SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Qantas data breach exposes 5.7 million in third-party cyberattack

Fri, 11th Jul 2025

Qantas, the flag carrier airline of Australia, has confirmed a sweeping cyberattack that compromised the personal information of 5.7 million customers, raising urgent questions about cybersecurity across both the aviation sector and its vast network of third-party suppliers. The incident, which targeted a third-party call centre platform, is the latest in a string of high-profile breaches affecting international airlines and highlights a shifting approach among cybercriminal groups.

The breach, disclosed after an incident at the end of June, resulted in the theft of a broad array of customer information. Among the data compromised were names, email addresses, frequent flyer details, and, in certain cases, home addresses, birthdates, phone numbers, gender, and meal preferences. The incident has placed renewed scrutiny on third-party risk management, as the attack did not directly breach Qantas' internal defences, but rather exploited vulnerabilities within an external service provider.

This attack follows warnings from the Federal Bureau of Investigation concerning the activities of hacker groups such as Scattered Spider, which has recently shifted its focus to the global airline industry. Praneil Kumar, Coalition's Incident Response Lead for Australia, observed distinct similarities between the tactics used in the Qantas breach and those employed by Scattered Spider in earlier incidents. "Scattered Spider, a cybercriminal group known for its multifaceted and highly coordinated attack tactics, has recently pivoted its focus to the airline industry," Kumar noted. He detailed how the group operates: "Scattered Spider is known to target large organisations and their IT help desks, using various tactics including social engineering, credential theft, double extortion, and supply chain extortion. Essentially, any business that relies on help desks, third-party vendors, or remote access systems is at risk."

Andrew Obadiaru, Chief Information Security Officer at Cobalt, said the Qantas incident "reveals a systemic issue: security validation rarely extends to the third-party platforms that store massive volumes of customer data." Obadiaru highlighted the critical need for organisations to move beyond simple trust-based vendor relationships, advocating for ongoing offensive security testing throughout the entire service ecosystem. "Red-teaming and continuous pentesting are essential tools to uncover these weak points before adversaries do," he said, urging the adoption of comprehensive third-party risk management to ensure all vendors adhere to robust security standards.

The tactic observed in the Qantas breach is known as 'island hopping' - an approach where hackers infiltrate a business by first compromising a more weakly defended link in its supply chain. Tim Eades, CEO and co-founder at Anetac, described the Qantas incident as a "textbook case of island hopping" and warned that as organisations enhance their own security, attackers are increasingly targeting third-party platforms with less stringent controls. "Once inside, they exploit identity vulnerabilities - compromised credentials, excessive privileges, or poorly monitored access - to move laterally into the core environment," he explained.

Eades also pointed out that the growing adoption of artificial intelligence is accelerating the sophistication and scale of such threats. AI technologies can generate convincing phishing campaigns and automate the exploitation of identity weaknesses, rapidly increasing the impact of cyberattacks. Bringing attention to a recent breach at McDonald's involving an AI-powered chatbot, Eades cautioned that the rapid deployment of AI tools without proper controls is expanding the attack surface for businesses globally. He stressed, "This identity security challenge touches every industry worldwide. Enterprises must respond with equal intelligence: applying continuous identity verification, enforcing least-privilege access, and extending Zero Trust to their partner ecosystems."

Smaller businesses face particular danger, Coalition's Kumar added. While large-scale breaches at companies like Qantas capture headlines, smaller enterprises, with fewer resources and less comprehensive cybersecurity infrastructure, are even more vulnerable. Coalition's research indicates that although large corporations might be better equipped to recover from such attacks, smaller firms often lack the means to respond effectively, making cyber risk a critical threat to business continuity.

Experts have responded by outlining a series of practical recommendations for enterprises of all sizes. Kumar advocated for the strengthening of multi-factor authentication protocols, the bolstering of help desk and call centre security, rigorous review and monitoring of third-party access, and the investment in round-the-clock threat detection and incident response capabilities. The consensus from cybersecurity professionals is clear: businesses cannot afford to rely solely on internal defences, and must proactively manage risks across their entire network of suppliers, contractors, and digital partners.
