Qantas, Australia's flagship airline, suffered a massive data breach and it all started with a phone call. Back in June, hackers contacted staff at the Qantas call center in Manila, Philippines. They pretended to be employees, knowing exactly what to say. They sounded legitimate enough that when they asked for access to the company systems, staff granted it. That technique, tricking people over the phone, is called vishing, or voice phishing.

Once inside, the hackers had access to about 6 million customer records: names, emails, phone numbers, home addresses, and dates of birth. They started pulling the data out of the system immediately. Qantas detected the breach the same day and moved quickly to contain it, locking down systems and stopping the intrusion. But by then, it was too late. The hackers had already extracted what they came for.

Mid-July, the attackers made contact with a ransom demand. "Pay up or we release everything" was essentially their message. Qantas refused. The Australian government's position was clear: don't negotiate with cyber criminals. It only encourages more attacks.

So the hackers made good on their threat. In October, they dumped all 5.7 million customer records onto the dark web. A criminal collective, consisting of Scattered Spider, Lapsus$, and Hunters claimed responsibility. But Qantas wasn't their only target. They'd been running the same playbook against Disney, Google, IKEA, Toyota, Air France, and KLM. All hit using the same method. All compromised the same way.

What makes this breach particularly unsettling is how low-tech it was. There was no zero-day exploit, no sophisticated malware, no years of planning. Just a phone call and someone convincing enough to sound like they belonged.