From possible legal outcomes, to what the government can do to fight data breaches, here’s what analysts and academics have to say about this week’s Qantas hack.
Dr Aashish Srivastava
Department of Business Law and Taxation, Monash Business School
Under the Privacy Act 1988, organisations such as Qantas have a legal obligation to take reasonable steps to protect personal information. If a data breach is likely to cause serious harm, they must notify both the affected individuals and the Office of the Information Commissioner. Which they seem to be doing in this case.
There is also a possibility of class action where consumers seek compensation for breaches of these obligations. This has happened before in the case of Optus in 2022, where 160,000 Optus customers have joined a class action seeking redress for the mishandling of their personal data. For Qantas customers, they must stay informed and monitor for any suspicious activity. They have the right to make a formal complaint to the Office of the Information Commissioner or explore legal options if harm results.
Professor Richard Buckland
UNSW Computing Science and Engineering
What can the government do? Here’s my two cents.
Introduce a mandatory minimum penalty of $x per record. Even just $50 would sharpen the mind wonderfully and maybe get more people asking why these attractive, huge CRMs exist where nothing is ever deleted.
All levels of government to stop collecting and aggregating citizen data themselves. Encourage the massive needed growth of the cyber security profession at all levels: TAFE, university and job reskilling. Uplift public cyber awareness literacy and skills – we all know about road rules and how to cross the road safely.
Have a well-funded national body to help people who have had credentials stolen/identities stolen/been scammed – rather than just logging the data. Require orgs to retain a physical presence for identity verification – not just moving everything to digital identity, which is great and convenient when it works, but when compromised it fails catastrophically.
Government and corporations need to consider and get signed off on cyber safety and privacy risks, not by the people doing it, but by some arms-length professionals. Major buildings need an independent engineering sign-off, and network security should be no different.
Honi Rosenwax
Cyber communications specialist and CEO of Arize Communications
The aviation industry has known a data breach of this scale was a matter of when, not if. We expect Qantas will have planned for this moment – but the real test is in the execution.
Currently, there are countless decisions being made behind the scenes. What matters most is that Qantas puts itself in its customers' shoes and puts them first. Clear, consistent updates about what happened and what's being done to fix it will be critical to maintaining real trust.
Miguel Fornés
Cyber security expert at Surfshark
When personal data such as email addresses, phone numbers, birth dates are breached, it has a dangerous impact on the whole of a person's digital life. Hackers can exploit this data through phishing, identity theft, and account takeover – not only on the platform that was hacked but also on any other service where this data is reused or linked. Even a single leaked email can be a gateway to more targeted attacks, especially if it is combined with other previously leaked data.
The risk is not only in terms of stolen access but also in terms of losing control of your digital identity.
Marijus Briedis
Chief technology officer at NordVPN
When cyber-criminals target third-party platforms that airlines rely on, it exposes the interconnected vulnerabilities in the digital ecosystem. Organisations must adapt and continuously learn from these attacks to strengthen their security posture.
What makes this breach particularly concerning is that it originated from a third-party customer servicing platform, not Qantas' core systems. It is a blind spot many organisations have. They focus on securing their own infrastructure while overlooking the security practices of their vendors and partners. Your security is only as strong as your weakest third-party link.
For the six million affected Qantas customers, good cyber hygiene is now more important than ever. I recommend that everyone immediately change passwords associated with their Qantas accounts and enable two-factor authentication wherever possible. Use a password manager to create unique, strong passwords for all your accounts. Most importantly, be cautious of phishing attempts. Cyber-criminals often follow data breaches with targeted scam campaigns using the stolen information.
The FBI sent warnings about global airline cyberattacks, which suggests we're seeing a coordinated attack on the aviation sector. Airlines hold all kinds of sensitive information and cyber-criminals are looking to take it. The industry needs to implement proactive, multi-layered security approaches that assume breaches will happen and focus on minimising their impact.
Rob Allen
Chief Product Officer at ThreatLocker
Personal information remains highly valuable to cybercriminals because it enables a wide range of malicious activities. One of the most common ways that the stolen information is used is in targeted phishing attacks.
When attackers have access to specific details about you – such as your name, address, birth date, or even recent travel history – they can craft convincing messages that appear legitimate, increasing the chances you'll click on a malicious link or share more sensitive data. Depending on how extensive the leaked information is, they may also be able to steal your identity and even open credit cards under your name.
While this specific attack did not include passwords or financial information, that is often stolen as well. These can be even more useful to attackers, allowing them to access other accounts if you reuse your password or use your credit card information elsewhere.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.