Qantas Breach: Vishing at 35,000 Feet


✈️ What Happened

On June 30, 2025, threat actors breached Qantas via a third-party offshore call center, compromising personally identifiable information (PII) of ~6 million passengers. The attack vector was social engineering—specifically, vishing (voice phishing)—which tricked helpdesk agents into handing over access credentials to internal customer support tools.

Exfiltrated data includes:

| Data Exposed | Severity |
|---|---|
| Full names | High |
| Phone numbers | Medium |
| Email addresses | Medium |
| Dates of birth | High |
| Frequent flyer IDs | Medium |

No financial or passport data was taken, according to Qantas. But the volume and sensitivity of PII exposed present identity theft and impersonation risks.


🎯 Why It Happened

The threat actors exploited human vulnerability—specifically, the trust and urgency bias that underpins many call center workflows. In short: someone called pretending to be internal IT or another staffer, and the agent on the line didn’t verify thoroughly before granting platform access.

This was likely enabled by:

  • Overly permissive internal workflows.
  • Inadequate real-time verification steps (e.g., internal MFA override policies).
  • Lack of contextual training on modern social engineering tactics.

🔬 Why It Happened That Way

Scattered Spider—an English-speaking cyber-criminal collective specializing in social engineering—likely orchestrated the attack. Their modus operandi includes:

  • Posing as internal IT via phone or chat.
  • Harvesting credentials through panic or urgency.
  • Using legitimate access routes to stay under radar.

These techniques sidestep traditional perimeter defenses (e.g., firewalls, AV), which likely explains the attacker’s choice of method and vector. There is no public forensic evidence linking Scattered Spider definitively—yet—but the TTPs are signature.


🕵️ Who Did It

Suspected: Scattered Spider (aka UNC3944 / Muddled Libra)

| Group Trait | Detail |
|---|---|
| Motivation | Financial gain, high-profile disruption |
| Language proficiency | Native English |
| Known for | Social engineering, SIM swapping, MFA fatigue |
| Past targets | MGM Resorts, Caesars Entertainment, multiple telcos and insurance service providers |

No formal attribution yet from Qantas or authorities, but behavioral indicators (TTPs) align with this actor group with ~70% probability.


🧯 What We Did About It (So What)

For any company with a helpdesk function, this breach matters. Here’s why:

| Impact Area | Risk to Us |
|---|---|
| Social engineering | High – Similar vishing tactics can target an organisation's call center agents |
| Reputational damage | Medium – A comparable breach could erode customer trust |
| Regulatory compliance | High – Especially under APRA CPS 234 or GDPR, depending on jurisdiction |
| Operational downtime | High – Incident response and recovery could delay claims/customer support |

The breach validates the threat model where voice-based social engineering bypasses traditional email/phishing defenses and directly compromises human operators.


🧠 The Intrigue

This breach wasn’t novel in tools—but in execution. A single vishing call reportedly cracked the door open. The attack underlines:

  • The re-emergence of voice attacks as low-cost, high-impact vectors.
  • Exploitation of trusted helpdesk workflows as an initial access point.
  • Professional-level deception that thwarts basic user training.

This isn’t just a “tech breach”—it’s a psychological exploit weaponized at scale.


🔐 Recommendations for Organisations (Us)

  • 🔄 Reinforce helpdesk workflows: Disallow password resets or tool access changes over phone without multi-layer verification.
  • 🧠 Launch “Vishing Awareness” training: Role-play simulations to practice recognizing deceptive requests. Consider the native language of the call center operators.
  • 🧱 Implement adaptive access controls: Contextual MFA, geo-IP restrictions, and session logging for internal tools.
  • 🧪 Conduct regular red team exercises: Specifically targeting helpdesk operations.
  • 📜 Audit third-party vendor access: Ensure any offshore support teams follow the same security protocols.
  • 🛑 Disable fallback authentication (e.g., shared credentials): These are magnets for social engineering.
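The first, third and last recommendations above (multi-layer verification before any phone-initiated reset or access change, session logging, and no shared/fallback credentials) can be expressed as a policy check that runs before an agent is allowed to action a request. The following is an added example written for this advisory; it is not Qantas, vendor or Scattered Spider-related code. The field names, the action names, the 30-minute per-account throttle and the scenario data are all assumptions made for the illustration.

```python
"""Helpdesk access-change verification policy (added example, not Qantas code).

A request to reset a password or change tool access must clear several
independent layers; every failed layer is recorded so the agent sees why the
change is refused. Names, actions and the throttle window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Actions that change what an account can do, not just how it signs in.
PRIVILEGED_ACTIONS = {"mfa_reset", "grant_tool_access", "role_change"}
RESET_THROTTLE = timedelta(minutes=30)  # assumed: one change per account per window


@dataclass
class Request:
    account: str                    # account the change is requested for
    action: str                     # e.g. "password_reset", "grant_tool_access"
    channel: str                    # "phone", "chat" or "ticket_portal"
    agent: str                      # helpdesk agent handling the request
    callback_verified: bool         # agent called back the number on record
    ticket_id: Optional[str]        # ticket opened via an authenticated portal
    second_approver: Optional[str]  # second person who confirmed the change
    shared_credential: bool         # request leans on a shared/fallback credential
    requested_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request, last_change: dict) -> Decision:
    """last_change maps account -> time of its most recent approved change."""
    reasons = []
    if req.shared_credential:
        reasons.append("shared/fallback credentials are not proof of identity")
    if req.channel == "phone":
        # Caller ID and a convincing voice prove nothing: require an
        # out-of-band callback and a ticket from an authenticated channel.
        if not req.callback_verified:
            reasons.append("phone request without callback to number on record")
        if req.ticket_id is None:
            reasons.append("phone request not tied to an authenticated ticket")
    if req.action in PRIVILEGED_ACTIONS:
        if req.second_approver is None:
            reasons.append("privileged change requires second-person confirmation")
        elif req.second_approver == req.agent:
            reasons.append("second approver must not be the handling agent")
    prev = last_change.get(req.account)
    if prev is not None and req.requested_at - prev < RESET_THROTTLE:
        reasons.append("repeat change on the same account inside throttle window")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_record(req: Request, decision: Decision) -> dict:
    """Structured log entry: who actioned what, over which channel, and why."""
    return {"ts": req.requested_at.isoformat(), "agent": req.agent,
            "account": req.account, "action": req.action, "channel": req.channel,
            "allowed": decision.allowed, "reasons": list(decision.reasons)}


# --- Constructed scenarios (illustrative only, not real breach data) --------
T0 = datetime(2025, 6, 30, 9, 0)


def vishing_scenario() -> Decision:
    """Caller claims to be internal IT and wants tool access granted on the spot."""
    req = Request("support-user-17", "grant_tool_access", "phone", "agent-A",
                  callback_verified=False, ticket_id=None, second_approver=None,
                  shared_credential=False, requested_at=T0)
    return evaluate(req, {})


def compliant_scenario() -> Decision:
    """Same channel, but the callback and ticket layers were completed first."""
    req = Request("support-user-17", "password_reset", "phone", "agent-A",
                  callback_verified=True, ticket_id="INC-0001", second_approver=None,
                  shared_credential=False, requested_at=T0)
    return evaluate(req, {})


def throttled_scenario() -> Decision:
    """An otherwise valid second reset ten minutes after the first is refused."""
    req = Request("support-user-17", "password_reset", "phone", "agent-A",
                  callback_verified=True, ticket_id="INC-0002", second_approver=None,
                  shared_credential=False, requested_at=T0 + timedelta(minutes=10))
    return evaluate(req, {"support-user-17": T0})
```

Running `vishing_scenario()` returns a denial with three separate reasons (no callback, no ticket, no second approver), which is the point of layering: an attacker who talks an agent past one check still fails the others. `audit_record` is what the session-logging recommendation feeds; keeping the refusal reasons in the log lets a later review spot agents who repeatedly attempt phone-only changes.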

🎤 Final Thought

In the sky or on the ground, it only takes one call center employee to forget their script—and your customer data takes a nosedive.


📝 📌 Organization-Specific Action Log

Use this space to document what your organization has done (or plans to do) in response to the advisory. This makes it easier to brief internal stakeholders, auditors, or regulators.

Note: You can copy this section into your internal Confluence/wiki, risk register, or incident response notes.


🛠️ Internal Review Summary

| Review Area | Status / Notes |
|---|---|
| Exposure to vishing-style attacks | [e.g., “Reviewed helpdesk call workflows. No MFA bypass detected.”] |
| Helpdesk authentication SOPs | [e.g., “Updating to require second-person confirmation for all reset requests.”] |
| Vendor support access | [e.g., “Auditing offshore vendor access this quarter.”] |
| Incident simulation planned? | [Yes / No / Planned Date] |
| Staff training required? | [Yes / In Progress / Completed on: DATE] |
| Controls added or revised | [e.g., “Disabled SMS fallback; geo-restricted admin portal.”] |
| Leadership briefed? | [Yes / No / Scheduled] |

📅 Next Steps / Implementation Plan

- [ ] Conduct tabletop vishing scenario test with SOC/helpdesk teams.
- [ ] Draft updated SOPs and circulate for review.
- [ ] Schedule awareness session with internal teams.
- [ ] Reassess vendor contract clauses for breach notification and SOC alignment.

✔️ Recommendation: Save a copy of this completed section for your risk committee, audit team, or regulatory reporting. If you’re using a GRC platform, attach this log to your ongoing control review record.