On 2 July, Qantas reported a data breach that potentially exposed up to 6 million customer records. The organisation detected malicious activity on an external system used by one of its contact centres. Qantas reports that it has contained the malicious actors' presence on that system. Importantly, response efforts for this incident are ongoing, and Qantas continues to provide timely updates as it discovers further information.
The recent events at Qantas are a reminder that no organisation is immune to a breach, which is why risk management must always be front and centre.
To the Qantas security and IR teams, we commend you for your quick, transparent handling of the situation, as it’s never easy being in the spotlight during times like these.
In our latest blog, we explore what we know, how the incident is being handled, and the proactive steps organisations can take to reduce the impact when (not if) something goes wrong.
On 9 July, Qantas confirmed that the breach affected 5.7 million customer records. For roughly 4 million of those records, the exposed data was limited to names, email addresses and loyalty program identifiers.
The remaining 1.7 million customer records reportedly contained more sensitive customer information, ranging from addresses (residential and business), dates of birth and contact numbers to gender and meal preferences.
Qantas continues to state that the breach did not expose sensitive financial information such as credit card details, nor any passport details. It should be noted that Qantas' post-incident communications to date are aligned with better-practice standards.
Qantas reported that the breach originated in an attack on one of its call centres. The threat actor gained access to a third-party Software as a Service (SaaS) platform storing sensitive customer data. Qantas is yet to identify the specific attack vector used by the malicious actor; however, reports suggest that a phishing attack on a call centre operator allowed the actors to obtain unauthorised access to Qantas' Salesforce tenancy. The duration and extent of the attackers' presence within Qantas systems is yet to be confirmed.
Because the incident is active and ongoing, its full scale and ramifications are not yet known. To date, Qantas has confirmed that the incident resulted in the exfiltration of sensitive customer data. In its efforts to mitigate the impact, Qantas has demonstrated a strong incident response, with activities involving:
A data breach of this extent can cripple an organisation through its regulatory, financial and reputational consequences. A strong incident response framework is therefore crucial to navigating these rough waters, enabling the containment and mitigation of any negative outcomes of a cyber-attack affecting the confidentiality, integrity and availability of information.
In 2024 the Office of the Australian Information Commissioner received a total of 1,113 data breach notifications, a 25% increase on 2023. Given these statistics, such events are unfortunately not uncommon, underscoring the need to integrate security into the design and operation of businesses.
Risk-Based Approach
Security starts by identifying what matters most to your business and implementing measures that protect assets according to their importance. The goal is never the elimination of risk in its entirety, but rather its mitigation in proportion to the importance of the asset to the organisation. That priority is determined through a Business Impact Analysis (BIA) and aligned with the company's risk appetite. By weighing the opportunity cost of security controls, businesses can make better-informed decisions. A risk-based approach ensures assets are protected commensurately with the risk they carry, minimising obstacles to efficiency and maximising cost-effectiveness.
Zero Trust Architecture
Once your crown jewels have been identified, a layered security approach should be implemented. Organisations should start by designing systems with strong verification controls, built on the principle of least privilege and an assume-breach mentality: assume a breach could happen at any time. This means limiting cross-functional access and using segmentation to minimise potential damage, including for third-party suppliers and services. When granting user access, organisations should enforce least privilege, and once access is granted they should continuously verify what users can do through ongoing authentication and authorisation checks rather than trusting a single login.
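To make the "continuously verify" point concrete, the following is an added example (not code from the original post, and not Qantas' or Salesforce's implementation) of a deny-by-default authorisation check that is evaluated on every request rather than once at login. The role table, the 30-minute MFA freshness window, the session lifetime and the rule that third-party identities can never perform bulk exports are all assumptions chosen for illustration; the session data is constructed inline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Least-privilege policy (assumed for illustration): each role may perform
# only the listed actions on the listed resource class. Anything not listed
# is denied, which is the deny-by-default half of zero trust.
POLICY = {
    "contact_centre_agent": {"customer_profile": {"read"}},
    "loyalty_ops":          {"customer_profile": {"read", "update"}},
    "data_platform":        {"customer_profile": {"read", "export"}},
}

# Segmentation rule (assumed): high-impact actions are never delegated to
# third-party (contractor) identities, whatever their role says.
THIRD_PARTY_DENIED_ACTIONS = {"export"}

MFA_MAX_AGE = timedelta(minutes=30)   # assumed re-verification window
SESSION_MAX_AGE = timedelta(hours=8)  # assumed session lifetime


@dataclass(frozen=True)
class Session:
    principal: str
    roles: frozenset
    third_party: bool
    issued_at: datetime
    last_mfa_at: datetime
    device_compliant: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def authorise(session: Session, resource: str, action: str, now: datetime) -> Decision:
    """Evaluate one request. Every call re-checks the session, so a phished
    or replayed session that was valid an hour ago still has to pass now."""
    reasons = []

    # 1. Continuous verification: session age, MFA recency, device posture.
    if now - session.issued_at > SESSION_MAX_AGE:
        reasons.append("session expired")
    if now - session.last_mfa_at > MFA_MAX_AGE:
        reasons.append("mfa stale; re-authentication required")
    if not session.device_compliant:
        reasons.append("device not compliant")

    # 2. Least privilege: at least one held role must grant this action.
    if not any(action in POLICY.get(r, {}).get(resource, set()) for r in session.roles):
        reasons.append(f"no role grants {action} on {resource}")

    # 3. Third-party segmentation: contractors never get the export path.
    if session.third_party and action in THIRD_PARTY_DENIED_ACTIONS:
        reasons.append("third-party identities may not export")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed scenarios; timestamps are fixed so the results are repeatable.
NOW = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)


def agent_session(**overrides) -> Session:
    """A contracted contact-centre agent with a fresh, compliant session."""
    base = dict(
        principal="agent01",
        roles=frozenset({"contact_centre_agent"}),
        third_party=True,
        issued_at=NOW - timedelta(hours=1),
        last_mfa_at=NOW - timedelta(minutes=5),
        device_compliant=True,
    )
    base.update(overrides)
    return Session(**base)


def demo() -> dict:
    return {
        # Ordinary single-record lookup by an agent: permitted.
        "agent_read": authorise(agent_session(), "customer_profile", "read", NOW),
        # Same agent attempting a bulk export: denied twice over.
        "agent_export": authorise(agent_session(), "customer_profile", "export", NOW),
        # Correct role, but the MFA proof is hours old (session replay).
        "stale_mfa": authorise(
            agent_session(last_mfa_at=NOW - timedelta(hours=3)),
            "customer_profile", "read", NOW),
        # Internal data-platform identity with a fresh session may export.
        "internal_export": authorise(
            agent_session(principal="etl", roles=frozenset({"data_platform"}),
                          third_party=False),
            "customer_profile", "export", NOW),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

The design point is that the decision collects every failing condition rather than short-circuiting on the first, so an audit log of a denied request shows the full picture (for instance, both that the role never permitted export and that the caller was a third-party identity), which is what an incident responder wants to see when reconstructing what an attacker tried.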
Third Party Management Frameworks
Implementing a robust security system internally does not automatically guarantee security across the organisation. In today's interconnected world, organisations rely heavily on service providers, who in turn rely on their own suppliers, making it vital to ensure that their security measures align with your own. A third-party management framework that assesses the security posture of service providers before, during and even after their engagement is crucial to building a secure information management system.
Fostering a Culture of Cyber Awareness
Employees are often the primary targets of malicious actors, which also makes them the first line of defence for any business. Because staff are provisioned access to sensitive data, they hold a level of trust that must be protected. To defend against increasingly sophisticated attacks such as phishing and social engineering, employees need the knowledge and skills to recognise and respond to these threats. Training employees in practices such as phishing awareness should therefore be a key priority for any organisation.
Strong Incident Response Frameworks
Even the best security systems in the world are susceptible to vulnerabilities and exploitation. Strong incident response processes are therefore key to containing and mitigating incidents, as Qantas demonstrated during its most recent breach. It is clear, however, that having a plan on paper is not enough. Plans need to be tested regularly, and incident response teams should be trained frequently so they can execute them effectively when an attack occurs. Practice makes perfect: you do not want to be trialling critical response activities for the first time during a live incident. There will likely be creases to iron out, and effective testing of your response plans is how you find them, including establishing clear triggers for when to invoke Business Continuity and Disaster Recovery plans during an incident.
Official Communications/Statements made by Qantas:
Opinions from Affected Persons:
Updates about the incident: