Qantas data breach exposes up to six million customer profiles
On 30 June, the Australian airline detected "unusual activity" on a platform used by its contact centre to store the data of six million people, including names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Upon detection of the breach, Qantas took "immediate steps and contained the system", according to a statement.
The company is still investigating the full extent of the breach, but says it is expecting the proportion of data stolen to be "significant".
It has assured the public that passport details, credit card details and personal financial information were not held in the breached system, and no frequent flyer accounts, passwords or PIN numbers have been compromised.
Qantas has notified the Australian Federal Police of the breach, as well as the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
"We sincerely apologise to our customers and we recognise the uncertainty this will cause," said Qantas Group CEO Vanessa Hudson.
She asked customers to call the dedicated support line if they had concerns, and confirmed that there would be no impact to Qantas' operations or the safety of the airline.
The cyber attack is the latest in a string of Australian data breaches this year, with AustralianSuper and Nine Media suffering significant leaks in the past few months.
In March 2025, the Office of the Australian Information Commissioner (OAIC) released statistics revealing that 2024 was the worst year for data breaches in Australia since records began in 2018.
"The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish," said Australian Privacy Commissioner Carly Kind in a statement from the OAIC.
Ms Kind urged businesses and government agencies to step up security measures and data protection, and highlighted that both the private and public sectors are vulnerable to cyber attacks.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
an hour ago
- Yahoo
Couples warned to ‘keep clear records on source of wealth' following landmark divorce ruling
A retired banker who gave his wife nearly £80 million to avoid paying inheritance tax will not have to split that money with her equally following a divorce, the Supreme Court has ruled. Five justices unanimously agreed that because most of the money had been earned prior to the marriage, Clive Standish, 72, was entitled to keep the largest share. He had transferred the multimillion-pound assets to his wife Anna Standish, 57, in 2017, to take advantage of the Australian's non-dom status and allow more money to benefit their two children. Mr Standish, being domiciled in the UK, was worried about paying around £32 million in inheritance tax if he died with the assets in his name, Lords Burrows and Stephens explained in their ruling on Wednesday. Sam Longworth of Hudson Sandler and the lead partner for Mr Standish said: 'The Supreme Court has also provided essential guidance as to when assets which do not have an originating connection to the marriage partnership should be considered marital. 'This guidance will give the courts a clear framework to ensure individuals cannot benefit from running false arguments as to whether they had or had not agreed to share certain assets during the currency of their relationship.' Claire Reid, a partner at Hall Brown Family Law, said the ruling was more 'goalposts being moved' than a 'paradigm shift', adding that other spouses 'looking to manage their wealth to minimise their tax bills' should be 'very circumspect in how they do so'. She said: 'Given the recent changes to the inheritance tax rules announced by the Government, there are likely to be many individuals undertaking the kind of estate planning that Mr and Mrs Standish were. 'Wealthier spouses will now be alive to the need to formalise the terms of any transfers of cash or other assets even more clearly to avoid falling into the same complicated situation.' Sarah Norman-Scott and Victoria Walker, family law partners at Hodge Jones & Allen and Moore Barlow respectively, said couples should keep clear records on the source of their wealth. Ms Walker said: 'Going forward, families will need to keep tighter records to demonstrate that transfers were executed for specific purposes. 'That said, if spouses cannot meet their respective needs from the pool of available assets, the court will still draw on non-matrimonial funds to ensure fairness. 'However, for high value separations where plenty of wealth is available, Standish delivers a clear message: intent is everything.' Yael Selig, a family law partner at Osbornes Law, predicts a 'a surge' in prenuptial and postnuptial inquiries following the Supreme Court's decision. She said: 'Whilst such agreements are not yet considered the norm, they are becoming that way and particularly for couples where there are significant assets involved, although the court's decision will always be grounded in making sure that the financial needs of both parties are met.' Lucy Stweart-Gould, second partner for Mr Standish at Hudson Sandler, said owning money or assets at the time of the divorce, known as having title, is not enough to claim ownership; what matters is how that property is intended to be used. She said: 'Title alone is insufficient evidence to permit a party to share in a non-marital asset. 'What is required is an intention to share and treatment of the asset as shared; on the proper analysis of the facts of this case there was neither.' Jennifer Dickson, family law partner at Withers, agreed. She said: 'The judgment makes clear that non-matrimonial property should not be subject to the sharing principle and matrimonial property should ordinarily be shared 50/50, but that non-matrimonial property can be 'matrimonialised' depending on the couple's intention and treatment of that wealth during the marriage. 'Had the tax planning exercise been designed to benefit Mrs Standish, rather than their children, it may well have been a different story.'
Forbes
an hour ago
- Forbes
Why Is No One Deleting Their Data?
