Exclusive: Qantas ‘hacker’ gave airline 72-hour deadline

The incident reportedly involved cyber criminals using AI to impersonate a Qantas employee and then tricking a customer service operator in Manila into divulging crucial information.

While no group has publicly claimed responsibility, reports suggested that a hacking collective known as Scattered Spider may be behind the attack. In total, nearly 6 million customers were thought to be affected.

The documents, obtained by Australian Aviation’s sister brand, Cyber Daily, showed how, as Qantas was attempting to shape the media narrative, the apparent hackers were preparing their next moves.

Qantas first confirmed that one of its offshore offices, which hosted customer data on a third-party platform, had been compromised on 2 July, and that the initial incident of unauthorised access had occurred the day before, on Monday, 1 July.

On 4 July, at just after 6am, Qantas published another update on the incident, outlining its ongoing response and investigation to the incident, and noting that, at that time, “Qantas has not been contacted by anyone claiming to have the data, and we’re continuing to work with the government authorities to investigate the incident.”

However, later on that same day, the hackers sent Qantas several emails outlining the scope of the data impacted. Qantas provided the emails to the Supreme Court as part of its efforts to obtain an injunction against the publication or sharing of the stolen data.

VIEW ALL

Qantas received at least three emails on 4 July, all with the same subject line: “[CRITICAL – REPLY] Qantas Airways Limited Databreach/Cyberattack”. As provided to Cyber Daily, the emails were heavily redacted, but it appeared the hackers identified themselves to Qantas.

“Hello, we are [REDACTED],” the email said.

“We’re contacting you to inform you that we’re the collective that’s behind the Qantas Airways Limited (qantas.com) data breach, one of the biggest in Australia’s history, close in the rankings of the Optus, Medibank, and Latitude hacks.”

The next sentence was entirely redacted, and following that, the hackers revealed the total count of compromised records (also redacted), as well as details of what they possess, including full names, email addresses, phone numbers, dates of birth, and Frequent Flyer numbers.

The hackers also warned they had “much more” than that and said: “We will provide large samples of the data below.”

What followed was almost nine pages of what appear to be lines of data, likely each corresponding to a single customer’s data, in much the same way hackers share sample data on hacking forums.

This list was also redacted, and at the end of the email, the hackers provided a Tox address for initial contact.

The other letters were largely similar in content, though with the headers redacted, it’s impossible to know if they’re from the same individual and sent to the same Qantas representative, or from different members of the so-called collective, and sent to several contact points at the airline. All the emails included a 72-hour deadline to make contact.

What appeared to possibly be a fourth email, or perhaps a separate attachment, was entirely redacted, but appeared both lines of text and, possibly, images, all obscured.

Qantas did not initially return the hackers’ emails, and on 7 July, the apparent hacker sent a follow-up. Again, this email was heavily redacted, but it appeared to be lengthier and may outline the consequences if Qantas did not enter into negotiations with the hackers.

“This is our second attempt at reaching out to resolve this matter,” the email said. The next four or so lines are redacted, but the email continues after that.

“At this time, no information has been disclosed or distributed,” the hackers said. “If you are not the appropriate contact for this matter, please forward this message to someone with the authority to address confidential risk-related issues.”

What followed were more lines of redacted customer data, though the hackers gave Qantas another 72-hour deadline to respond. Still, the requested nature of that response was also redacted.

At this point, Qantas finally contacted the hackers, and while Qantas provided this correspondence to the court, the version provided was, understandably, almost completely redacted. All that’s readable was the subject line of the Qantas email reply, “Reaching out”.

In the exchange of emails that followed, a Qantas spokesperson sent a total of six emails after the first one, of varying lengths. In response, the airline received 11 emails, with the last three all appearing to be without a response from the airline.

In a description of the documents provided to the court, dated 16 July, Qantas said it had provided a “complete log of the email exchange between Qantas and the defendant between 4 and 15 July 2025”.

Qantas revealed on the evening of 7 July that it had been in contact with “a potential cyber criminal” but that, as the incident was an ongoing criminal matter, it “won’t be commenting any further on the detail of the contact”.

Qantas’ latest update, posted to its online News Room, said investigations were ongoing and that it was “progressively emailing affected customers”.

“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police,” Qantas CEO Vanessa Hudson said in the 9 July update.

“I would like to thank the various agencies and the federal government for their continued support.”

Qantas has declined to offer additional comment.