Sydney Times


What businesses should do after the Qantas hack

Written by Aksel Ritenis


OpEd/Opinion Piece/ Media Release written by Rich Atkinson

Sydney, NSW

Posted Thursday 03 July 16.15 hrs

Airteam Executive Director Rich Atkinson is an expert architect of scalable platforms and software designed locally for Australian businesses and governments. He is available for comment on this story.

 

In the wake of the Qantas customer data breach, which exposed the personal information of over six million people, Australian businesses are being urged to take practical steps to protect themselves and their customers.

 

“Events like this are unsettling, but they’re also an important reminder that good cyber security isn’t about panic, it’s about sensible, everyday actions done well,” said Rich Atkinson, Executive Director, Technology at Airteam.

 

Recent figures from the Office of the Australian Information Commissioner (OAIC) show that data breaches rose by 25% last year, with malicious or criminal attacks making up nearly 70% of incidents and human error accounting for much of the rest.

 

“The reality is, even if your own systems are secure, a single weak link in your supply chain can expose you,” Atkinson said. “The Qantas incident shows how attackers are using sophisticated social engineering like phishing to bypass even the best technical controls.”

 

So what should Australian businesses do next?

1. Read the Australian Privacy Principles (APPs)

You don’t need a lawyer to get started: the APPs are written to be accessible. “If you collect and store personal data, these principles are your baseline for doing it safely and legally,” Atkinson said.

 

2. Audit What Data You Actually Need

“Did you know some breaches expose data from customers who left years ago?” Atkinson said. Regularly delete old data you no longer need: less data means less risk.

 

3. Tighten Up Access Controls

When was the last time you checked who has access? “About 1 in 10 Active Directory accounts are stale but active: perfect targets for attackers,” Atkinson warned.

 

4. Move Towards Zero Trust

Zero Trust means nobody automatically gets full access: not even employees inside the network. “With so many people working remotely, assuming the network is safe is no longer realistic,” said Atkinson.

 

5. Test Your Multi-Factor Authentication (MFA)

MFA stops a lot of attacks, but it can be a loophole if not set up properly. “Adding a new device should require confirmation through a separate, verified channel. That’s the gold standard,” Atkinson said.

 

6. Strengthen Help Desk Identity Checks

Help desks are common targets for social engineering. “Move beyond just asking for a birth date or employee number: implement callback protocols and multi-step verification,” he advised.

 

7. Train Staff to Spot Urgency Tactics

“Phishing works because people panic when they feel pressured,” said Atkinson. Train staff to pause, verify, and stick to the process, no matter how ‘urgent’ a request seems.

 

8. Run Regular Social Engineering Drills

Test how your team responds to fake phishing calls and emails. “People learn best when they practise. It’s cheaper to find out now than in a real attack,” Atkinson said.

 

9. Hold Vendors to Your Standards

If you hold yourself to ISO 27001 or another security framework, your vendors should too. “If a third-party can access your data, they must meet the same standards you do, with regular checks,” said Atkinson.

 

10. Understand Overseas Software Risks

Many business tools are built offshore and may be subject to foreign government access. “It’s not always obvious, but data sovereignty and privacy laws matter. Know what you’re signing up for,” Atkinson said.

“Cyber security isn’t just a technology problem: it’s about people, processes and practical habits,” said Atkinson. “Australian businesses have a legal and moral duty to protect customer data, and that’s not something you can outsource and forget.”

About Airteam

Airteam is an award-winning Australian software firm that designs and builds smarter software for smarter businesses, built to solve, deliver and scale for the long term.

Looking for data, insights, and expert commentary?

We combine rigorous primary and secondary research with proprietary client datasets to uncover genuinely unique insights. Our data supports trend-spotting, reveals the big numbers behind the headlines, and brings fresh angles to light.

 

About the author

Aksel Ritenis

Publisher and Custodian of the Sydney Times