Aaron Mendes, CEO of PrivacyHawk . getty If you use the internet, you've been in a data breach. Nearly every American is in multiple data breaches per year. There were over 3,000 major beaches in 2024 (registration required), with over 1.3 billion breach notices to Americans. However, in my research into all 2025 cybersecurity articles written by journalists writing about data breaches for the top 50 U.S. publications, there was zero mention that consumers can prevent themselves from being in breaches by exercising their privacy rights. A popular The Wall Street Journal article titled "Go Delete Yourself" didn't even mention the privacy right to delete! This applies to businesses as well. It's crazy how few companies require employees to request that their data and accounts be completely deleted after discontinuing the use of those services. Think about how many logins an organization with 1,000 employees has. It has to be thousands, if not hundreds of thousands. Many of those accounts have stored credentials and other sensitive information stored by those third parties, exposing them to the risk of being a data breach. And that data can be used to compromise your company. Why aren't any journalists who write about cybersecurity covering this extremely important topic when they talk about data breaches and hacks? That is, reducing your digital footprint by exercising your privacy rights. Businesses have similar rights in many states. Approximately half of the U.S. lives in a state that has a privacy regulation that gives them the right to delete their data or stop their data from being sold. However, despite having this right, hardly anybody exercises it. That's one big reason why everybody is in so many data breaches. There are a couple of reasons for this. The first is that a lot of people aren't even aware that they have this right, largely due to the lack of media coverage on the topic. The second is it's extremely confusing and difficult to exercise, especially at scale if you wanted to delete yourself from the hundreds of companies that you gave your data to over the years that still have it even though they no longer need it. So much is written about the dark web, hacks, ransomware, data breaches and the like, and it feels that all we ever get from cybersecurity professionals is that we should use strong passwords and two-factor authentication (2FA). People seem to be missing this massive preventive security measure. Given all the companies that have your first-party data, getting your data deleted from as many databases as possible so you're not in the next data breach should be a key priority. Very few people are aware of this, including many cybersecurity professionals and journalists who cover these topics. So, I would like to be the one to emphasize the value of educating the public on these privacy rights. Every state privacy law has a "right to delete." Upon request, with few exceptions, businesses have to delete your data if you ask them to. (Exceptions include banks, government and healthcare.) Both individuals and organizations can benefit from deleting their old accounts that are no longer being used. Examples include all the various services you used in the past that you no longer use: retailers, hotel chains, airlines, apps, subscription services and anything where you created a login. Unless you explicitly request it, these companies keep your data indefinitely, even long after you're no longer an active customer or user. And if they have a data breach, all that sensitive information gets leaked. There are steps you can take to reduce this digital footprint. It all starts with exercising your privacy right to data deletion. Business professionals and consumers can both request that companies delete their data. It's time-consuming to do this manually, especially since it could involve hundreds of companies. The process is simple, though: 1. Determine who has your data (your inbox is a good record of it). 2. Visit their privacy policy and search for "delete" or "contact." 3. Send them a request to delete your data. While this could take weeks of work to do manually, there are also a few tools that help automate this process. While we will not recommend a specific one, a list of the ones that are credible and established includes AllState, Digital Footprint, Permission Slip by Consumer Reports, McAfee and my company, PrivacyHawk. These services link with your inbox to automatically identify all the companies that have your personal data and have buttons to automatically send delete requests to each of the companies for which you no longer want to have your data. And then you can track the progress of each request in these apps to confirm they've been processed. I think it's important that people are aware that this is something they can do to protect themselves from being in data breaches. While individuals can't control how every company handles security, they can exercise their right to request data deletion—a step that significantly reduces their exposure in the event of a breach. If you're not in the database, you're not in the breach. And then you won't fall victim to identity theft, scams and spam. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Yahoo
an hour ago
- Yahoo
Qantas hack results in theft of 6 million passengers' personal data
Australian airline giant Qantas said on Wednesday it experienced a data breach that compromised the personal information of at least six million passengers. The airline said a cybercriminal targeted one of its call centers on June 30, and stole customer data from its systems, including names, email addresses, phone numbers, dates of birth and frequent flyer numbers. Qantas is the latest airline hacked in recent weeks following a spate of breaches attributed to Scattered Spider, a collective of hackers and tactics that are highly adept at breaking into the networks of big companies. Canadian airline WestJet suffered a data breach in June, which media reports have linked to Scattered Spider. Hawaiian Airlines also said last week it had suffered a data breach. Google's security unit Mandiant told TechCrunch on Wednesday that it is 'too early to tell' if the Qantas hack was linked to Scattered Spider, but warned that airlines should be on 'high alert' for social engineering attacks. Sign in to access your portfolio
