Qantas has confirmed that a “significant” amount of customer data has been stolen in a cyber attack.
The attack targeted a third-party platform used by a Qantas’ contact center that holds customer service records for six million people.
A preliminary review has confirmed that the stolen data includes customer names, contact details, dates of birth, and frequent flyer numbers.
The Australian flagship airline is currently notifying those who may have had their personal details compromised.
While the company has confirmed that some information has been exposed, it was also quick to emphasize that its core systems are secure and no sensitive data – such as credit card, financial, or passport details – was stolen.
Additionally, the airline reassured customers that frequent flyer accounts and login credentials were not compromised.
Following the hack, Qantas Group CEO Vanessa Hudson issued the following apology:
“We sincerely apologize to our customers and we recognize the uncertainty this will cause.
Our customers trust us with their personal information and we take that responsibility seriously.
“We are contacting our customers today and our focus is on providing them with the necessary support.
“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialized cyber security experts.”
So … Why Does This Breach Matter for CX Leaders?
It’s easy for CX leaders and contact center professionals to see the news about Qantas, think ‘thank goodness it wasn’t us’ and move on with their day.
Unfortunately, it doesn’t matter how robust you believe your security systems to be, there is always the chance that a hacker might find a weak spot.
As customer service and experience technology has become more sophisticated and powerful, so has the hacker’s toolset.
And these cyber incidents are evolving into CX emergencies, not just IT hiccups.
Industry data shows cyber events aren’t abstract risks. A recent breach is enough to cause customers to walk away, with poorly handled breaches often resulting in lasting migration away from a brand.
That lost customer loyalty can hit hard, affecting acquisition costs and CX ROI in real terms.
Even though Qantas’ breach did not include traditionally ‘sensitive’ information, it is enough to cause significant issues for customers, which may well encourage them to boycott a brand.
In an article published by The Australian, Dr Hammond Pearce from UNSW Sydney’s School of Computer Science discussed the dangers associated with having ‘insensitive’ data stolen.
“When other businesses use those pieces of personal information as well, we run the risk of whoever obtains that data being able to impersonate you and also being able to target you,” he explained.
“So when that information is leaked … it’s very frustrating.
The biggest thing that we’re worried about is impersonation … where they [hackers] can pretend to be you with other businesses that you might be registered with.
So, how should businesses respond?
It’s clear that CX can no longer be treated as an afterthought when responding to cyber attacks.
In a post on LinkedIn, Jaideep Khanduja, the Chief CX Analyst at CX Quest, summed it up nicely:
“The next time ransomware hits, it won’t just be an IT incident. It will be a CX emergency.”
CX and IT teams can’t work in silos anymore; they need to be on the same page well before an attack hits.
That means building shared protocols for how to communicate internally, what messages to send to customers, and how to escalate issues quickly and clearly.
Silence, meanwhile, is a luxury no brand can afford after a breach.
The gap left by silence invites speculation, rumors, and worse – distrust.
Qantas’ swift apology and coordinated outreach with the Australian Cyber Security Centre exemplifies how crisis communications should work.
For CX professionals, delays in addressing customer concerns only deepen suspicion, while upfront transparency can help rebuild trust faster.
The messaging needs to be clear, honest, and empathetic – spin or vague reassurances won’t cut it.
