A leading cybersecurity expert has identified the Qantas Airways data breach as a prime example of escalating supply chain security risks, warning that third-party vendor vulnerabilities represent "one of the massive and the most critical risks" facing modern organizations.
Professor Dali Kaafar, Executive Director of the Cybersecurity Hub at Macquarie University School of Computing, told ABC News Tuesday that the breach affecting six million Qantas customers demonstrates how cyber criminals increasingly target external service providers rather than primary corporate systems.
"I think that's crucial information to know, that essentially a cloud provider potentially or third party vendor was breached," Kaafar said, analyzing the Monday attack that compromised a contact center platform used by Australia's flag carrier.
The professor's assessment comes as cybersecurity professionals warn that supply chain attacks have become a preferred method for sophisticated criminal groups seeking to access large volumes of customer data while potentially avoiding more robust security measures deployed by major corporations.
Supply Chain Security Emerges as Critical Vulnerability
Kaafar emphasized that the Qantas incident reflects a broader shift in cyber criminal tactics toward exploiting third-party relationships that many organizations have failed to adequately secure.
"I think supply chain security is one of the massive and the most critical risks that I think we have to account for in today's operations, really on the front of digital platforms. This is pretty much a day-to-day operation from a security hygiene perspective," he said during the televised interview.
The cybersecurity expert stressed that organizations must apply the same rigorous security standards to external vendors that they implement for their own systems.
"Understanding that there is really this need to be very, very rigorous about the cyber implications, not only on the primary organizations, but the ones that essentially are providing third party services," Kaafar said. "So yeah, it's pretty much really a third party risk management that has to have happened, and there in the supply chain is a growing attack factor for sure."
Expert Assessment: Major Incident with Serious Implications
Despite Qantas' assurance that no financial information or account credentials were compromised, Kaafar characterized the breach as a "major cyber incident" with significant potential consequences for affected customers.
"They also confirmed that the operations and the airline safety remain unaffected and that that platform held some service records for approximately 6 million of their customers, as you mentioned, and that's a significant proportion of the data that's been expected at least to have been breached or stolen," the professor said. "So that's a major cyber incident indeed."
Kaafar warned that the stolen personal information - including names, email addresses, phone numbers, birth dates and frequent flyer numbers - could enable sophisticated identity theft and social engineering attacks.
"I think this type of personal information can be exploited in many different ways. Phishing attacks, identity theft or even social engineering efforts here is really at risk and at play," he said. "It allows malicious actors to build more complete profiles of individuals, making them more susceptible to other forms of cyber crime down the line."
Data Sensitivity Beyond Surface Appearance
The professor challenged assumptions that basic personal information poses minimal risk, arguing that details like birth dates and loyalty program numbers carry significant value for criminal exploitation.
"We may just refer to email addresses and phone numbers, things that are, you know, at the surface of the data itself become a little bit more like public knowledge, but it's actually not true. Birth dates and frequent flyer numbers are still very, very significant," Kaafar said.
His analysis positions the breach among Australia's most serious corporate data incidents in terms of both volume and potential impact.
"I think the sheer amount of data that's been breached definitely makes it one of the largest and comparable to the ones we've had a couple of years ago," he said, referencing previous major breaches at Optus and Medibank that affected millions of Australians.
Complex Attribution Challenges
Regarding potential connections to the FBI's recent warnings about the "Scattered Spider" criminal group targeting U.S. airlines, Kaafar noted that determining attack attribution requires extensive investigation and should not be rushed.
"I think it is too early. It's an early stage. You know, investigation and like the tracing and the attribution of the cyber incident, the cyber breach can take somewhere between a couple of days to months, even if this is really proven to be more of a sophisticated attack," he said.
However, the professor acknowledged concerning parallels between the Qantas attack and recent threats identified by law enforcement agencies.
"It's certainly an interesting coincidence, if you like, you know, understanding that there's been really threats and warnings from FBI and other organizations that essentially are really referring to the targeting of call centers and targeting of cloud platforms, leveraging social engineering tactics," Kaafar said.
Human Factor in Cyber Attacks
The professor's analysis suggests the Qantas breach involved human manipulation rather than purely technical system vulnerabilities, reflecting a sophisticated approach by the attackers.
"So this is potentially not just a technical vulnerability, it's potentially also involving people," Kaafar explained, highlighting how cyber criminals increasingly combine technical skills with psychological manipulation to breach security systems.
This assessment aligns with broader industry observations about the evolution of cyber threats toward multi-vector attacks that exploit both technological weaknesses and human factors.
Immediate Customer Protection Recommendations
Drawing on his expertise, Kaafar provided specific guidance for Qantas customers seeking to protect themselves from potential fraud following the breach.
"So very first thing I think everyone should be doing right now, if you're a customer of Qantas, is to go and change your PIN number. That's a very, very immediate thing to do," he advised.
The professor also recommended implementing enhanced security measures across customer accounts to prevent further exploitation of stolen data.
"Things like making sure that there is a multi-factor authentication to the Qantas mobile app, for instance, making sure that these cyber criminals are not further exploiting the data that they've gained access to, to access further services within the customers," Kaafar said.
Industry-Wide Risk Management Imperative
Kaafar's assessment positions the Qantas incident within a broader context of escalating cyber threats targeting critical infrastructure and consumer services across Australia and internationally.
The professor emphasized that effective response requires comprehensive communication between organizations and affected customers during investigation and remediation processes.
"The rest, I think, is really up to a very good conversation, transparent conversation with Qantas representatives to understand how they're really going with the forensics investigation and the remediation of that," he said.
Academic Perspective on Corporate Responsibility
From his position at Macquarie University, Kaafar stressed the importance of immediate emergency response protocols when major data breaches occur.
"There is really good practice that needs to be implemented right now in an emergency type of situation like this, which is making sure that no further access to other services is allowed by the loss of such sensitive data," he said.
The professor highlighted customer communication as a critical element of effective breach response.
"I think that customer communication support is really crucial at this moment," Kaafar concluded.
Research Implications for Cybersecurity Field
The Qantas incident provides valuable case study material for cybersecurity researchers and practitioners studying supply chain vulnerabilities and third-party risk management strategies.
Kaafar's analysis suggests that organizations across all sectors must reassess their approach to vendor security management and implement more rigorous oversight of external service providers handling sensitive customer information.
The professor's expertise in cybersecurity research positions him as a leading voice in Australian discussions about corporate data protection and the evolving threat landscape facing businesses and consumers.
Long-term Industry Impact
Beyond immediate customer protection concerns, Kaafar's assessment indicates the breach could influence regulatory discussions about mandatory security standards for third-party service providers and enhanced disclosure requirements for supply chain vulnerabilities.
The incident reinforces academic and industry warnings about the growing sophistication of cyber criminal operations and the need for comprehensive security frameworks that address both technical and human factors in data protection strategies.
Professor Kaafar's analysis of the Qantas breach demonstrates the critical role academic cybersecurity experts play in interpreting complex incidents and providing practical guidance for both organizations and consumers navigating an increasingly dangerous digital environment.