Qantas blames ‘systems change’ on app privacy breach

The airline, led by Vanessa Hudson, says a major data breach impacting the Qantas app has now been resolved and has apologised to customers.

Qantas says it has resolved an issue with its mobile phone app that allowed customers to access flight bookings and frequent flyer account details of other travellers.

The airline offered a “sincere apology” to customers impacted by the issue, and said investigations indicated it was related to recent system changes.

“At this stage, there is no indication of a cyber security incident,” said a Qantas spokesman on Wednesday.

He said the issue was isolated to the Qantas app, adding that the data breach was limited to customers’ names, upcoming flight details, points balance and status.

“No further personal and financial information was shared and customers would not have been able to transfer or use the Qantas points of other frequent flyers,” the spokesman said.

“We’re not aware of any customers travelling with incorrect boarding passes.”

Top tier frequent flyer Alborz Fallah, the founder of carexpert.com.au, was among those caught up in the incident, which he described as a “massive security breach” of the Qantas app.

“Every time I launch the app it gives me someone else’s account, their boarding pass, points score and status tier,” said Mr Fallah.

“Not only can I see where these random people are flying, I can also seemingly initiate a frequent flyer points transfer or book a flight under their name. I can also see all their booking reference numbers, so I could cancel their flights — everything, really.”

Posts on the Frequent Flyer Australia Facebook group revealed widespread issues, with some users getting access to boarding passes and personal details of other travellers.

Troy Foster said “first I was Sally now I am Caroline, and I’m going to Singapore, not Brisbane. Serious data breach”.

The Qantas app is creating major headaches for the airline after what appears to be a data breach.

Earlier, Qantas said it was “urgently working to resolve the issue” and investigating whether it was caused by recent system changes.

Mr Fallah said it was “funny in some ways but also a genuinely serious issue” particularly for high level frequent flyers with points balances in the millions.

“It really is a pretty shocking security breach,” he said.

The Qantas spokesman recommended customers logged out and then in again to their frequent flyer account on the Qantas app.

Texts were being sent to travellers informing them the issue had now been resolved, and apologising.

It is the second time in a year that Qantas has experienced a major IT issue as a result of internal work.

In September 2023, a change to a cloud-based management system for Qantas’ freight operations resulted in a huge backlog of cargo, with containers building up at ports, unable to be delivered for days or even weeks.

Monash University cybersecurity expert Muhammed Esgin said it was cause for concern when people could see personal information about other Qantas customers.

“Many companies store customer information in a database and mobile applications need to first authenticate a customer to make sure that it is really the right person being granted access,” said Dr Esgin.

“Then typically the app is allowed to retrieve information from the database about that particular user only and not others, unless permission is granted. The issue seems to be that somehow the app is retrieving private information about other users.”

The Qantas frequent flyer program has more than 15 million members who are encouraged to use the app for flight bookings, boarding passes, flight details and updates on their points balance.

Originally published as Qantas blames ‘systems change’ on app privacy breach

Original URL: https://www.couriermail.com.au/business/qantas-investigating-breach-of-app-privacy-in-bizarre-hack/news-story/fcbee9493ef6b999e8ed922b55367512