Qantas data breach: New breach, same lesson

07/07/2025

Last week news broke of yet another data breach that has affected millions of Australians. This time, it was customers of the airline Qantas.

On Monday, 30 June 2025, Qantas detected unusual activity on one of its third-party platforms. The cyber criminals targeted a Qantas offshore call centre in the Philippines to gain access to a service platform which contained customer data. Approximately 6 million Qantas customers were affected by the breach. Compromised information included names, email addresses, phone numbers, dates of birth and frequent flyer numbers.

The human element

While the Qantas data breach is new, the method used (social engineering) and the vulnerability it exposed are not.

The Office of the Australian Information Commissioner (OAIC) defines social engineering as an attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.

According to the latest OAIC Notifiable Data Breaches Report (July – December 2024), social engineering accounted for 19.3% of the total data breaches notified to OAIC during the reporting period, and 28.5% of the notified malicious or criminal attacks. Further to this, human error remains the second leading cause of data breaches reported to the OAIC.

Third party vulnerability

Another notable feature of the Qantas breach is that it occurred via a third party – to be precise, via a third-party platform used by an offshore Qantas contact centre. While outsourcing the handling of customer information to third parties may be cheaper and easier, it also introduces additional vulnerabilities which need to be proactively managed.

What can you do to prevent a data breach?

The lesson arising from the Qantas data breach is one learned from countless other data breaches: protect and empower your people. So far as possible, control the human element.

It is essential for organisations and agencies to adequately train staff and contractors to detect and report social engineering attempts. If your employees and contractors handle large volumes of personal information or sensitive information (including, for example, health information), training should be more robust and frequent.

Your best protection in a data breach event, including a social engineering attack, is to have a workforce empowered with the right knowledge and tools to make the right decisions and deny cyber criminals access to the information they are seeking.

To do this, we recommend organisations and agencies: 

  • develop detailed policies and procedures on things like transferring money, sharing account login details, and accessing large files or systems. Policies and procedures should also cover how staff and contractors can report suspicious communications and requests; 
  • implement training videos, quizzes, presentations; 
  • schedule simulated attack events so that employees and contractors can practice responding to a social engineering or phishing attack; 
  • for situations where contractors and third parties will be working from and accessing information and systems, ensure service contracts include:
      • privacy and data breach training requirements; and
      • clear responsibilities, timelines and procedures for data breaches, so that when the unthinkable happens you can know about it immediately and act to minimise impact.

GL offers a range of privacy training services, and we are experts in privacy governance. For information on how we can help empower your workforce to respond effectively to data breach events, please contact enquiries@griffinlegal.com.au.
