Qantas has confirmed that the personal data of approximately six million customers may have been compromised following a cyberattack on a third-party platform used by its customer service center.

In a statement released on Wednesday, the airline revealed that the breach stemmed from a security failure involving a partner system, not Qantas' core infrastructure. The exposed records reportedly include customer names, email addresses, phone numbers, dates of birth, and frequent flyer membership numbers.

Qantas noted that the compromised system does not store sensitive details such as credit card information, banking credentials, or passport numbers.

Following the discovery of "unusual activity" on the platform earlier this week, Qantas says it quickly intervened to isolate and contain the breach. The company assured the public that its internal systems remain unaffected and that there has been no disruption to flights or other operations.

Qantas breach

While the full scale of the incident is still under investigation, the airline admitted, "We expect it to be significant." The company is currently notifying impacted customers and assisting them. It has also launched a formal investigation in collaboration with the Australian Cyber Security Centre, the Australian Federal Police, and independent cybersecurity consultants.

Qantas CEO Vanessa Hudson issued a public apology, stating, "We sincerely apologize to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously."

"We are contacting our customers today, and our focus is on providing them with the necessary support," she added.

We sincerely apologise to customers impacted by a recent cyber incident that occurred in one of our contact centres. The system is now contained.

We’re currently contacting customers to make them aware of the incident, apologise and provide details on support available to them.…

— Qantas (@Qantas) July 2, 2025

The breach has already shaken investor confidence, with Qantas shares falling 3.5% during morning trading, underperforming the broader Australian market, which saw a 0.4% rise.

Read more: 16 billion logins, Apple included, exposed in massive data breach

Cyber vulnerability

Australia has faced an increasing number of major cyberattacks in recent years. In 2022, Medibank, a leading private health insurer, was targeted in a ransomware attack attributed to Russian hackers, affecting 9.7 million customers and led to the leak of sensitive medical data on the dark web.

The government responded by publicly identifying and sanctioning a Russian national alleged to be a member of the REvil ransomware group, which had also carried out attacks on US institutions before facing a crackdown from Russian authorities.

This latest breach reflects ongoing vulnerabilities in third-party digital infrastructure and raises further questions about how Australian companies manage customer data in an era of increasing cyber threats.