Parallel Lines

What does the Qantas Cyber Security breach teach us?

  • Writer: KZ
  • Oct 4
  • 9 min read
securikiwi

There has been another security breach at an Australian company, so what does the recent cyber security breach teach us about cyber security readiness?


First, we will go into a brief overview of the incident with impacts to the general landscape as well as considerations for individuals caught up in this. Then we will discuss the lessons to be learned with some recommendations for companies and individuals.


Incident Overview:


What was compromised?

The Qantas security breach (9th July 2025) compromised the personal information of 5.7 million customers, including:

  • Names

  • Email Addresses

  • Frequent Flyer Details

  • Home Addresses*

  • Birthdates*

  • Gender*

  • Phone number*

  • Meal preferences*


(* = Appears to be for certain records only and not across the entire 5.7 million affected people).


How did this happen?

The issue occurred when a third-party supplier was breached and hackers then leveraged that supplier's access to reach secure data within Qantas.


What does this mean exactly?

Third parties cover a wide range of products in an IT environment, such as firewalls, software, networking, security and maintenance, so it is a broad term. One common link between third-party suppliers is an increased level of access and implied trust: they get higher privilege within secure systems because they are seen as 'part of the solution' and are usually there to help keep things running and secure (irony!).

So, when one of these companies has a security issue, malicious actors use its increased privilege and access to reach things they should not.


In the real world you can think of this as a locksmith. You give the locksmith the trust and access to fit a nice robust lock on your front door to protect you from criminals. The locksmith themselves are trustworthy, so you don't worry about them. What you don't know for sure is how securely they keep their locks. If a locksmith leaves their new locks and keys where anyone can get them (and, say, steal a spare or even get one copied), then as soon as your lock is installed the malicious actor waits for their opportunity and lets themselves into your property.


This is very similar to what happens in these third-party attacks.


Who carried out the attack?

While attribution can usually be quite tricky, this attack has been linked to a group named Scattered Spider because of its similarity to attacks against other targets. While it is not 100% guaranteed to be them, the confidence level is high enough for the group to be named online.

(For those who are unsure what this means, think of Home Alone, where Marv would flood the houses they burgled and the police were able to identify each and every house they hit.)


Impacts:


Personal:

If you were personally affected by this breach, hopefully Qantas has sent you an email by now to inform you of this. If you suspect you may have been affected but have not received an email, go to Qantas' public website and call their support phone number to query. Remember if you used an old email address or don't regularly check your SPAM or JUNK folder, you may have missed the notification.

If you were affected, you should be aware of how this data could be used by malicious actors. The recommendations further down cover the steps you might want to consider.


The data could be used to sign up for accounts (online platforms, credit/bank account applications, finance applications). Most of these attempts are likely to fail when the institution sends out verification emails, letters or phone calls, but you should be mindful of someone trying to sign up for these things. If you get many of these types of communication, you may want to consider methods to reduce the risk posed by the information being 'out there'.


You may also see more targeted messages trying to encourage you to click on something such as a link or document. They may include very specific information such as your name, address and food preference, for example: "Hey 'X', we deliver Vegan food in your area of 'X', click here for 75% off!", which may be just enough to pique your interest so that you click the link. This would then open you up to malware, which may compromise your device and all information and access on that device.


With frequent flyer information, you may find similar targeted emails about where you go frequently. There is also a remote possibility that if you regularly leave for trips, they may know when your house is unoccupied - although I should stress that this is extremely remote.


Business:

The impact on the business in question (Qantas) is largely going to be reputational, at least initially. Trust is certainly going to be lost, and with some people it will be impossible to win back. They will also find shares dropping and customers going with other airlines, affecting their income, as well as the future possibility of fines and legal action should it end up in the courts.

The company is going to have to restore confidence by showing it is able to respond to, manage and recover from this incident in an appropriate way, with good communication with the affected customers at all stages. It will also want to ensure that how it manages security around third-party suppliers is addressed, and then publicly acknowledge that this has changed (although it will likely not go into specifics, as this is sensitive information).


Qantas may also decide to drop that specific Third Party due to a lack of security on their end, which means a large (and potentially expensive) project to replace them with another competitor. This can take a long time to achieve with great confidence, which also means relying on that third party until the project is complete.


There is also an interesting secrecy bid for protecting the details of Qantas lawyers working on this, with the aim being to protect their safety from hackers.


The data for this breach has not been released publicly as of writing this article. If this does happen, Qantas is going to have more damage control to do, as the data is then available for anyone to download and examine. Qantas will have to monitor this and have a plan in place to manage the impact should this data leak. This also means that if the data is found to be sold privately to other hacker groups, Qantas will need to ensure that affected customers are made aware. If they find out that this is occurring and do nothing, their reputation will drop even further, and it may land them in some legal trouble if they could have acted to prevent the data being misused, leading to customers becoming victims.


