In the ever-present landscape of cyber threats, it is not a matter of if a company will face an incident, but how it responds. The recent cyber incident impacting Qantas customer data has provided a notable example of responsible corporate communication, even as it serves as a critical reminder of persistent vulnerabilities in data security.
While any data breach is a cause for concern, Qantas’s swift, transparent, and proactive communication sets a benchmark. By immediately acknowledging the issue, offering a sincere apology from their CEO, and promptly informing all customers, Qantas has demonstrated a seriousness that many other companies have failed to show in similar crises. This approach, which avoided the common pitfalls of hiding or downplaying an incident, is a positive sign and a crucial step in maintaining customer trust.
What Happened?
Qantas has been open about the sequence of events. On a Monday, unusual activity was detected on a third-party platform utilised by one of the airline’s contact centres. The response was immediate: the system was contained to prevent further impact. Qantas has reassured customers that there is no impact on the airline’s operations or safety and that all core Qantas systems remain secure.
In a demonstration of their commitment to resolving this issue, the airline is working closely with the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. They are also collaborating with independent cybersecurity experts to manage the response.
The Compromised Data
The investigation has confirmed that the compromised data includes some customers’ names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
Crucially, Qantas has clarified what was not exposed. No credit card details, personal financial information, or passport details were held in the system that was accessed. Furthermore, no Frequent Flyer accounts, passwords, PINs, or login details were compromised.
The Problem with Using Your Birthday as a Password
The inclusion of dates of birth in the breached data highlights a significant and widespread security weakness. For years, organisations have relied on personal details like a birth date to verify a person’s identity. In an era where this information is readily available, this practice is dangerously outdated.
When your personal identifiable information (PII) is stolen, it provides criminals with the building blocks for impersonation. Armed with a name, email, and date of birth, an attacker can more convincingly impersonate you to other service providers, potentially gaining access to highly sensitive accounts like your banking or telecommunications services. This can lead to identity theft and significant financial loss. Relying on such easily obtainable information for security is a fundamental flaw.
Systemic Failures and Third-Party Risk
This incident also underscores the critical importance of managing third-party risk. Cybercriminals often target the weakest link in a supply chain, which can be an external vendor or partner. The responsibility lies with the primary organisation to ensure that any third-party platform handling its data meets the highest security standards, including regular audits, penetration testing, and robust access controls.
How You Can Protect Yourself
While Qantas is taking steps to support affected customers, it is prudent for everyone to practice good cyber hygiene.
- Use Unique and Complex Passwords: A password manager is an excellent tool for creating and storing strong, unique passwords for all your online accounts.
- Enable Multi-Factor Authentication (MFA): Always enable MFA where it is available. It provides a critical layer of security that can prevent unauthorised access even if your password is stolen.
- Be Wary of Phishing Attempts: Be suspicious of any unsolicited emails, texts, or calls asking for personal information. Cybercriminals will use the details from this breach to create highly convincing and targeted scams.
- Question Security Practices: Be mindful of the information you share and question companies that still rely on your date of birth as a primary form of identity verification.
Qantas has established a dedicated support line for assistance, which includes specialist identity protection advice.
How Vertex Cyber Security Can Help
Navigating cybersecurity challenges is complex for any organisation. At Vertex Cyber Security, we provide expert guidance and a comprehensive suite of services designed to strengthen your security posture. From penetration testing and security audits to cyber security training and incident response, our team can help you identify vulnerabilities and implement effective, forward-thinking security strategies.
A proactive approach to cybersecurity is the best defence. By identifying and addressing weaknesses before they are exploited, we can help protect your business, your customers, and your reputation.
If you are concerned about your organisation’s cybersecurity or wish to learn more about protecting your business from the ever-evolving threat landscape, we encourage you to contact us.
