Australian airline Qantas says a data hack on Monday exposed the personal information of six million customers and it expects the amount stolen to be “significant.”
The hack penetrated a third-party customer service platform used by a Qantas contact center, the airline said in a statement on Wednesday. Six million customers have service records on the platform – with data including some of their names, email addresses, phone numbers, birth dates and frequent flyer numbers.
However, the platform does not contain any customer credit card details, financial information or passport details, Qantas said.
After Qantas detected “unusual activity” on the platform, it took action and “contained” the system, it said. The statement said all Qantas systems are now secure, and there is no impact to the company’s operations or safety.
It’s not clear exactly how much data was stolen, “though we expect it to be significant,” the airline said. It is now working to support affected customers, and is cooperating with the Australian Cyber Security Centre, Australian Federal Police and independent cybersecurity experts on the investigation.
“We sincerely apologize to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously,” said Qantas CEO Vanessa Hudson in the statement.
“We are contacting our customers today and our focus is on providing them with the necessary support.”
Qantas’ share price was down 3.5% in morning trading, against a 0.4% gain in the broader market, according to Reuters.
Australia has seen a series of major cyberattacks and company hacks in recent years. In 2019, a cyberattack targeted Australia’s ruling and opposition parties less than three months before a national election. Two years later, broadcaster Nine News suffered a cyberattack that forced a number of live shows off air – calling it the largest cyberattack on a media company in Australia’s history.
Most recently in 2022, cybercriminals in Russia conducted a ransomware attack on Medibank, one of Australia’s largest private health insurers. Sensitive personal data, including health claims information, was stolen from 9.7 million customers – some of which was then released onto the dark web.
Last year, Australia publicly named and imposed sanctions on a Russian national for his alleged role in the attack. He was an alleged member of the Russian ransomware gang REvil, which had previously launched large attacks on targets in the United States and elsewhere, before Russian authorities cracked down in 2022 and detained multiple people.