Qantas cyber breach highlights urgent need for supply chain security
A major cyber incident involving Qantas has brought renewed attention to the growing threat of data breaches via third-party suppliers, forcing organisations across Australia to re-examine the resilience of their digital ecosystems. The attack, reportedly originating through a compromised subcontractor's computer system linked to the airline's customer contact centre, highlights a rising wave of third-party cyber risks that now account for the majority of data breaches in the country.
According to Ben Le Huray, Solutions Architect Team Leader at Ingram Micro Australia, the incident demonstrates that cyber resilience must extend beyond a company's own walls. "You can do everything right inside your business but if a supplier is compromised, you're still exposed. Third-party risk management needs to be part of your core governance process," he stated. Le Huray advises organisations to carefully map out what access their vendors possess, examine their security credentials, and weave supply chain monitoring into overall cyber strategies.
Le Huray also stressed the importance of regular security reviews, proactive incident response planning, and the use of up-to-date threat intelligence. These measures, he argued, are vital for spotting and responding to risks before they escalate into full-scale breaches. "Even if an external partner is the source of a breach, the consequences are still yours to manage," Le Huray warned, pointing to new mandatory reporting requirements on ransom payments under recent cyber regulations, which carry steep civil penalties for non-compliance and create significant reputational risks.
Louise Hanna, General Manager at Excite Cyber, echoed concerns about the proliferation of third-party attacks. "While most organisations are taking strong steps to protect their own systems and data, it is important that third parties are held to the same standard. In some cases, this may even require supporting third parties that provide essential services to ensure your data is not compromised," Hanna remarked.
Kash Sharma, Managing Director for the ANZ region at BlueVoyant, highlighted that the aviation industry's complex digital supply chains make it especially susceptible to such attacks. Sharma described the Qantas incident as a "stark reminder of the growing cyber risks facing the aviation sector". The sector, he noted, is currently grappling with a range of challenges, including worker shortages, economic pressures, and geopolitical tensions – all of which are exacerbated by an ever-expanding network of third-party dependencies. "It's clear that attackers are exploiting systemic weaknesses, particularly in sprawling supply chain ecosystems that often lack rigorous security governance," said Sharma. He referenced guidance from the International Civil Aviation Organization, which has identified insecure supply chains and digitised operations as primary risk factors for aviation cyberattacks.
Sharma warned that cybercriminals now have access to customisable, AI-powered toolkits, facilitating more sophisticated attacks targeting sensitive data such as passengers' names, contact details and frequent flyer numbers. He called on organisations to strengthen cyber resilience by prioritising supply chain security, embedding clear roles and responsibilities for vendors, and adopting recognised frameworks like ISO 27001 and NIST 2.0. While he welcomed the Australian government's sector-wide threat-sharing investment of AUD 6.4 million, Sharma contended that "sustained, coordinated action is essential" to keep pace with professionalised cybercrime.
The need for a holistic approach to cyber resilience was further underscored by Le Huray: "Being proactive means preparing for the 'when', not the 'if'. That includes regular staff training, patching systems, and a tested incident response plan. Resilience depends on more than technical safeguards. It's about cultivating a culture where employees feel empowered to pause, question, and report threats without hesitation." He also warned that the repercussions of a breach can linger, as stolen data often re-emerges months or years after an initial attack.
The Qantas incident is the latest in a series of attacks highlighting the vulnerability of even the most well-defended organisations to weaknesses in their extended third-party networks. As legal and regulatory expectations tighten, the spotlight is firmly on boards and executive leaders to embed robust cyber risk management across their entire supply chain, ensuring that both internal and external standards are high enough to protect critical data and maintain public trust.