Qantas data breach exposes up to six million customer profiles

Qantas is contacting customers after a cyber attack targeted their third-party customer service platform.

On 30 June, the Australian airline detected “unusual activity” on a platform used by its contact centre to store the data of six million people, including names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Upon detection of the breach, Qantas took “immediate steps and contained the system”, according to a statement.

The company is still investigating the full extent of the breach, but says it is expecting the proportion of data stolen to be “significant”.

It has assured the public that passport details, credit card details and personal financial information were not held in the breached system, and no frequent flyer accounts, passwords or PIN numbers have been compromised.

Qantas has notified the Australian Federal Police of the breach, as well as the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson.

She asked customers to call the dedicated support line if they had concerns, and confirmed that there would be no impact to Qantas’ operations or the safety of the airline.

The cyber attack is the latest in a string of Australian data breaches this year, with AustralianSuper and Nine Media suffering significant leaks in the past few months.

In March 2025, the Office of the Australian Information Commissioner (OAIC) released statistics revealing that 2024 was the worst year for data breaches in Australia since records began in 2018.

“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish,” said Australian Privacy Commissioner Carly Kind in a statement from the OAIC.

Ms Kind urged businesses and government agencies to step up security measures and data protection, and highlighted that both the private and public sectors are vulnerable to cyber attacks.