Teen hackers behind M&S cyber attack stole personal data of 5.7 million Qantas customers, airline reveals

The hacking group, known as Scattered Spider, is mostly made up of teenagers from the UK and US, according to the FBI, and began attacking airlines in recent weeks after successfully breaching industries spanning telecom, finance, gaming, hospitality and retail.

In an updated statement to customers, Qantas said that phone numbers had been stolen, as well as email addresses, addresses, dates of birth, genders and in some cases meal preferences.

The company added that no payment details or passport information were lost, while current evidence suggests that none of the personal data has been released by the hackers.

“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” said Qantas CEO Vanessa Hudson.

“Since the incident, we have put in place a number of additional cyber security measures to further protect our customers data, and are continuing to review what happened.”

A forensic investigation into the incident is currently underway.

The update from Qantas comes as four people alleged to be associated with Scattered Spider were arrested in the UK.

The three males and one female were arrested on suspicion of blackmail, money laundering and offences related to the Computer Misuse Act.

“The fact that arrests have been made so quickly in connection with a ransomware campaign – all too often regarded as an ‘anonymous’ crime, whereby the perpetrators remain out of reach behind the borders of the nations who harbour and tacitly encourage them – is notable,” Ted Cowell, head of cyber security at S-RM, told The Independent.

“Intelligence sharing and proactive cooperation is better in this space than it’s ever been, and I think that is a big part of the success story here.”