Back to News
Market Impact: 0.7

Qantas attack reveals one phone call is all it takes to crack cybersecurity’s weakest link: humans

RPD
Cybersecurity & Data PrivacyTechnology & InnovationRegulation & LegislationBanking & LiquidityManagement & Governance
Qantas attack reveals one phone call is all it takes to crack cybersecurity’s weakest link: humans

Qantas recently disclosed a data breach impacting up to 6 million customers, attributed to a social engineering attack on an offshore IT call center, underscoring the escalating vulnerability of third-party systems to sophisticated cyber threats. This incident follows a series of major breaches in Australia, including the superannuation sector, prompting the Australian Prudential Regulation Authority (APRA) to warn of increasing attack scope and frequency, particularly for finance and critical infrastructure. The reliance on human vulnerabilities and the potential for credential stuffing across breaches necessitate a proactive and robust cybersecurity posture, emphasizing multi-factor authentication and enhanced executive oversight to mitigate systemic risk.

Analysis

The data breach affecting up to 6 million Qantas customers, originating from a social engineering attack on a third-party IT provider, highlights a significant and escalating systemic risk within corporate Australia. This incident is not isolated, following recent major attacks on the nation's superannuation sector, and underscores the vulnerability of digital supply chains where human error can bypass millions in technical security investments. The attack vector, known as 'vishing', aligns with warnings about the 'Scattered Spider' group, indicating a sophisticated and global threat. The Australian Prudential Regulation Authority (APRA) has explicitly warned the financial sector that such attacks will likely increase in scope and frequency, citing a recent superannuation fund breach as a 'canary in the coalmine' and noting that some funds had failed to implement basic multi-factor authentication. This creates a cascading risk profile, as data from separate breaches can be collated for 'credential stuffing' attacks. Consequently, the onus is shifting towards proactive cybersecurity measures, robust third-party diligence, and board-level accountability, particularly for high-value sectors including finance, healthcare, and technology.