The Australian airline Qantas has disclosed that on Monday it detected a cyberattack in which threat actors gained access to a third-party platform used by one of its contact centres. The platform holds service records for roughly six million customers. Qantas says the incident has been contained but expects that a significant amount of customer data was stolen. The intrusion began when the threat actor targeted a Qantas call centre and, from there, gained access to the platform.
An initial review has confirmed that the stolen data includes, for some of the six million affected customers, names, email addresses, phone numbers, dates of birth and frequent flyer numbers. Qantas says no credit card details or other personal financial information were exposed, and that frequent flyer account passwords, PINs and login details were not affected. After detecting the breach, Qantas notified the Australian Cyber Security Centre and the Australian Federal Police.
This attack comes as cybersecurity firms warn that hackers known as “Scattered Spider” have begun targeting the aviation industry.
While it is unclear whether this group is behind the Qantas attack, the incident shares notable similarities with its tradecraft. Scattered Spider is known for social engineering and identity-based attacks against organisations worldwide, commonly using phishing, SIM swapping and phone calls to help desks to obtain employee credentials. In September 2023 the group escalated its operations by breaching MGM Resorts and encrypting over one hundred servers.
The group works sector by sector. After a recent run of attacks on retail and insurance companies, cybersecurity firms warned that it had shifted to aviation, and recent attacks on Hawaiian Airlines and WestJet are believed to be linked to it. Because the group's entry point is usually a person rather than a software flaw, defenders should start with full visibility over every identity path into their environment: self-service password reset portals, the help-desk procedures used to verify callers before resetting credentials, and every third-party identity vendor with access to their systems.
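The help-desk and password-reset exposure described above can be turned into a concrete detection. The following Python is an added example, not code from the article, from Qantas or from any vendor named in it: it correlates a credential reset with a new MFA factor enrolment and a sign-in from an IP address the user has never used, all inside a short window, which is the sequence a help-desk-driven account takeover tends to leave in identity logs. The log format, field names, threshold and sample events are all constructed for the example.

```python
"""Correlate help-desk or self-service credential resets with follow-on
account-takeover signals in identity-provider logs.

Added example, not the article's or any vendor's code. The line format
(`<ISO timestamp> key=value ...`) and all sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# How long after a reset we keep looking for follow-on signals (assumed value).
WINDOW = timedelta(hours=2)

# Constructed sample events, not real telemetry. alice.lee shows the
# suspicious sequence; bob.ng is a benign self-service reset from a known IP.
SAMPLE_EVENTS = [
    "2025-06-30T02:10:00Z user=alice.lee event=password_reset actor=helpdesk ip=203.0.113.10",
    "2025-06-30T02:14:00Z user=alice.lee event=mfa_enroll factor=sms ip=198.51.100.7",
    "2025-06-30T02:20:00Z user=alice.lee event=login ip=198.51.100.7",
    "2025-06-30T01:00:00Z user=bob.ng event=login ip=192.0.2.44",
    "2025-06-30T09:00:00Z user=bob.ng event=password_reset actor=self ip=192.0.2.44",
    "2025-06-30T09:05:00Z user=bob.ng event=login ip=192.0.2.44",
]


def parse(line):
    """Parse one constructed log line into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def find_suspicious_resets(lines, window=WINDOW):
    """Return one alert per password reset that is followed, within `window`,
    by both a new MFA factor enrolment and a login from an IP not seen in any
    of the user's earlier logins.

    Requiring both signals keeps a lone MFA enrolment or a lone new-IP login
    from firing on its own; users with no login history will match any login
    IP, so review those alerts with that in mind.
    """
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, evs in by_user.items():
        for idx, reset in enumerate(evs):
            if reset["event"] != "password_reset":
                continue
            # IPs this user logged in from before the reset.
            known_ips = {e["ip"] for e in evs[:idx] if e["event"] == "login"}
            followers = [e for e in evs[idx + 1:] if e["ts"] - reset["ts"] <= window]
            new_factor = any(e["event"] == "mfa_enroll" for e in followers)
            new_ip_login = any(
                e["event"] == "login" and e["ip"] not in known_ips for e in followers
            )
            if new_factor and new_ip_login:
                alerts.append({
                    "user": user,
                    "reset_at": reset["ts"].isoformat(),
                    "reset_actor": reset.get("actor", "unknown"),
                    "reasons": ["mfa_enroll_after_reset", "login_from_unseen_ip"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only alice.lee is flagged: her reset was performed by the help desk and was followed by an SMS factor enrolment and a login from an address she had never used. bob.ng's self-service reset from his usual IP, with no factor change, produces nothing. In a real deployment the `actor=helpdesk` field is the one to weight most heavily, since a reset the user did not initiate is exactly what a help-desk social-engineering call produces.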