Qantas Confirms That A Third Party Attack Has Led To The Data Of 5.7 Million Customers Being Swiped
Last week, I reported that Qantas had been the target of an extortion attempt after getting pwned via a third-party attack. Today the airline has confirmed that this attack compromised personal data for 5.7 million customers. The breach, disclosed after a June 30 incident, included names, email addresses, frequent flyer details, and in some cases, home addresses, birthdates, phone numbers, gender, and even meal preferences.
Andrew Obadiaru, CISO, Cobalt:
“Breaches like this reveal a systemic issue: security validation rarely extends to the third-party platforms that store massive volumes of customer data. Organizations need to evolve beyond trust-based vendor relationships and implement regular offensive testing across the entire service ecosystem. The fact that an extortion attempt followed the breach suggests the attackers know exactly how valuable this data is. Red-teaming and continuous pentesting are essential tools to uncover these weak points before adversaries do. This highlights the importance of implementing a comprehensive third party risk management program to ensure that the security posture of all vendors aligns with your organization’s security standards and expectations.”
This is pretty bad and highlights the fact that an organization is only as secure as the organizations that it works with. I hope that Qantas keeps that in mind going forward. Related to this, I have to assume that my personal data is out in the wild as I flew on this airline a few years ago. Oh joy.
This entry was posted on July 10, 2025 at 11:20 am and is filed under Commentary with tags Hacked.