Qantas breach and Scattered Spider: what IAM teams should fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: The Qantas breach exposed personal data for about 5.7 million customers after attackers reached a third-party customer service platform, reinforcing how social engineering, valid credentials, and lateral movement can bypass fragmented identity controls, according to Silverfort. Hybrid identity environments now need identity-layer segmentation, phishing-resistant MFA, and faster containment.

NHIMG editorial — based on content published by Silverfort covering the Qantas breach and identity attack patterns: "Identity-first defense is the lesson from the Qantas breach"

Questions worth separating out

Q: How should security teams limit identity-driven lateral movement in hybrid environments?

A: Security teams should segment identity paths by privilege, business criticality, and trust boundary, then enforce different controls for privileged users, suppliers, and standard users.

Q: Why do legacy protocols create more risk for identity attacks?

A: Legacy protocols create risk because they often cannot enforce modern MFA consistently, which gives attackers alternate authentication paths to abuse.

Q: What do security teams get wrong about help desk social engineering?

A: Many teams treat the help desk as a service function rather than a security boundary.

Practitioner guidance

  • Map and tier every identity path across hybrid estates: Inventory human, privileged, third-party, and service access together, then separate them by business criticality so a compromise in one tier cannot freely traverse the others.
  • Close MFA gaps across legacy authentication protocols: Find where NTLM, LDAP, and SMB still permit authentication without modern verification, then restrict those paths to the smallest possible set of systems.
  • Harden help desk verification and reset workflows: Require stronger identity checks before password resets, MFA changes, or account recovery actions, especially where third-party staff or outsourced service desks are involved.
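As an added illustration of the first two items above (this is not code from the Silverfort article or from this post), a small audit that runs over constructed Windows Security 4624 logon events exported as JSON lines and flags legacy NTLM authentication, logons that cross the assumed tier boundaries, and hosts or accounts missing from the tier inventory. The tier maps, host names, accounts and addresses are all assumptions made for the example.

```python
import json

# Hypothetical tier model (assumed, not from the article): 0 = identity infrastructure,
# 1 = servers and supplier-facing platforms, 2 = user workstations.
ASSET_TIER = {"DC01": 0, "ADFS01": 0, "APP01": 1, "CRM-VENDOR01": 1, "WS-1042": 2}
ACCOUNT_TIER = {"da-admin": 0, "svc-backup": 1, "vendor-helpdesk": 1, "jdoe": 2}
# 4624 AuthenticationPackageName values that sidestep modern MFA enforcement.
LEGACY_PACKAGES = {"NTLM"}

# Constructed sample: Windows Security 4624/4634 events exported as JSON lines.
# Field names follow the event schema; hosts, accounts and addresses are invented.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-admin", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.15"}
{"EventID": 4624, "Computer": "WS-1042", "TargetUserName": "da-admin", "LogonType": 10, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.2.30"}
{"EventID": 4624, "Computer": "APP01", "TargetUserName": "vendor-helpdesk", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "203.0.113.9"}
{"EventID": 4624, "Computer": "CRM-VENDOR01", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.77"}
{"EventID": 4624, "Computer": "FILE07", "TargetUserName": "jdoe", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.77"}
{"EventID": 4634, "Computer": "DC01", "TargetUserName": "da-admin", "LogonType": 3}
"""

def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_logons(events):
    """Return (rule, account, host) findings for successful logons (EventID 4624):
    legacy_auth_tier<N>  a legacy package was accepted on a tier-N host
    cross_tier           account authenticated outside its own tier (credential exposure
                         downward, privilege reach upward; both break tier isolation)
    untiered             host or account absent from the inventory, i.e. an unmapped path
    """
    findings = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        host, acct = e["Computer"], e["TargetUserName"]
        host_tier, acct_tier = ASSET_TIER.get(host), ACCOUNT_TIER.get(acct)
        if host_tier is None or acct_tier is None:
            findings.append(("untiered", acct, host))
            continue
        if e.get("AuthenticationPackageName") in LEGACY_PACKAGES:
            findings.append((f"legacy_auth_tier{host_tier}", acct, host))
        if acct_tier != host_tier:
            findings.append(("cross_tier", acct, host))
    return findings

if __name__ == "__main__":
    for rule, acct, host in audit_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:18} {acct:16} -> {host}")
```

Findings tagged tier 0 are the ones to restrict first; the untiered entries are inventory gaps to close before the tier model can be enforced at all.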

What's in the full article

Silverfort's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific Scattered Spider techniques described in the article, including help desk impersonation, MFA fatigue, and SIM swapping.
  • The article's practical response sequence for identity-first incident response, including containment, recovery, and remediation steps.
  • The discussion of Australian hybrid identity complexity and why it amplifies the effect of supplier access and legacy protocol gaps.
  • The source article's detailed guidance on phishing-resistant MFA, account segmentation, and response playbooks.

👉 Read Silverfort's analysis of the Qantas breach and Scattered Spider tactics →
