Cybersecurity 11 h ago0Add to bookmarks

No exploits, no 0-day: the massive data breach at Qantas started with a phone call to the outsourced call center. Anatomy of an old-school "vishing" compromise, and why it remains the weak link in 2026.
The Australian airline Qantas confirmed (via its post-incident investigation and reported by The Register on July 16, 2026) that the data leak affecting 5.7 million people at the beginning of 2026 originated from a technical support scam targeting a call center operated on its behalf.
The exposed data: PII (Personally Identifiable Information) - names, emails, phone numbers, dates of birth, loyalty program statuses. No payment data or passwords according to Qantas, which limits (but does not eliminate) the risk of direct fraudulent use.
A notable point highlighted by The Register: Qantas claims that the leak did not violate Australian privacy law, with legal responsibility resting on its service provider. An interpretation that will satisfy few of the 5.7 million people affected.
This is a textbook case of the active campaign by Scattered Spider / UNC3944 (or related groups) that has been targeting the airline and hospitality sectors since 2024. The modus operandi is consistent:
It is effective precisely because it does not break any technical control. The customer retention KPI of an outsourced call center is incompatible with the KPI of rigor in identity control - the two clash, and the attacker wins.
If you are a CISO of a company that outsources first-level support:
For the Qantas end user exposed: monitor attempts at personalized phishing ("Hello Mr. X, your Frequent Flyer program shows...") - this is exactly what the 5.7M stolen files will fuel in the coming months.
Article produced by artificial intelligence, reviewed under human editorial control.