THE AMERICA ONE NEWS
Jul 4, 2025


Qantas attacked days after FBI warning.

AFP via Getty Images

Update, July 4, 2025: This story, originally published on July 2, has been updated with the latest statement from Qantas, including a lengthy explanation by Vanessa Hudson, the Qantas Group CEO, as well as expert comments from cybersecurity professionals regarding the confirmed cyberattack that occurred just days after an FBI warning about 2FA bypass attacks targeting the airline industry.

Just days after the Federal Bureau of Investigation issued a warning that Scattered Spider hackers were targeting new sectors with 2FA bypass attacks, those attacks have started. Qantas has confirmed that a data breach, potentially exposing the personal information of six million customers, successfully targeted a third-party supplier. As I have said previously, when the FBI issues a cybersecurity alert of any kind, everybody must pay close attention. Here’s what you need to know and do.

The Australian airline, Qantas, is reaching out to customers with a warning that it has detected unusual activity on a third-party platform used to store the details of six million people. The information includes names, email, dates of birth and Qantas frequent flyer details. This comes just days after the FBI issued a warning to the aviation industry, stating that the Scattered Spider ransomware attack group, known for its attacks on the retail and insurance sectors, was shifting its focus to transportation and aviation in particular.

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector,” an FBI spokesperson said in an email, adding that the attackers were employing “social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.”

Scattered Spider is thought to be associated with what Brett Winterford, vice president of threat intelligence at Okta, calls “a group of loosely affiliated individuals that collaborate and share their tradecraft in a forum called TheCom.” These are young and, Winterford continued, “globally distributed but most often from Western countries, they are motivated by profit but also motivated by the desire to score a big win that impresses their peers.” Most importantly, they target in an opportunistic fashion. “If they enjoy success against a target in any given industry,” Winterford warned, echoing the FBI, “they’ll rinse and repeat against similar organizations.” And that appears to be what is happening with the Qantas attack.

Qantas statement update: Qantas has published a July 4 update to its statement regarding the cyberattack.

Qantas said that it is continuing with the incident response, working with specialist cybersecurity teams and forensically analyzing the system that was compromised. The investigation to date, Qantas stated, can confirm the following:

“Our investigation is progressing well with our cybersecurity teams working alongside leading external specialists to determine what information has been accessed,” Vanessa Hudson, Qantas Group CEO, said. “We’re finalising a process that will enable us to provide affected customers with more information about their personal information that was potentially compromised.”

As well as apologising to customers for the uncertainty the cyber incident has caused, and assuring them that Qantas is committed to keeping them informed as the investigation progresses, Hudson said: “We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems. Our customers can be assured that we have the right expertise and resources dedicated to resolving this matter thoroughly and effectively.”

As for contacting impacted customers, Qantas has now confirmed that, since the morning of July 3, it has contacted its frequent flyers to inform them of the incident via email and, separately, has emailed approximately six million customers with personal information stored on the platform that was compromised. “Next week we will be in a position to update affected customers on the types of their personal data that was contained in the system,” the updated statement said, adding that this will “confirm specific data fields for each individual which will vary from customer to customer.”

The original July 2 statement by Qantas confirming the incident stated that “the incident occurred when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform.” Exactly the attack route we see in Scattered Spider attacks.

Qantas has confirmed that it took immediate action on July 1 when the activity was detected, contained the system and that all other Qantas systems remain secure. “There is no impact to Qantas’ operations or the safety of the airline,” the statement said.

With six million customers at risk of data breach, Qantas has also confirmed that it is continuing to investigate the proportion of the data that has been stolen, but has said it expects “it will be significant.”

No credit card or passport details have been impacted.

“Our customers trust us with their personal information and we take that responsibility seriously,” Qantas Group chief executive officer, Vanessa Hudson, said.

Customers are advised that they can contact a dedicated Qantas cyber incident support line on 1800 971 541 or +61 2 8028 0534, which includes access to specialist identity protection advice and resources. Qantas has also confirmed that it is aware of scammers impersonating the airline. “We recommend customers remain alert for unusual communications claiming to be from Qantas or requesting personal information or passwords,” a Qantas spokesperson said, adding that “Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.” Any customers receiving suspicious emails, texts or phone calls from someone claiming to be a Qantas representative are advised to report this to the Qantas support line as quoted previously, or to local law enforcement.

“With airlines entering their busiest period of the year, the aviation industry is now feeling the added burden of having to deal with cybercriminals,” James Neilson, a senior vice president at OPSWAT, said. “With Qantas the latest victim in a string of attacks against airlines, attackers are likely to be further emboldened to continue targeting companies in the sector.”

“Groups like Scattered Spider have a history of launching sector-specific campaigns, so it’s hardly surprising aviation appears to be next on their list,” Adam Marrè, a former FBI special agent who dealt with cybercrime and now chief information security officer at Arctic Wolf, said. “CISOs may sound like a broken record, but this attack should serve as another reminder of the need for businesses to assess cyber defences internally and across supply chains,” Marrè continued, “alongside having an effective Incident Response plan in place.” As far as consumers are concerned, Marrè advised that they should treat “every text, email and phone call coming from their airline with caution and enabling multi-factor authentication across accounts.”

As a Qantas Frequent Flyer member himself, Ross Brewer, vice president of EMEA at Graylog, told me that the recent data breach carried a personal significance. “While it’s reassuring to know that no passwords, financial data, or identity documents were compromised,” Brewer said, “the incident serves as a stark reminder of the importance of robust logging and monitoring practices in cybersecurity.” Qantas must exercise caution when communicating the wider impact of the incident, according to Brewer, who concluded with a warning that “over-disclosure, such as claiming the entire customer base was affected, can lead to unnecessary alarm. Clear, specific communication is far more effective in maintaining public trust and supporting a transparent, measured response.”

“Airlines, which hold vast amounts of valuable sensitive customer information, have become attractive targets for cybercriminals, and the consequences are significant,” James Neilson, international senior vice president at OPSWAT, said. Stating the obvious, Neilson said that customers expect airlines to safeguard the personal data they entrust to them. But he’s right, of course, they do. And when this data is stolen, it “damages customer trust, gives attackers substantial leverage over their victims, and provides a valuable, resalable resource.”

Everyone, across all industry sectors and consumers alike, should heed the FBI warning as a wake-up call to assess their security hygiene. And take action now, not later.