When Australia’s largest airline confirmed a cyber incident affecting millions of passengers, it wasn’t a sophisticated hack that triggered alarm bells—it was a trusted third-party vendor.
Although no sensitive data was exposed, the incident has sparked serious concerns about customer privacy — and brought attention to one of cybersecurity’s most persistent weak spots: human error.
Here’s what happened and what every organisation can learn from it.
On 30 June 2025, Qantas detected unusual activity on a third-party platform used by its airline contact centre. Qantas confirmed that this major cybersecurity breach is affecting up to 6 million customers. The breach exposed personal data including:
Although the airline stated that sensitive data such as credit card details, personal financial information and passport details are not held in that system, brief unauthorized access to personal travel data can cause lasting reputational damage.
This incident isn’t just about Qantas. It’s a warning for any organisation with third-party suppliers, customer data, and human operations. Here are five takeaways:
The breach came from a third-party call centre. If your vendors aren’t being regularly audited for security training, access controls, and data handling, your defences are only as strong as their weakest link.
Hackers don’t need to write code to breach your systems. They just need someone to click the wrong link, answer the wrong call, or ignore security protocol. Human risk isn’t theoretical — it’s everyday reality.
Underestimating the value of customer information like email addresses or loyalty numbers leads to poor data hygiene. These are prime targets for identity theft, scams, and fraud.
The Australian Notifiable Data Breaches (NDB) scheme and upcoming Privacy Act reforms are clear: if a breach is likely to cause harm, you must act fast. A strong incident response plan — and proof of due diligence — can limit regulatory fallout.
Security training must go beyond tick-box compliance. It should be continuous, role-specific, and extended to third parties. A culture of awareness and accountability reduces the chances of human error turning into a full-blown breach.
The Qantas breach is a reminder that even global brands with sophisticated IT infrastructure are vulnerable when human risk isn't adequately managed. As regulators around the world, including in Australia, continue to scrutinize data protection practices, the cost of overlooking human risk will only increase.
Investing in ongoing cybersecurity awareness training, implementing robust access control, and fostering a security-by-design culture are essential next steps—not just for airlines, but for any organisation handling sensitive customer data.