
Qantas data breach shows compliance doesn’t always mean protection and resilience | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting



Cybersecurity requires more than legal compliance; it demands constant vigilance and adaptation. A cyberattack on a third-party platform used by a Qantas customer contact centre in Manila, discovered on 30 June, made this clear.

Six million customers, not just Australians, have had names, email addresses, phone numbers, birth dates and frequent-flyer numbers stolen. Cybercriminals may weaponise this data in the days, weeks and months ahead.

After major breaches at Optus and Medibank in 2022, then minister of home affairs, Clare O’Neil, introduced a suite of new cyber legislation. The Enhanced Response and Prevention Act 2024, which amended the Security of Critical Infrastructure Act 2018 (SOCI), expanded physical and cybersecurity obligations for owners and operators of critical infrastructure. Today, SOCI applies to 11 sectors, including aviation.

The Security Legislation Amendment (Critical Infrastructure) Act 2021 introduced Systems of National Significance (SoNS), a subset of critical infrastructure, whose operators can be directed by the minister of home affairs to comply with enhanced cybersecurity obligations. Over 200 SoNS have since been declared, including in the transport sector, though their identities remain classified.

Additionally, the Cyber Security Act 2024 introduced mandatory reporting of ransomware and cyber extortion. It allows Australia’s National Cyber Security Coordinator to work with affected entities under a Limited Use obligation, which means information collected in support of the response to the incident cannot be used for law enforcement action.

Amendments to the Privacy Act 1988 in 2017 introduced the Notifiable Data Breaches scheme, which requires Australian businesses with a turnover of more than A$3 million to notify the Australian Information Commissioner (OAIC) and affected individuals ‘as soon as practical’. Overall, the Australian Government has built a relatively robust and comprehensive cybersecurity and data protection regime.

Yet this hack still occurred.

Not all details of the Qantas incident are yet known. What we know so far is that the incident was reported within three days of discovery to the Australian Federal Police, the Australian Cyber Security Centre and the OAIC. Qantas assured the public there had been ‘no impact to Qantas’ operations or the safety of our airline’. No ransom demand has yet been reported. A 2017 OAIC assessment of Qantas Frequent Flyers’ management of personal information did not find significant shortcomings, though it did recommend that Qantas ‘formalise its current cyber security governance material to incorporate privacy’.

This means the Qantas data breach raises broader questions about our collective attitude towards cybersecurity.

Ultimately, the harmful effects of the breach depend on the perpetrator. Cyber incidents and data breaches don’t just happen; they need an intent and someone’s purposeful malicious activity. And we know cyberattacks today are highly organised, coordinated operations that are becoming increasingly sophisticated—particularly enabled by technology such as AI and, in some instances, state sponsorship.

It’s this persistent evolution that requires us to shift from a culture of compliance to one of permanent adaptation and best practice.

While Qantas is subject to obligations under SOCI, it’s not necessarily evident that every IT system or data repository operated by Qantas is considered ‘critical infrastructure’. The frequent-flyer database may or may not be treated as a critical system, depending on whether it is integral to the continuity of essential aviation services.

So, we now need to consider whether this distinction is still appropriate. Should data holdings be held to similar standards as core networks? Even when personal data holdings are technically non-consequential for the safe and secure operations of the critical service itself, they do serve the commercial operation of the business.

On 28 June, Google and the US Federal Bureau of Investigation issued an alert warning of a hacker group named Scattered Spider targeting the aviation sector through attempted compromises of third-party service providers. This was intended as a warning to airlines across the world. The question now is: what actions did Qantas take with regard to third-party providers based outside of Australia, based on this advice?

Qantas relies on offshore third-party platforms. This is common across aviation and in fact common for many medium and large Australian businesses. Critical IT functions (including reservation management, passenger communications and crew rostering) migrated some time ago to hyperscale cloud platforms run from data centres overseas.

Building in-house systems or Australian-only platforms, as some have suggested, would be prohibitively expensive and not always available.

So, the challenge is not to onshore every function in the name of resilience but to instead build assurance. The reality is cybersecurity maturity in a country such as the Philippines—where the third-party platform was operating in this instance—is much weaker. This includes the ability to detect, protect and respond to sophisticated threat actors. The Australian government is supporting uplift across the Indo-Pacific in this regard. But uplift is not an overnight phenomenon.

While cost and convenience are important factors in selecting third-party suppliers, this latest hack highlights that critical infrastructure entities must be more vigilant than others in ensuring their overall ecosystem—including, but not limited to, essential operations—meets best practices, regardless of location. Anything less leaves them, and us, exposed.
