Qantas has confirmed that a cybercriminal walked through a third-party Salesforce-hosted customer-service platform used by a Manila call centre and walked out with personal data on 5.7 million customers. Darktrace's Toby Lewis says the breach bears the hallmarks of Scattered Spider - the crew behind Marks and Spencer, Co-op and Harrods last spring and now WestJet, Hawaiian Airlines and Qantas. It is the first big confirmed casualty of the airline wave the FBI, Mandiant and Palo Alto Unit 42 warned about last week. Three jobs fit the 14 days before the Cyber Security and Resilience Bill's Lords second reading on Tuesday 14 July 2026: list the suppliers who can change records or reset credentials on your behalf, send them a four-question side-letter on help-desk verification, and extend your DUAA Section 164A complaints page to name the supplier route.
Key takeaways
- Qantas confirmed on Tuesday 30 June 2026 that a cybercriminal walked through a third-party Salesforce customer-service tenant operated for the airline by a Manila-based call centre and walked out with personal data on 5.7 million customers - names, email addresses, phone numbers, dates of birth and frequent-flyer numbers. Toby Lewis, global head of threat analysis at the UK cyber firm Darktrace, has said publicly that the attack bears the hallmarks of Scattered Spider, the same crew behind Marks and Spencer, Co-op and Harrods between April and May 2025 and now named in the airline wave alongside WestJet and Hawaiian Airlines.
- The vector matters more than the brand of the platform. The Salesforce tenant was working as advertised. A contact-centre agent in Manila was socially engineered - current reporting suggests via a phone call that may have used AI voice impersonation of an internal IT person - into granting unauthorised access, and the attacker pulled records out of the CRM. The same playbook took down Marks and Spencer, Co-op and Harrods. The Qantas confirmation is the first time the international-aviation-via-outsourcer version has been pinned down in a single sentence.
- Translation for UK schools, charities and SMBs: the Manila call centre maps to your outsourced finance bureau, payroll provider, school-MIS hosting partner, donor-management platform, IT helpdesk MSP, customer-service outsourcer, HR ticketing system and fundraising-platform vendor. The Salesforce tenant maps to whatever SaaS platform sits behind them - Microsoft Dynamics, Zendesk, Freshdesk, Bromcom, Arbor, ParentPay, ParentMail, Donorfy, Beacon, Iris, Sage, Civica, Capita. The 'agent on the phone' maps to whoever is empowered to reset a password, add an MFA device or change an email address on a record on your behalf.
- The Cyber Security and Resilience (Network and Information Systems) Bill heading into its Lords second reading on Tuesday 14 July 2026 expressly brings medium and large managed service providers - 'relevant managed service providers' - into the scope of the NIS Regulations for the first time. Schools, charities and SMBs are not in the direct NIS perimeter, but every one of them buys from suppliers who will be, and the autumn 2026 procurement-questionnaire cascade is the practical lever that reaches the audience first.
- Three jobs fit the 14 days before the Lords second reading. First, by Friday 3 July, list the suppliers who can change records, reset credentials or speak to your people on your behalf - eight to fifteen rows, five columns, the public-facing ones before the IT vendors. Second, by Friday 10 July, send those suppliers a four-question side-letter on phishing-resistant MFA, caller verification stronger than date-of-birth-and-postcode, cooling-off delay on credential and MFA changes, and refusal of password resets requested under time pressure. Third, by Tuesday 14 July, extend your DUAA Section 164A complaints page with a named supplier list and a single complaints inbox that covers supplier-side issues.
The first confirmed casualty of the airline wave landed on the UK desk this morning. Qantas, Australia's flag carrier, has confirmed that a cybercriminal walked through a third-party customer-service platform used by one of its contact centres and walked out with personal data on 5.7 million customers — names, email addresses, phone numbers, dates of birth and frequent-flyer numbers. No payment-card data, no passport numbers, no passwords. The compromised platform was a Salesforce tenant operated for Qantas by a Manila-based call-centre provider, and Toby Lewis, global head of threat analysis at the British cyber firm Darktrace, has said publicly that the attack bears the hallmarks of Scattered Spider — the same crew that took down Marks & Spencer, Co-op and Harrods between April and May 2025 and that the FBI, Mandiant and Palo Alto Networks' Unit 42 warned last week had pivoted to aviation. WestJet and Hawaiian Airlines are already in the same bracket. Qantas is the third airline casualty in three weeks, and the first big public one to confirm — to the customer count, to the data fields, to the third-party-platform vector — within twelve hours of the incident being detected.
Yesterday's post on this blog walked through the help-desk social-engineering vector and prescribed three jobs to do in the fifteen days before the Cyber Security and Resilience (Network and Information Systems) Bill's Lords second reading on Tuesday 14 July 2026. The window is now fourteen days. The Qantas confirmation does two things for the UK schools, charities and small businesses I write for. First, it converts an FBI advisory and three vendor warnings into a worked example that the audience can map onto their own outsourced customer-service, support and back-office providers. Second, it shifts the centre of gravity from the help-desk inside your own organisation — yesterday's frame — to the help-desk inside your suppliers' organisations. Most schools, charities and SMBs do not run their own call centre. Most of them do run on at least one outsourced or SaaS-hosted platform where a third-party operator's help-desk is the front door to their data. That is the front door Scattered Spider walked through at Qantas.
The vector matters more than the brand of the platform. Salesforce in itself is not the story; the Salesforce tenant was working as advertised. The story is that a contact-centre agent in Manila, working on that tenant, was socially engineered — current reporting suggests via a phone call that may have used AI voice impersonation of an internal IT person — into granting unauthorised access. From there, the attacker pulled customer data out of the CRM record by record. Mandiant's Charles Carmakal walked through the same playbook last week: legitimate logins, no exploit, no malware, just a human being on the help desk who said yes to the wrong caller. The Qantas confirmation is the first time the public can read it as a single sentence: a vishing call to a Manila call centre, hosted on a SaaS CRM, pulled 5.7 million customer records. M&S, Co-op and Harrods last year were the UK retail version. WestJet and Hawaiian Airlines over the past three weeks have been the North American aviation version. Qantas is the international-aviation-via-outsourcer version.
Translate that to a primary-school MAT, a mid-sized charity or a fifty-person SMB. The Manila call centre maps to your outsourced finance bureau, your payroll provider, your school-MIS hosting partner, your CRM partner, your donor-management platform, your IT helpdesk MSP, your customer-service outsourcer, your HR ticketing system, your fundraising-platform vendor and the cloud-PBX number on the front of your phone tree. The Salesforce tenant maps to whatever SaaS platform sits behind any one of those services — Microsoft Dynamics, HubSpot, Zendesk, Freshdesk, Bromcom, Arbor, ParentPay, ParentMail, Donorfy, Beacon, Salesforce itself, Iris, Sage, Civica, Capita, the lot. The "agent on the phone" maps to whatever human being is empowered to reset a password, add a multi-factor-authentication device, change an email address on a record, or grant access to a parent or trustee on your behalf. The FBI advisory of 27 June covered that human being. Qantas confirms what happens when that human being is sitting at someone else's desk on someone else's payroll under your contract.
This is also where the Data (Use and Access) Act 2025 tightens the screws. We are on Day 11 of the DUAA complaints duty under Section 164A. The Cyber Security Breaches Survey 2025/2026 baseline — 38 per cent of UK businesses hit by phishing in the past twelve months — was already the audience's diagnostic before the airline wave landed. A breach at a supplier that holds your data is still your breach for the purposes of the duty to data subjects: when a parent, donor or customer writes to you in the next fortnight asking what happened to their record because it was held on a platform you no longer fully control, the law expects a structured response within thirty days. Posting a notice on your website that says "we use a third-party platform and we are looking into it" is not, on its own, a structured response.
The Bill heading into its Lords second reading on 14 July sharpens this further. As techUK and Travers Smith have both walked through, the Bill expressly brings medium and large managed service providers — what the Bill calls "relevant managed service providers" — into the scope of the Network and Information Systems Regulations for the first time. The MSP that runs your IT helpdesk, the MSP that hosts your CRM, the MSP that operates your contact-centre platform on your behalf: all three were outside the NIS perimeter under the 2018 Regulations, and all three will sit inside the perimeter once the Bill clears Royal Assent later in 2026. Phasing is expected through to 2028, which is a long runway in legislative time and a short one in attack-cycle time. The audience this blog is written for is not in the direct scope of the new NIS duties — schools, charities and SMBs below the relevant headcount and turnover thresholds remain outside — but every one of them buys services from suppliers who will be in scope, and the autumn 2026 procurement-questionnaire cascade from those suppliers is the practical lever that will reach the audience first. Job Two below uses that lever.
Three jobs for the next fourteen days. None of them are about your perimeter. The perimeter work — the patch hygiene the FortiBleed cleanup post walked through eight days ago — still has to happen, and the help-desk work inside your own four walls from yesterday's post still has to happen. These three add the supplier-side layer that Qantas has just made the most concrete example of.
Job One: list the suppliers who can change records, reset credentials or speak to your people on your behalf. By Friday 3 July. Open a spreadsheet. One row per supplier. Five columns: who they are, what platform they run on, who at the supplier is allowed to reset passwords or change records or add MFA devices, what verification they perform on the caller before they do that, and who at your organisation has signed off on that process. Do not start with the IT vendors. Start with the ones who handle members of the public on your behalf — the call-centre overflow line, the donor-services bureau, the parent-payments helpline, the recruitment-application desk, the trustee-portal support inbox. Add the IT vendors second. Eight rows is enough; fifteen is plenty. If the fifth column is blank for any row, that row is a Qantas waiting to happen.
Job Two: send a four-question side-letter to the suppliers on the list by Friday 10 July. Four questions, on email, asking for an answer in writing in five working days. Question one: confirm that the platform you run on our behalf has phishing-resistant multi-factor authentication enabled for every administrator and every agent who can change a customer record, and tell us which factor — a hardware key, a passkey, or a platform-bound authenticator. Question two: confirm that your help-desk staff verify callers using something stronger than a date of birth, a postcode or the last four digits of a number on the record itself, and tell us what that something stronger is. Question three: confirm that credential resets, MFA-device additions and email-address changes on records carry a cooling-off delay long enough for the legitimate account holder to spot and stop a malicious change, and tell us what the delay is. Question four: confirm that your help-desk staff are instructed to refuse password resets, MFA additions and record changes requested under time pressure on a phone call, and tell us how that is enforced. The questions are written so a competent supplier can answer them in a single email. The autumn 2026 procurement-questionnaire cascade that the GCHQ "moment of consequence" post walked through becomes much easier to handle if the answers are already on file.
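What Question three is actually asking for, as an added example and not code from Qantas, Salesforce or any supplier: a sensitive change requested by a help-desk agent is held for a delay window, the notice goes to the contact details on file before the change, and the real account holder can veto it. The field names, the 24-hour window and the record layout are assumptions for illustration.

```python
# Added example (not Qantas's, Salesforce's or any supplier's code): the
# cooling-off hold Question three asks suppliers about. An agent can request
# an email or MFA-device change, but it applies only after a delay, and the
# notice goes to the contact on file BEFORE the change so the real holder can
# veto it. Field names and the 24h window are assumptions; times are Unix secs.
from dataclasses import dataclass

SENSITIVE_FIELDS = {"email", "mfa_device"}   # changes that get a hold
COOLING_OFF = 24 * 3600                      # assumed window, in seconds

@dataclass
class PendingChange:
    record_id: str
    field_name: str
    new_value: str
    requested_by: str      # help-desk agent id, kept for the audit trail
    requested_at: int
    cancelled: bool = False

class RecordStore:
    def __init__(self, records):
        self.records = records                 # {record_id: {field: value}}
        self.pending, self.notices = [], []    # notices: (old contact, text)

    def request_change(self, record_id, field_name, new_value, agent, now):
        record = self.records[record_id]
        if field_name not in SENSITIVE_FIELDS:
            record[field_name] = new_value     # low-risk field: apply at once
            return None
        change = PendingChange(record_id, field_name, new_value, agent, now)
        self.pending.append(change)
        self.notices.append((record["email"], f"{field_name} changes at "
                             f"{now + COOLING_OFF} unless you reply to cancel"))
        return change

    def cancel(self, change):
        change.cancelled = True                # holder (or agent) vetoes it

    def apply_due(self, now):
        applied, still_pending = [], []
        for c in self.pending:
            if c.cancelled:
                continue                       # vetoed: drop it
            if now >= c.requested_at + COOLING_OFF:
                self.records[c.record_id][c.field_name] = c.new_value
                applied.append(c)
            else:
                still_pending.append(c)
        self.pending = still_pending
        return applied
```

The point a supplier's answer should make clear is the order of operations: notice to the old contact first, change second, and never the other way round.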
Job Three: extend your DUAA complaints page so it names the supplier route. By Tuesday 14 July, the day of the Lords second reading. The Section 164A duty already requires a complaints route. The Qantas case shows that data subjects need to be able to complain when their record was held by a supplier, not just when it was held by you. Add two lines to the public-facing page. Line one: a list of the suppliers who hold your data subjects' records on your behalf, named, with a one-sentence description of what each one does. Line two: a single complaints inbox at your organisation that handles supplier-side issues as well as your own, with a thirty-day acknowledgement promise. This is the same complaints inbox the DUAA Day-One post walked through, extended to cover the supplier tier. Put the named board sponsor from the Cyber Resilience Pledge Action 1 on the page as the responsible owner.
What is not in this post. We are not predicting whether Scattered Spider, or the affiliate cluster that some researchers are calling Scattered Lapsus$ Hunters, will name a UK casualty in the next fortnight. The major UK carriers — British Airways, easyJet, Virgin Atlantic, Jet2 and Wizz Air UK — have not been reported hit, and the M&