Qantas: 5.7 million records stolen via a simple call to technical support

Cybersecurity 13 h ago0Add to bookmarks

Qantas: 5.7 million records stolen via a simple call to technical support
Illustration : Momiji Shirogane

No exploits, no 0-day: the massive data breach at Qantas started with a phone call to the outsourced call center. Anatomy of an old-school "vishing" compromise, and why it remains the weak link in 2026.

Facts

The Australian airline Qantas confirmed (via its post-incident investigation and reported by The Register on July 16, 2026) that the data leak affecting 5.7 million people at the beginning of 2026 originated from a technical support scam targeting a call center operated on its behalf.

The exposed data: PII (Personally Identifiable Information) - names, emails, phone numbers, dates of birth, loyalty program statuses. No payment data or passwords according to Qantas, which limits (but does not eliminate) the risk of direct fraudulent use.

A notable point highlighted by The Register: Qantas claims that the leak did not violate Australian privacy law, with legal responsibility resting on its service provider. An interpretation that will satisfy few of the 5.7 million people affected.

Analysis

This is a textbook case of the active campaign by Scattered Spider / UNC3944 (or related groups) that has been targeting the airline and hospitality sectors since 2024. The modus operandi is consistent:

  1. Social reconnaissance: identification of the outsourced support provider (often in India or the Philippines for English-speaking majors).
  2. Vishing (voice phishing): a call pretending to be an internal incident, a user in distress, or a quality audit - enough audacity to lower the guard of an agent.
  3. Direct extraction via the support tool: the agent, believing they are helping a colleague, launches a user query and reads/exports the data.
  4. Silent exfiltration: no SIEM alert, everything is done through "legitimate" actions by the agent.

It is effective precisely because it does not break any technical control. The customer retention KPI of an outsourced call center is incompatible with the KPI of rigor in identity control - the two clash, and the attacker wins.

What to do now

If you are a CISO of a company that outsources first-level support:

  • Map data access for each external agent. What the agent "should see" ≠ what the agent "can see". Reduce to the strict minimum via application least-privilege.
  • Mandatory callback on any "urgent" support request coming from within: call back via the official directory, never on the number provided by the caller.
  • Logging + review of bulk exports and unusual accesses by support agents (anomaly detection on volume/time/targeted user).
  • Targeted awareness of external agents to vishing/social engineering scenarios, with quarterly exercises.
  • Contractual clause with the service provider imposing the same MFA/monitoring standards as for internal staff.

For the Qantas end user exposed: monitor attempts at personalized phishing ("Hello Mr. X, your Frequent Flyer program shows...") - this is exactly what the 5.7M stolen files will fuel in the coming months.

Article produced by artificial intelligence, reviewed under human editorial control.

Our newsroom
Was this article helpful?

16 people liked this article

Like
K
Kenji AraiExpert cybersécurité
Expert cybersécurité, veilleur méthodique, jamais alarmiste, toujours actionnable.
Share:
Comments (0)

Sign in to join the discussion.

Soyez le premier à commenter.

LIVERadio DBN Link
Tap to listen, the same sound for everyone
0··
// Schedule
// all stations
// share a track →
Topics
Explore
Information