Qantas Data Breach: 5.7 Million Exposed in Third-Party Cyberattack

Qantas Cyberattack Exposes Sensitive Data of Millions, Underlining Third-Party Risks

Qantas, the national airline of Australia, has reported a significant cyberattack that has compromised the personal information of approximately 5.7 million customers. This breach, which targeted a third-party call center platform, raises pressing concerns about cybersecurity across the aviation industry and its extensive network of external suppliers. The incident follows a trend of high-profile breaches affecting international airlines, highlighting an evolving strategy among cybercriminals.

The disclosure of the breach, which occurred at the end of June, revealed that a vast array of customer data was stolen. Compromised information includes names, email addresses, frequent flyer details, and in some cases, home addresses, birth dates, phone numbers, gender, and meal preferences. This incident has prompted increased scrutiny of third-party risk management, as the attack did not penetrate Qantas’ internal systems but exploited weaknesses in an external service provider.

This breach aligns with recent warnings from the Federal Bureau of Investigation regarding the activities of hacker groups such as Scattered Spider. Cybersecurity experts like Praneil Kumar, Incident Response Lead for Coalition in Australia, have highlighted parallels between the tactics utilized in the Qantas breach and those previously employed by Scattered Spider. “This group is known for its sophisticated and coordinated attack techniques and has recently shifted its focus toward the airline industry,” Kumar noted, elaborating on the group’s modus operandi. They target large organizations and their IT help desks through methods including social engineering, credential theft, and supply chain extortion, making any business reliant on remote access systems vulnerable.

Andrew Obadiaru, Chief Information Security Officer at Cobalt, emphasized that the Qantas incident underscores a systemic issue: security validation often fails to extend to third-party platforms handling significant volumes of customer data. Obadiaru advocates for organizations to move past trust-based vendor relationships and instead implement continuous offensive security testing across their service ecosystem. “Tools like red-teaming and ongoing penetration testing are essential to identify vulnerabilities before adversaries do,” he stated, calling for comprehensive third-party risk management to ensure all vendors maintain robust security protocols.

The tactic employed in the Qantas breach, known as “island hopping,” involves cybercriminals gaining access to a business by first infiltrating a less-secure link within its supply chain. Tim Eades, CEO and co-founder of Anetac, characterized the Qantas attack as a textbook example of this approach, warning that as organizations fortify their own defenses, attackers are increasingly targeting third-party platforms that may have weaker controls. “Once they gain entry, they can exploit identity vulnerabilities—such as compromised credentials or poorly monitored access—to navigate into the core environment,” he explained.

Eades also pointed out that the increasing use of artificial intelligence in such attacks is accelerating their complexity and reach. AI technologies can facilitate convincing phishing schemes and automate identity exploitation, amplifying the impact of cyber incidents. Referencing a recent AI-driven breach involving McDonald’s, Eades cautioned against the rapid rollout of AI tools without sufficient oversight, noting that this expansion of the attack surface poses significant risks across all sectors. He stressed that enterprises need to implement continuous identity verification, enforce least-privilege access, and adopt a Zero Trust framework throughout their partner ecosystems.

The threat landscape is particularly daunting for smaller businesses, Kumar noted. While breaches at large corporations like Qantas dominate headlines, smaller organizations often lack the resources and cybersecurity infrastructure to effectively respond to attacks. According to Coalition’s research, while larger firms may have more robust recovery capabilities, smaller enterprises can suffer devastating consequences, making cyber risk a critical issue for their business continuity.

In response to the Qantas breach, experts are advising enterprises of all sizes to take actionable steps toward bolstering their cybersecurity posture. Enhancements to multi-factor authentication, improved security protocols for help desks and call centers, rigorous monitoring of third-party access, and investment in continuous threat detection capabilities are all critical measures that organizations should consider. The consensus among cybersecurity professionals is that businesses must not solely rely on their internal defenses but instead proactively manage risks across their entire network of suppliers and digital partners, using frameworks such as the MITRE ATT&CK Matrix to guide their risk management efforts.
