Qantas 2025 data breach: what it means for third-party identity risk


(@nhi-mgmt-group)

TL;DR: A third-party contact-centre breach exposed personal data tied to up to 6 million Qantas customers after attackers used social engineering and indirect access paths associated with Scattered Spider, according to Unosecur. The case shows that vendor identity governance, not just internal perimeter controls, now determines breach containment.

NHIMG editorial — based on content published by Unosecur covering the Qantas 2025 data breach: third-party cybersecurity risks in the aviation sector

Questions worth separating out

Q: How should security teams reduce third-party identity risk in customer support platforms?

A: Start by mapping every supplier account, API, and admin workflow that can reach customer or operational data.

Q: Why do offshore support vendors increase breach risk in aviation and similar sectors?

A: They extend the trust boundary beyond the core enterprise while often using shared platforms, remote administration, and delegated support workflows.

Q: What breaks when MFA is bypassed through help desk or vendor workflows?

A: The access control model loses the assumption that identity proofing happens before privilege changes.

Practitioner guidance

  • Map third-party identities to data reach: Inventory every offshore contact-centre account, supplier token, admin path, and remote support workflow that can reach customer data.
  • Tighten identity verification for help desks and vendor admins: Require step-up verification before resets, device changes, permission grants, or remote access approvals.
  • Monitor bulk reads from supplier channels: Alert on high-volume queries, abnormal export patterns, and repeated access from contact-centre or partner platforms.

What's in the full article

Unosecur's full analysis covers the operational detail this post intentionally leaves for the source:

  • The full incident timeline showing how the third-party platform was detected, isolated, and taken offline.
  • The article's breakdown of the exposed data fields and what was not stored on the compromised system.
  • The source discussion of FBI and CISA context around Scattered Spider targeting patterns.
  • The legal and containment actions Qantas used after the breach, including monitoring and injunction steps.

👉 Read Unosecur's analysis of the Qantas 2025 third-party data breach →

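One way to implement the "monitor bulk reads from supplier channels" guidance above is a per-principal sliding-window count over data-access logs. This is an added example, not code from NHIMG or Unosecur; the log format, channel labels, principal names, and thresholds are all assumptions, and the sample log is constructed.

```python
import csv, io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, principal, channel, action, records returned.
SAMPLE_LOG = """\
2025-01-01T09:00:00,agent-017,contact-centre,read,3
2025-01-01T09:02:00,agent-017,contact-centre,read,5
2025-01-01T09:03:00,svc-crm-sync,internal,export,9000
2025-01-01T09:05:00,agent-042,contact-centre,read,400
2025-01-01T09:06:00,agent-042,contact-centre,export,2500
2025-01-01T09:07:00,agent-042,contact-centre,read,1800
2025-01-01T09:30:00,agent-017,contact-centre,read,4
2025-01-01T09:31:00,partner-api-3,partner,read,250
2025-01-01T09:33:00,partner-api-3,partner,read,300
"""

SUPPLIER_CHANNELS = {"contact-centre", "partner"}  # assumed channel labels

def flag_bulk_reads(log_text, window=timedelta(minutes=10), threshold=1000):
    """Return one alert per supplier principal whose records read within
    any sliding window exceed the threshold."""
    recent = defaultdict(deque)   # principal -> (time, records) still in window
    totals = defaultdict(int)     # principal -> running sum over the window
    alerts = {}
    rows = sorted(csv.reader(io.StringIO(log_text)))  # ISO times sort lexically
    for ts, principal, channel, action, count in rows:
        if channel not in SUPPLIER_CHANNELS or action not in {"read", "export"}:
            continue  # internal jobs are out of scope for this rule
        now, n = datetime.fromisoformat(ts), int(count)
        q = recent[principal]
        q.append((now, n))
        totals[principal] += n
        # Drop events that have aged out of the window.
        while q and now - q[0][0] > window:
            totals[principal] -= q.popleft()[1]
        if totals[principal] > threshold and principal not in alerts:
            alerts[principal] = {"principal": principal, "channel": channel,
                                 "first_seen": q[0][0].isoformat(),
                                 "alerted_at": ts, "records": totals[principal]}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in flag_bulk_reads(SAMPLE_LOG):
        print(alert)
```

A fixed threshold is the simplest form of this rule; in practice the limit would be tuned per supplier role against that role's normal read volume.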