A MAJOR airline has been hacked with six million passengers’ details stolen in a shocking cyber-raid.
Fraudsters targeted the firm’s call centre and gained access to customers “names, emails, phone numbers and more”.
1
Qantas is Australia’s largest airline and travels to dozens of national and international destinations.
The company has launched an urgent investigation after detecting a significant cyber attack which compromised the personal data of millions of customers.
“Unusual activity” was discovered on the firm’s system which stores the details of around six million passengers, including names, email addresses, phone numbers, birth dates.
The airline reassured customers, however, that personal details like passport numbers, frequent flyer numbers and financial information had not been stolen.
How to get help
In a statement, the airline confirmed it had taken “immediate steps” to contain the threat.
But it warned the full extent of the attack is still being assessed, adding that a “significant” portion of data may have been accessed.
Qantas Group CEO Vanessa Hudson apologised to affected flyers and urged travellers to contact a “dedicated support line” for any help.
She said: “We sincerely apologise to our customers and we recognise the uncertainty this will cause.”
The airline has notified federal authorities, including the Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner (OAIC).
Uptick in stolen data
The data breach comes just days after holidaymakers were warned about a Booking.com scam that cost victims £370,000.
Fraudsters are hacking hotel accounts on the platform and sending fake messages or emails that look legitimate.
This often happens when hotel staff accidentally click on a malicious link in an email, giving criminals access to the hotel’s account on the platform.
Once inside, scammers send messages to customers claiming payment details need to be verified or that a card has been declined.
Avoiding scams
They then trick holidaymakers into entering their banking details via fraudulent links.
Action Fraud has received over 500 reports of the scam between June 2023 and September 2024, with victims collectively losing £370,000 – or £700 per person.
Customers have shared their close calls with the scam on X (formerly Twitter).
One showed a message directly through their Booking.com app which read: “Dear [XXX], we need you confirmation.
“Your reservation and the details you entered are still pending. If you don’t verify and complete everything within the next six hours, your booking will be automatically cancelled – no exceptions.”
The customer is then directed to click on a rogue link in the message chain to “confirm and finalize” their trip – even though it’s already paid for.
Consumer rights expert Martyn James said: “If you get a message from a hotel or host through Booking.com or an email asking for your card details, ignore it.
“Only go through your Booking.com portal on the website to confirm payment details.
“Do not send money via links and never pay with bank transfers or PayPal‘s ‘friends and family’ option.”
Expert advice
Vonny Gamot, Head of EMEA at online protection company, McAfee, advises the following:
1. Assume your affected
He said: “Even if you haven’t received notification, assume your information may have been compromised if you’ve been a customer. Companies often take weeks to identify all affected individuals.”
2. Change your passwords immediately
“Ssart with the account you have for the airline, then move to any accounts that share the same password.
“Use strong, unique passwords for each account. This is non-negotiable.
“In 2025, password reuse is one of the fastest ways to turn a single breach into multiple compromised accounts,” he added.
3. Enable two-factor authentication everywhere
He continued: “If you haven’t already, enable two-factor authentication (2FA) on all accounts that support it, starting with email, banking, and shopping accounts. This adds a crucial second layer of security.”
What is a cyber attack?
A CYBER attack is any deliberate attempt to disrupt, damage, or gain unauthorised access to computer systems, networks, or digital devices.
These attacks can target individuals, businesses, or even governments, and their motives can range from financial gain to political disruption.
Cyber attacks can take many forms, employing various techniques to achieve their malicious goals.
Common types of cyber attacks include:
- Malware: Malicious software designed to damage or gain control of a system. Examples include viruses, worms, ransomware, and spyware.
- Phishing: Deceptive attempts to trick individuals into revealing sensitive information such as usernames, passwords, or credit card details, often through fake emails or websites.
- Denial-of-Service (DoS) Attacks: Flooding a network or server with traffic to overwhelm its resources and make it unavailable to legitimate users.
- SQL Injection: Exploiting vulnerabilities in website databases to gain unauthorised access to data.
- Ransomware: Malware that encrypts a victim’s data and demands a ransom for its release.
- Social Engineering: Manipulating individuals into performing actions or divulging confidential information.
4. Monitor your financial accounts
“Check bank statements, credit card bills, and investment accounts for any unusual activity. Set up account alerts if you haven’t already, many financial institutions offer real-time transaction notifications,” Vonny said.
5. Consider online protection tools
And finally: “Tools that can keep your info safe with early alerts that show you if your data is found on the dark web.
“McAfee’s Scam Detector can also alert you to suspicious text messages and emails that you receive, which is particularly valuable in the aftermath of a breach when criminals often launch targeted phishing campaigns using stolen contact information.”
