TL;DR: The Qantas breach exposed personal data for about 5.7 million customers after attackers reached a third-party customer service platform, reinforcing how social engineering, valid credentials, and lateral movement can bypass fragmented identity controls, according to Silverfort. Hybrid identity environments now need identity-layer segmentation, phishing-resistant MFA, and faster containment.
NHIMG editorial — based on content published by Silverfort covering the Qantas breach and identity attack patterns: Identity-first defense is the lesson from the Qantas breach
Questions worth separating out
Q: How should security teams limit identity-driven lateral movement in hybrid environments?
A: Security teams should segment identity paths by privilege, business criticality, and trust boundary, then enforce different controls for privileged users, suppliers, and standard users.
Q: Why do legacy protocols create more risk for identity attacks?
A: Legacy protocols create risk because they often cannot enforce modern MFA consistently, which gives attackers alternate authentication paths to abuse.
Q: What do security teams get wrong about help desk social engineering?
A: Many teams treat the help desk as a service function rather than a security boundary.
Practitioner guidance
- Map and tier every identity path across hybrid estates Inventory human, privileged, third-party, and service access together, then separate them by business criticality so a compromise in one tier cannot freely traverse the others.
- Close MFA gaps across legacy authentication protocols Find where NTLM, LDAP, and SMB still permit authentication without modern verification, then restrict those paths to the smallest possible set of systems.
- Harden help desk verification and reset workflows Require stronger identity checks before password resets, MFA changes, or account recovery actions, especially where third-party staff or outsourced service desks are involved.
What's in the full article
Silverfort's full blog covers the operational detail this post intentionally leaves for the source:
- The specific Scattered Spider techniques described in the article, including help desk impersonation, MFA fatigue, and SIM swapping.
- The article’s practical response sequence for identity-first incident response, including containment, recovery, and remediation steps.
- The discussion of Australian hybrid identity complexity and why it amplifies the effect of supplier access and legacy protocol gaps.
- The source article's detailed guidance on phishing-resistant MFA, account segmentation, and response playbooks.
👉 Read Silverfort's analysis of the Qantas breach and Scattered Spider tactics →
Qantas breach and Scattered Spider: what IAM teams should fix?
Explore further
Identity-layer segmentation is the control that breaks the attacker’s assumed freedom of movement. The article shows that once a third-party platform or help desk path is trusted, attackers can traverse environments that should have been isolated from one another. That is not just a visibility problem, it is a governance failure in how trust is scoped across privileged, non-privileged, and supplier identities. Practitioners should treat segmentation as an identity control plane issue, not a network afterthought.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when supplier access is abused in a breach?
A: Accountability sits with the organisation that granted the access and with the supplier governance process that failed to constrain it. If a third-party platform can be abused to expose customer data, then access scope, offboarding, and monitoring were not aligned to the relationship. IAM and third-party risk teams should review supplier access as a lifecycle control, not a one-time approval.
👉 Read our full editorial: Identity-first defense is the lesson from the Qantas breach