Security Leaders Discuss Qantas Breach

At the beginning of this month, Qantas confirmed a cyberattack on one of its customer centers. While the system has since been contained, customer data was still impacted.
The affected platform holds service records for 6 million customers. It is currently unknown how much data was stolen, although the statement anticipates that “it will be significant.”
Below, security leaders share their insights on this data breach.
Security Leaders Weigh In
Toby Lewis, Global Head of Threat Analysis at Darktrace:
Qantas’ cyber breach bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines, WestJet, and Marks & Spencer — likely through compromising a third-party SaaS platform like Salesforce or Zendesk.
The attack follows their typical playbook: steal legitimate login credentials to walk into systems where critical security protections often aren’t enabled by default, while operating from Western countries to appear as legitimate users and bypass standard security filters.
Expect the stolen customer data — names, emails, birthdates, frequent flyer numbers — to fuel convincing phishing campaigns targeting loyalty programs and tricking customers with fake payment requests using real booking details.
Mr. Kobi Nissan, Co-Founder & CEO at MineOS:
The Qantas incident highlights a growing blind spot in enterprise risk: third-party exposure. A company can invest heavily in its own internal security, but if its vendors fall short, customer data is still at risk.
This wasn’t just a technical failure, it reflects a breakdown in governance. Enterprises must have continuous visibility into who has access to their customer data, what platforms are being used, and how that access is secured. One-time assessments or signed policies are not enough. Businesses need living, ongoing intelligence about their third-party ecosystem.
This is also a critical moment for leadership. Trust is not something you announce, it is something you operationalize. Every vendor you bring into your environment becomes part of your brand promise. If you can’t verify how they manage data, you can’t promise your customers that it’s protected.
Chad Cragle, Chief Information Security Officer at Deepwatch:
The Qantas breach came through a third-party contact center platform. That’s what makes it so concerning. The attackers didn’t need to compromise Qantas’ systems; they found a weaker point in the supply chain and used it to access sensitive data, including names, emails, phone numbers, birthdates, and frequent flyer numbers, for potentially millions of customers.
This aligns with what we’ve seen from Scattered Spider: they rely on social engineering, MFA fatigue & SIM swapping, credential harvesting, and targeting service desks or outsourced support platforms. Their attacks focus on trust-based systems and human processes, rather than firewalls and servers.
The timing isn’t a coincidence. With July 4 travel in full swing, attackers recognize that data tied to loyalty programs or travel plans is valuable, providing them with leverage without requiring access to core infrastructure.
Here’s the key point: your security is only as strong as your weakest vendor. From a customer’s perspective, the safest approach is to assume compromise. Reset your passwords and PINs, monitor your accounts, and take action now.
Security isn’t about reacting to headlines; it’s about staying ahead of them.