The Qantas data breach: Lessons in third-party risk

1. The Qantas data breach: What went wrong?

In late June 2025, Qantas Airways suffered a major cybersecurity breach. The breach originated from a third-party customer service platform operated by a call centre in the Philippines. As a result, hackers obtained the data of approximately 5.7 million customers. This data included:

• ~4 million records with names and email addresses.
• 2.8 million frequent flyer numbers, including tier status and points balances.
• >1 million birthdates, phone numbers, addresses, gender, and meal preferences.

Notably, all financial information, passport details, and login credentials remained secure. Investigators traced the breach to a 'vishing' attack targeting the Manila call centre. Vishing (voice phishing) is a form of social engineering involving phone calls. 

2. Root causes: Third-party risk, privacy oversight and control failures

Third-party risk management failures

This breach highlights the risks associated with using third-party vendors.

Key issues may have included:

• Insufficient vetting and monitoring of third-party security practices.
• Lack of robust contractual safeguards and defined responsibilities.
• Inadequate understanding of data storage locations and access controls.

Australian Privacy Principles (APPs) non-compliance

Under the Australian Privacy Act 1988, organisations must take reasonable steps to protect personal information from misuse, interference and loss. The fact that the breach occurred suggests potential non-compliance with:

• APP 1: Failure to implement practices, procedures and systems to ensure compliance with the APPs.
• APP 11: Inadequate security safeguards to protect personal information.

It is not enough for organisations to comply with the APPs themselves. They must also ensure that any third-party vendors are compliant.

Cyber security control failures

The breach exploited weaknesses in the third-party platform, indicating deficiencies in:

• Access controls and authentication mechanisms.
• Employee training to prevent social engineering attacks.
• Monitoring and detection of unusual activities.

These control failures enabled unauthorised access to sensitive customer data.

3. Prevention strategies: Strengthening third-party risk management and cyber security controls

Third-party risk management

An appropriate third-party risk management framework should include:

• Rigorous due diligence when selecting a vendor.
• Regular audits and assessments of third-party security practices.
• Clear contractual obligations concerning data protection and compliance.

These measures can help ensure that vendors uphold your security standards. This will mitigate some of the risks associated with outsourcing.

Ensuring compliance with the Australian Privacy Principles

To align with the APPs, you must:

• Implement robust data governance policies.
• Include compliance with the APPs in contracts with third-party vendors.
• Conduct regular training and awareness programs for employees and vendors.

Addressing offshoring risks

When offshoring data processing activities, you should:

• Assess the legal and regulatory environment of the offshore location.
• Implement data localisation strategies where feasible.
• Ensure that offshore vendors have equivalent security measures in place.

Taking these steps will help you maintain control over your data. This is important to mitigate risks associated with cross-border data transfers.

Implementing NIST cyber security framework (CSF) controls

Adopting the NIST CSF can enhance your cyber security posture through:

• Govern: Establish cyber security strategy, roles, responsibilities, and oversight
• Identify: Asset management and risk assessment
• Protect: Access control and data security
• Detect: Anomalies and continuous monitoring
• Respond: Incident response planning
• Recover: Recovery planning and improvements

Integrating these functions ensures a proactive and resilient approach to cyber security.

Proactive measures for organisational resilience

The Qantas data breach is a warning to all organisations. Do not neglect third-party risk management or cyber security controls.

Be proactive. Assess and enhance your data protection strategies. Make sure you are compliant with your legal obligations. Take the right steps to safeguard customer trust.

Next steps:

1. Review your third-party vendor agreements and security practices.
2. Establish regular training programs to raise awareness of social engineering threats.
3. Adopt and integrate the NIST CSF into your cyber security framework.
4. Comply with the Australian Privacy Principles in all operations.
5. Develop and test incident response plans to prepare for potential breaches.

By taking these steps, you will strengthen your cyber security resilience. This will help protect you from similar incidents in the future. 
 

FOR MORE INFORMATION

If you would like to learn more about the topics discussed in this article, please contact your local RSM office.