Lessons learned:


Public:

Sadly, the main lesson for the public is to be aware of the signs. The way the world works means you cannot keep a lot of this information private without becoming a hermit. However, here are a few tips to help you adjust your approach and minimise the impact these breaches will have:

  • Multiple email addresses

    • Create multiple email addresses (at least 2) so that you can have one for companies and one for financial or secure services.

    • If your email address is compromised in the Qantas leak, but you have a different email address for your bank - you are in a stronger position with less to fix.

  • Multi factor authentication (MFA)

    • Enable MFA on all your accounts that offer it, whether this is through an Application, Email, Text or Phone call - you should ensure it is set up.

    • If a site/service does not offer MFA - ensure you use that email address that has nothing sensitive attached to it.

    • MFA is often your first alarm when something goes wrong. If you get a sign-in notification that is not you, you need to change the password immediately.

  • Be very suspicious of all emails

    • Every email you receive could be a finely crafted message to trip you up, usually when you are in a hurry.

  • Consider using a service to check and monitor for your data being used.

    • Several services exist that monitor your data, where it exists and whether your details are used to apply for anything. They usually also offer to remove your data for you, which can help you keep your online fingerprint as small as possible without having to invest time and effort.

    • If you use a third-party service, always check the reviews and evaluations to ensure it is legitimate.

    • Example services:

      • Incogni

      • Deleteme

      • Optery

      • Privacy Bee


These are just some of the methods that can help you reduce the impact of these incidents, but remember that you will never stop these things happening. Companies will be breached, even if they do everything right - the threats evolve and can sometimes get ahead of companies. This means that your best approach is to prepare to minimize the impact when these events occur.


Business:

Businesses should learn that security is something you cannot afford to be complacent with. You may have ticked all the boxes several years ago, but how often do you do an in-depth review?

Companies need to ensure their third-party suppliers don't just take a box-ticking approach to their security, but adopt it as a culture and maintain it. You will need to audit them and get the evidence to back up their claims; an Excel spreadsheet with tick boxes and 8-word sentences does not cut it. You may want to hire an outside company to red team (pen test) not just your company, but the third party as well - this of course needs to be agreed with said third party in some way. If a company outright refuses to let you test them, that should be a red flag and you may want to investigate further.


Let's say you want a blind test of your supplier. The best way is to contact the CEO and confirm with them that only a limited number of people are to be aware this will happen (dates should be unclear and in a window of time), and that those people are not to tip off their teams or go hands-on themselves. This will give you a good idea of how the company performs. Their reaction to you proposing this type of test will also be very telling of their confidence level in the service they provide.


Companies need to ensure they have the right monitoring, response teams, policies, playbooks and all the other apparatus of a good cyber security environment ready. This includes in-house specialists. You may not be able to hire a full team, but you should have someone who knows the ins and outs of cyber security to manage the third parties and ensure coverage of the whole spectrum of threats. If you are trusting your security to outsiders entirely, you are taking a risk on people who do not have a direct interest in your company.


Bring in external consultants. The scope of this will vary depending on your company, but penetration testing companies, governance and compliance auditors, consultants, specialists and more are available to come into your company and help highlight focus areas. Often these teams can guide you towards solutions and suppliers who are trusted and within your budget.


How can we help?

Well you all knew this section was coming! We can help the public with articles such as these where we help to guide you in security related matters. Got a question? Send us a message and we will aim to get back to you (free of charge) with some advice, if the problem is serious we may direct you to someone in your area who can help with more complex issues - however our advice will be free.


For companies, we can consult on any of your issues, we have services that provide 24x7 Anti Virus, Incident Response, Backup and Recovery, Patching and remote patching/support, Monitoring and alerting and Awareness training. We also handle more complex issues including security standards (PCI DSS, ISO27001, GDPR) with recommendations and project guidance. We also offer next gen CCTV, access management, environment sensors and alarms.


How do we, a small company, manage this type of work? We have partnered with industry leaders who provide the end solution; they have the personnel, hardware, support and capacity to manage the solutions. We design the solution with you and manage the delivery of the projects with all the headaches taken away, with a solution that fits your budget (thanks to our partners providing us with special rates and deals).


Summary:


In summary, this is another breach that affects Australia. It is not unique, and the breaches are just going to keep coming. The key thing for people and businesses alike is not to panic and live in fear, just prepare and be aware.

Keep up to date with news, alerts and bulletins - and a quick fix when the issue occurs will save you a lot of hard work later! Let us know if we can help you!
