The Register: Qantas begins telling some customers that mystery attackers have their home address

Source URL: https://www.theregister.com/2025/07/09/qantas_begins_telling_customers_data/
Source: The Register
Title: Qantas begins telling some customers that mystery attackers have their home address

Feedly Summary: Plus: Confirms less serious data points like meal preferences also leaked
Qantas says that when cybercrooks attacked a “third party platform” used by the airline’s contact center systems, they accessed the personal information and frequent flyer numbers of the “majority” of the circa 5.7 million people affected.…

AI Summary and Description: Yes

Summary: The text discusses a cybersecurity incident involving Qantas, where a third-party platform used by the airline’s contact center systems was attacked, leading to the leak of personal information of approximately 5.7 million affected individuals. The attack underscores pertinent issues in data privacy and third-party vendor risk.

Detailed Description: This incident highlights several critical aspects of security relevant to professionals in the fields of information security, cloud computing security, and compliance:

– **Cybersecurity Incident**: Qantas experienced a data breach due to a vulnerability in a third-party platform. Such incidents underline the risks associated with outsourcing services to third parties, which can expose organizations to data breaches even if their own systems remain secure.

– **Data Leaked**: The breach resulted in the exposure of personal information and frequent flyer numbers for a significant number of individuals. This type of leakage can lead to identity theft and other malicious activities, emphasizing the need for robust data protection measures.

– **Third-Party Risk Management**: The involvement of a third-party platform points to the importance of evaluating and managing vendor risks. Organizations must ensure that their third-party partners adhere to strong security protocols and practices.

– **Regulatory Compliance and Governance**: The incident raises compliance concerns in relation to data protection regulations. Organizations must be aware of laws governing personal data protection and adjust their policies accordingly to mitigate potential breaches and legal ramifications.

– **Lessons Learned**:
  – Review and enhance third-party vendor security assessments.
  – Implement continuous monitoring and audits of third-party systems.
  – Establish incident response plans that include third-party data breaches.
  – Improve stakeholder communication strategies in the wake of a data breach.

Overall, this incident serves as a reminder of the vulnerabilities present in interconnected systems and the ongoing need for vigilance, particularly as organizations increasingly rely on third-party services for their operations.