TL;DR: A third-party contact-centre breach exposed personal data tied to up to 6 million Qantas customers after attackers used social engineering and indirect access paths associated with Scattered Spider, according to Unosecur. The case shows that vendor identity governance, not just internal perimeter controls, now determines breach containment.
NHIMG editorial — based on content published by Unosecur covering the Qantas 2025 data breach: third-party cybersecurity risks in the aviation sector
Questions worth separating out
Q: How should security teams reduce third-party identity risk in customer support platforms?
A: Start by mapping every supplier account, API, and admin workflow that can reach customer or operational data.
Q: Why do offshore support vendors increase breach risk in aviation and similar sectors?
A: They extend the trust boundary beyond the core enterprise while often using shared platforms, remote administration, and delegated support workflows.
Q: What breaks when MFA is bypassed through help desk or vendor workflows?
A: The access control model loses the assumption that identity proofing happens before privilege changes.
Practitioner guidance
- Map third-party identities to data reach Inventory every offshore contact-centre account, supplier token, admin path, and remote support workflow that can reach customer data.
- Tighten identity verification for help desks and vendor admins Require step-up verification before resets, device changes, permission grants, or remote access approvals.
- Monitor bulk reads from supplier channels Alert on high-volume queries, abnormal export patterns, and repeated access from contact-centre or partner platforms.
What's in the full article
Unosecur's full analysis covers the operational detail this post intentionally leaves for the source:
- The full incident timeline showing how the third-party platform was detected, isolated, and taken offline.
- The article's breakdown of the exposed data fields and what was not stored on the compromised system.
- The source discussion of FBI and CISA context around Scattered Spider targeting patterns.
- The legal and containment actions Qantas used after the breach, including monitoring and injunction steps.
👉 Read Unosecur's analysis of the Qantas 2025 third-party data breach →
Qantas 2025 data breach: what it means for third-party identity risk?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Third-party identity is now core identity. The Qantas breach shows that a supplier platform with customer data can become a primary attack surface even when the airline's own network is not breached. That means identity governance has to extend to offshore contact centres, remote support paths, and vendor-operated admin workflows. The practitioner conclusion is straightforward: if third-party access can reach sensitive data, it is part of the identity programme, not an exception to it.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when a supplier platform exposes customer data?
A: The organisation that owns the data and the relationship remains accountable, even if the breach originates in a vendor environment. Regulators and customers will expect clear evidence of access governance, monitoring, contractual controls, and incident response across the extended enterprise. Supplier use does not transfer accountability. It only expands the control surface.
👉 Read our full editorial: Qantas 2025 breach shows third-party identity risk is board-level