The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner
On July 3, 2025, Qantas confirmed in an update statement that a cyber incident had compromised data from one of its contact centers, following the detection of suspicious activity on June 30. The breach didn’t strike at the heart of Qantas’ systems; it snuck in through a third-party provider.
The attack allegedly exposed the data of 6 million Qantas customers.
Figure 1. Qantas’ latest statement posted on July 3, 2025.
According to Qantas’ official statement, attackers targeted a third-party customer servicing platform used by a call center, successfully extracting personal records that included names, email addresses, phone numbers, dates of birth, and Frequent Flyer numbers. While no credit card, passport, or login credentials were taken, the scale of the breach is still under investigation and expected to be significant.
In response, Qantas has taken swift action to contain the intrusion, notified regulators, and is now reaching out directly to affected customers. The airline has also reiterated that no operational systems or flight safety processes were impacted, and that all core Qantas systems remain secure.
This incident underscores why even the most established companies must maintain vigilant oversight of their entire digital supply chain — and why proactive communication with customers is essential when trust is on the line.
Suspected Actors Behind the Attack
Qantas has not officially attributed this breach to any specific threat group, but many security analysts believe it closely aligns with the methods of Scattered Spider, also known in the cybersecurity community as UNC3944 or Muddled Libra.
This group has built a reputation for highly effective social engineering campaigns, targeting help desks and call centers to gain access to large corporate networks. Their hallmark tactics include impersonating employees or IT staff over phone and email, manipulating call center workers to hand over credentials or approve multifactor authentication requests — sometimes through so-called “MFA fatigue” attacks, where repeated prompts wear down vigilance.
Adding weight to this theory, just days before the Qantas breach became public, the FBI issued a formal alert warning that Scattered Spider had shifted focus to the airline industry. According to the FBI’s statement, the group is actively expanding operations worldwide, specifically seeking out third-party service providers within airlines’ ecosystems to exploit weaker security controls. The attackers’ methods, timing, and choice of target — a customer service platform used by an offshore call center — are all consistent with Scattered Spider’s established playbook.
Figure 2. FBI’s statement on X posted on June 28, 2025.
Possible Attack Timeline and Vector
Day 1, Reconnaissance
- Attackers, possibly linked to the Scattered Spider group, identified a call center platform overseas — often the least-protected piece of a big organization’s ecosystem.
Day 2, Social Engineering
- Using fake calls or phishing emails, they impersonated internal staff.
- Employees were pressured or tricked into sharing credentials or approving login attempts.
Day 3, Breach and Access
- Armed with real credentials — and perhaps MFA fatigue tactics — attackers logged in.
- From there, they quietly queried customer records.
Day 4, Exfiltration
- Names, emails, phone numbers, and frequent flyer numbers were extracted.
- While no payment data or passwords were taken, the volume of personal data increases the risk of fraud.
Day 5, Detection and Containment
- Qantas spotted unusual access patterns and shut down the system, notifying authorities and launching an investigation.
The attack likely began with careful target identification, as the intruders searched for third-party services with access to Qantas’ customer data.
Once they pinpointed the call center platform as a promising entry point, they moved into reconnaissance and pretexting, crafting convincing scenarios to impersonate IT support staff or internal employees, complete with plausible details to build trust. Through these social engineering efforts, the attackers were able to harvest credentials, persuading employees to share usernames and passwords or to approve multifactor authentication (MFA) prompts without realizing the danger.
Armed with legitimate credentials, the attackers gained silent access to the system, logging in undetected and blending in with normal workflows. From there, they systematically queried the platform’s databases and extracted customer records in batches, ensuring they collected as much data as possible without triggering alarms. To reduce the chances of discovery, they likely took steps to cover their tracks, disguising their activity to resemble routine support operations and minimizing obvious signs of intrusion.
Remediation
This incident reinforces a hard truth about modern cybersecurity: even organizations with strong internal controls can be compromised through trusted partners. The Qantas breach demonstrates how attackers increasingly target third-party service providers, exploiting less mature security practices to bypass the defenses of major brands. It also highlights the rising sophistication of social engineering techniques, which remain among the most effective tools in the attackers’ arsenal.
To reduce the risk of similar breaches, organizations should prioritize a combination of technical safeguards and rigorous oversight of their extended supply chain. Third-party vendors must be held to the same security standards as internal teams, including requirements for strong authentication, activity monitoring, and incident response readiness.
Recommended remediation measures include:
- Strengthen Vendor Risk Management: Conduct regular security assessments of all partners with access to sensitive data and require evidence of compliance with your security policies.
- Implement Phishing-Resistant Authentication: Use hardware security keys or app-based verification rather than SMS codes and deploy controls that can detect and block suspicious login attempts, even with valid credentials.
- Enhance Employee Awareness Training: Provide targeted training for customer service and help desk staff on how to recognize pretexting, MFA fatigue attacks, and other social engineering tactics.
- Deploy Anomalous Behavior Detection: Invest in monitoring tools that can flag unusual data access patterns, such as large exports during off-hours or logins from unexpected locations.
- Review Data Minimization Practices: Limit the volume of customer data accessible to third-party platforms and staff, reducing the impact of potential breaches.
- Test Incident Response Plans: Simulate scenarios where attackers compromise vendor systems, ensuring your teams can coordinate rapid containment and communication.
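The anomalous behavior detection measure above is the one most directly testable in code. The following is an added illustration, not code from Trustwave or from any Qantas or vendor system: it runs three simple rules over a constructed audit log from a hypothetical customer-servicing platform. The log format, the field names, the business-hours window, the row threshold, the MFA burst window, and the per-account location baseline are all assumptions chosen for this example; a real deployment would take them from the platform's actual audit schema and from observed agent behavior.

```python
"""Added example (not from the original article): flag the access patterns the
remediation list describes, using constructed audit log lines from a hypothetical
call-center platform. All thresholds and the log format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed tuning values for this illustration.
EXPORT_ROW_THRESHOLD = 1000                  # rows in one export that count as "bulk"
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # local working window, same zone as the log
MFA_WINDOW = timedelta(minutes=5)            # window for counting repeated MFA prompts
MFA_BURST = 3                                # prompts inside the window that form a burst

# Constructed baseline: countries each account has legitimately logged in from before.
KNOWN_LOCATIONS = {"agent17": {"PH"}, "agent22": {"PH"}}

# Constructed sample log (not real data). Fields: timestamp user event key=value...
SAMPLE_LOG = """\
2025-06-29T14:02:11 agent17 login country=PH
2025-06-29T14:05:40 agent17 export rows=120
2025-06-30T02:10:05 agent17 mfa_prompt result=denied
2025-06-30T02:10:20 agent17 mfa_prompt result=denied
2025-06-30T02:10:41 agent17 mfa_prompt result=denied
2025-06-30T02:11:02 agent17 mfa_prompt result=approved
2025-06-30T02:11:30 agent17 login country=US
2025-06-30T02:15:00 agent17 export rows=50000
2025-06-30T09:30:00 agent22 login country=PH
2025-06-30T09:45:00 agent22 export rows=80
2025-06-30T10:00:00 agent22 export rows=5000
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, event, {key: value})."""
    ts, user, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), user, event, fields


def detect_anomalies(log_text, known_locations):
    """Return a list of alert dicts, in log order, for the three rules below."""
    alerts = []
    mfa_prompts = defaultdict(deque)  # user -> timestamps of recent MFA prompts

    for line in log_text.strip().splitlines():
        ts, user, event, f = parse_line(line)

        if event == "login":
            # Rule 1: login from a country never seen for this account.
            country = f.get("country")
            if country not in known_locations.get(user, set()):
                alerts.append({"rule": "login_unexpected_location", "user": user,
                               "at": ts.isoformat(), "detail": country})

        elif event == "export":
            # Rule 2: bulk export outside the business-hours window.
            rows = int(f.get("rows", 0))
            in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
            if rows >= EXPORT_ROW_THRESHOLD and not in_hours:
                alerts.append({"rule": "bulk_export_off_hours", "user": user,
                               "at": ts.isoformat(), "detail": rows})

        elif event == "mfa_prompt":
            # Rule 3: repeated MFA prompts in a short window (possible MFA fatigue).
            recent = mfa_prompts[user]
            recent.append(ts)
            while recent and ts - recent[0] > MFA_WINDOW:
                recent.popleft()
            if len(recent) == MFA_BURST:  # fire once when the burst threshold is reached
                alerts.append({"rule": "mfa_prompt_burst", "user": user,
                               "at": ts.isoformat(), "detail": len(recent)})

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(alert)
```

Running it against the constructed log produces three alerts for agent17 in sequence: an MFA prompt burst, a login from a country outside the account's baseline, and a 50,000-row export at 02:15. The 5,000-row export by agent22 at 10:00 is not flagged, because the rule as written requires both size and off-hours timing, which mirrors the wording of the bullet; a production rule set would typically also alert on volume alone above a higher threshold and correlate the three signals per account rather than emitting them independently.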
This breach is a reminder that cybersecurity isn’t only about defending your own perimeter; it’s about creating a resilient ecosystem in which every link in the chain is prepared to detect and repel attacks.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.