
The cyberattack targeting Qantas customers’ personal data is the latest in a series of breaches affecting millions of Australians. Detected on June 30, the breach originated from a third-party customer servicing platform used by one of the airline’s contact centres. Cybersecurity experts warn that this incident underscores a broader issue: corporate Australia’s cybersecurity measures are inadequate.
Dr Hammond Pearce, a lecturer in computer science and engineering at UNSW, described the breach as “disappointing and frustrating,” highlighting a dangerous complacency among major companies. “It’s disappointing and frustrating that a company of this size and means, one which has tremendous importance to everyday Australians, is unable to safeguard our data,” Dr Hammond said.
Though the breach was contained, it potentially compromised names, phone numbers, email addresses, dates of birth, and frequent flyer numbers. Fortunately, credit card details, passports, and login credentials were not affected. The cybercrime group Scattered Spider, known for targeting large organizations through helpdesk systems operated by third-party platforms, is suspected of orchestrating the attack.
Surge in Cyberattacks Across Australia
This breach comes amid a significant increase in cyberattacks across various Australian sectors. In April, thousands of AustralianSuper and Rest members were affected by “credential stuffing” attacks, where hackers used stolen login details from past breaches to access accounts, siphoning off $500,000 from just four accounts.
The Australian Signals Directorate responded to over 1100 cybersecurity incidents and 36,700 hotline calls in 2023–24, marking a 12% increase from the previous year.
Healthcare remains the most targeted industry, with 102 reported breaches in the latter half of last year. Financial institutions and manufacturers are also under siege, with attackers exploiting stolen credentials, ransomware, and legacy technologies to halt operations or access sensitive information.
Data as a Liability
Dr Hammond emphasized that large datasets of personal information should be “treated as liabilities, not assets.” He noted, “In Australia, as in many countries, the mass collection and retention of data is usually encouraged from a business point of view. Only the government has the abilities to bring in privacy-first rules which can motivate changes to this practice,” urging regulatory reform to force companies to treat personal data with the seriousness it deserves.
He warned that the accumulation of personal data is not only a risk in itself but a direct path to further harm. “There is the very real potential for downstream attacks whereby the stolen data is used for scams and other schemes; they might reach out to you pretending to be someone they are not,” he said.
Supply Chain Vulnerabilities and the Role of AI
The Qantas breach follows a rising number of incidents linked to third-party vendors. Experts say supply chain vulnerabilities now account for the majority of data breaches in Australia, and organizations must hold external providers to the same high cybersecurity standards as internal systems.
Stephen Kho, a cybersecurity expert at Avast, stressed the importance of preparation. “Businesses, no matter their size, need to accept that cyberattacks are no longer a matter of ‘if’, but ‘when’. That means shifting from a purely defensive mindset to one of preparation and resilience,” Mr Kho said.
While AI was not involved in the Qantas incident, cybersecurity professionals warn that artificial intelligence will enhance future threats. Scammers are now using AI to craft phishing messages, mimic voices, and create deepfakes to deceive victims. As technology advances, impersonation attacks and targeted scams are becoming harder to detect and more damaging.
Preventive Measures and Government Initiatives
Mr Kho advises using a password manager to generate strong, unique logins for every account, keeping devices and apps updated, and staying alert to anything suspicious. “A healthy dose of skepticism online is one of the best defenses you have,” he said. He also urges quick action if something seems off, such as receiving unexpected verification codes or strange messages, as these may indicate a compromised account.
The federal government has pledged up to $20 billion by 2033 to strengthen Australia’s cyber defenses and launched awareness campaigns like “Stop. Check. Protect.” to help Australians recognize and avoid online scams. However, Dr Hammond argues that meaningful progress requires more than public awareness — it demands a systemic overhaul. “It is fast becoming time for a proper regulatory overhaul to require that these companies treat our data with the concern that it deserves,” he said.
Until then, Australians are urged to take their own precautions, as the Qantas breach illustrates that even the largest and most trusted companies are not immune.