In late June 2025, Qantas Airways experienced a significant cybersecurity breach impacting approximately 5.7 million customers.
The breach originated from a third-party customer service platform operated by a call centre in Manila, Philippines.
The compromised data included:
- Names and email addresses (approximately 4 million records)
- Frequent flyer numbers, including tier status and points balances (2.8 million records)
- Birthdates, phone numbers, addresses, gender, and meal preferences (over 1 million records)
Whilst no financial information, passport details, or login credentials were compromised, this breach has raised serious concerns, not only about privacy, but also about the potential for the stolen data to be used in phishing and scam campaigns targeting unsuspecting customers.
Understanding Text and Email-Based Scams and Their Connection to Data Breaches
Email and text-based scams, commonly referred to as phishing and smishing respectively, are fraudulent communications designed to trick recipients into revealing personal information, clicking malicious links, or downloading harmful software. These scams often impersonate trusted organisations, using familiar branding and language to deceive their targets.
In the context of the Qantas breach, scammers can exploit stolen customer data to craft realistic-looking messages that appear to come from the airline. For example, a scammer might send a fake Qantas itinerary update or Frequent Flyer alert to trick users into providing passwords or credit card information.
At a personal level, as a Qantas frequent flyer, the number of phishing and smishing scams I am receiving has skyrocketed since the Qantas data breach. The most common ones are ATO and Australia Post scams with malicious links embedded.
How to Spot and Prevent Email and Text-Based Scams
There are several red flags that can help individuals identify scam messages. These include poor grammar or spelling, urgent or threatening language, unfamiliar links, and sender addresses that don’t match the official domain of the organisation. Be particularly cautious if a message asks you to provide sensitive information like passwords, banking details, or one-time verification codes.
To prevent falling victim to these scams, individuals should:
- Enable two-factor authentication (2FA) wherever possible.
- Verify the sender by cross-checking with official contact channels.
- Avoid clicking on links or downloading attachments from unknown sources.
- Use spam filters and regularly update security software.
- Report suspicious messages to the organisation being impersonated and relevant cybercrime authorities.
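The red flags listed above can also be checked mechanically, for example in a mail-triage script. The following is an added example, not part of the original article: the official-domain list, the keyword patterns and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated organisation really sends from.
OFFICIAL_DOMAINS = {"qantas.com"}
URGENT = re.compile(r"\b(urgent|immediately|suspended|final notice|within 24 hours)\b", re.I)
SENSITIVE = re.compile(r"\b(password|verification code|one-time code|card number|banking details)\b", re.I)
URL = re.compile(r"https?://[^\s<>]+", re.I)

# Constructed sample messages (the lookalike host uses the reserved .example TLD).
SCAM = """From: Qantas Frequent Flyer <alerts@qantas.com.account-check.example>
Subject: Urgent: your points expire within 24 hours

Confirm your password at http://qantas.com.account-check.example/login to keep your points.
"""
LEGIT = """From: Qantas <no-reply@qantas.com>
Subject: Your itinerary

View your booking at https://www.qantas.com/manage
"""

def is_official(host):
    """True only for an official domain or a genuine subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(raw_message):
    """Return the red flags found in one plain-text email message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    _, addr = parseaddr(msg.get("From", ""))  # ignore the display name, it is free text
    sender_host = addr.rpartition("@")[2]
    if not is_official(sender_host):
        flags.append(f"sender domain '{sender_host}' is not official")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        if not is_official(host):
            flags.append(f"link points to '{host}'")
    if URGENT.search(msg.get("Subject", "") + " " + body):
        flags.append("urgent or threatening language")
    if SENSITIVE.search(body):
        flags.append("asks for sensitive information")
    return flags

if __name__ == "__main__":
    print(red_flags(SCAM))
    print(red_flags(LEGIT))
```

An empty result does not prove a message is genuine, because sender addresses can be forged; it only means none of these particular red flags fired.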
Next Steps for Enhanced Protection
To further protect themselves, individuals should consider the following actions:
- Monitor accounts and credit reports for any unusual activity.
- Change passwords regularly, especially for accounts that may use the same credentials exposed in a breach.
- Sign up for breach notification services such as "Have I Been Pwned" to receive alerts when personal information is leaked.
- Educate friends and family, especially those less familiar with digital threats, about recognising and avoiding scams.
Conclusion
The Qantas data breach serves as a sobering reminder of how exposed information can fuel sophisticated scam campaigns. While organisations must strengthen their cybersecurity posture, individuals also have a crucial role to play in protecting themselves. By staying informed, vigilant, and proactive, people can reduce the risk of falling victim to phishing and smishing scams and ensure their personal data remains secure in an increasingly connected world.
To learn more, contact your local RSM office.