Experts give Qantas mixed reviews on cyber breach response
The recent cyber attack affecting nearly six million Qantas customers has cast a spotlight not only on the airline's digital defences, but also on its crisis communication strategies and obligations under evolving privacy laws.
With personal records at risk, scrutiny is intensifying over how Australia's flagship carrier has managed both the incident and its relationship with a concerned public.
Digital security experts and communications specialists are offering mixed reviews of Qantas's response.
Phoebe Netto, founder of Pure Public Relations, observed that the airline made a fundamental misstep by failing to provide sufficiently detailed updates in the immediate wake of the breach. "While they've attempted to address customer concerns through a dedicated webpage, several critical questions remain unanswered: How often will updates be provided? What specific actions should customers take? What are the security implications? How secure are other systems?" Netto said.
Netto warned that this lack of detailed, forward-looking communication can sow confusion and spur unnecessary media speculation. "This information vacuum has left room for unnecessary speculation and media coverage that only results in more chaos and confusion. This is why organisations facing significant unknowns should always err on the side of providing more information, not less," she added.
Netto urged Qantas to address questions directly and provide a clear timetable for updates. "Qantas must now focus on projecting confidence, rather than leaving room for further concern. To do this, they must immediately answer as many questions as possible and clearly communicate when customers can expect updates on unanswered concerns."
In contrast, Dr Neryl East, a communication and credibility expert, suggested Qantas may have taken positive steps when compared to the handling of previous major Australian data breaches.
"Qantas appears to have learned some lessons from past crises, taking the initiative in communicating about a cyber-attack that's impacted six million customers," East stated. Dr East highlighted how Qantas proactively contacted both customers and the media, openly acknowledging the scale and impact of the breach, and outlining next steps. This, she said, marked a departure from the much-criticised communications after the Optus incident in 2022.
"Unlike Optus and its infamous mishandling of a 2022 data breach, Qantas communicated early, acknowledged the impact and outlined next steps. It's a solid start from the national carrier; time will tell if its approach earns reputation brownie points from a wary public," she said.
Adding to the chorus of expert analysis, Teresa Sperti, Founder and Director at Arktic Fox, said the breach underscores broader weaknesses in how Australian brands are approaching privacy readiness and strategic response.
"For brands, a cyber attack is not simply a case of 'if', but 'when'. Cyber attacks and privacy management go hand in hand. A cyber attack can reveal how well or not a brand is managing privacy, which we saw in a string of very high-profile cases. These attacks expose whether brands have a clear data retention policy or if the organisation is only collecting what is required and much more," Sperti said.
Sperti warned that breaches have long-lasting consequences for consumer trust. "Cyber attacks and privacy breaches have a long tail effect on brand trust and perception and it can take a long time for brands to recover.
"What is critical in these situations is how brands respond – brands need to rapidly identify what occurred, communicate transparently and consider how to effectively compensate customers for any loss or harm caused in a way that doesn't inconvenience the customer," she said.
The regulatory context is also far less forgiving than it was a few years ago.
Lyn Nicholson, General Counsel at Holding Redlich, pointed out that the Qantas breach should remind all Australian organisations about their strict legal obligations regarding personal data. "The Qantas breach is a timely reminder of the recently amended Australian Privacy Principle 11, which is the obligation to keep personal information secure. It now includes an obligation for organisations to have in place both technical and organisational measures as part of their reasonable steps to keep information secure," Nicholson said.
Nicholson stressed that robust measures such as multifactor authentication, encryption, access controls, and effective account deactivation are now expected as standard practice. "While hackers will not always be thwarted, the need to have adequate security should be top of mind. The Medibank breach in 2022 is still making its way through the federal court where the regulator alleges it failed to take adequate steps to keep information secure."
The amendments to the Privacy Act also bring higher penalties for organisations found wanting in either their technical or their organisational protections.
The Qantas incident is a stress test of the cybersecurity standards, regulatory awareness and communications strategies of major Australian organisations.
The commentators' expectation is unequivocal: only transparent, comprehensive and frequent communication will begin to re-earn public trust, and only rigorous technical and organisational security will satisfy customers and regulators alike in an increasingly unforgiving cyber landscape.