Qantas data breach highlights need for strong risk management
Qantas's approach to data management has garnered praise from cybersecurity experts following a recent data breach, highlighting both the strengths and ongoing challenges of securing sensitive information in the digital age. The airline was targeted in an attack believed to have originated via a third-party provider, but crucially, there is no evidence that personal financial or passport details were compromised.
Paul Henaghan, Managing Director for Cohesity in Australia and New Zealand, commended Qantas's strategies for mitigating the impact of the attack. "What Qantas has done well in this instance is to store data in separate systems, as opposed to having all data in one system that is managed by a third-party platform. This ensures that a single breach does not compromise all of Qantas' data and operations, and in this case has kept information like credit card, personal financial data, and passport details out of reach," he explained.
Henaghan noted that organisations with large stores of customer data, like those in the aviation industry, have become increasingly attractive targets for cybercriminals. "The attack on Qantas is a reminder that all organisations, including their third-party partners, need to stay vigilant. While the financial and insurance sector has taken much of the heat in recent times, cybercriminals will take any chance they can to exploit organisations with large amounts of data. We expect these attacks to increase as cybercriminals increasingly leverage AI to gain more data, experience, expertise, and even financial and geopolitical backing."
The attempted breach highlights the importance of robust risk management that extends beyond securing technological infrastructure. Rachael Greaves, from Castlepoint Systems, said that the inevitability of data breaches means organisations must take a proactive stance on data minimisation. "It should be clear at this point that if you have data, the bad guys can get it. It's just a matter of time. Every Executive has had risk management training, and know that the first and best treatment of risk is avoidance. Trying to mitigate the harm afterwards is bad business, and trying to reduce the likelihood to zero is a fool's errand," she said. Greaves also emphasised that responsibility cannot be outsourced, adding, "Even though this was via a third party, Qantas is responsible."
One of the crucial strategies recommended by Greaves is the implementation and enforcement of strict data retention policies. She noted, "There is a reason that having and applying a retention policy is the number one factor in pricing cyber insurance premiums. You can't guarantee the security of data you have to keep, but you can (and you must) remove obsolete data from circulation. Records management is the better part of security management, and needs to be applied automatically, accurately across every single data store."
The incident at Qantas serves as a stark warning that reliance on third-party platforms and service providers does not absolve companies of their responsibilities. As data threats become more complex and criminal groups turn to advanced tools such as artificial intelligence, the industry is reminded that baseline security measures—such as data segmentation, adhering to current retention policies, and minimising the retention of unnecessary data—remain critical pillars of risk management.
Both Henaghan and Greaves agree that ongoing vigilance, robust internal policies, and a culture of responsibility across the data supply chain are essential. For airlines and other organisations entrusted with sensitive personal data, the Qantas incident is both a validation of layered defensive strategies and a call to further tighten controls in anticipation of ever-evolving threats.