The Third-Party Risk Wake-Up Call: What We Can All Learn from the Recent Qantas Cyber Attack

In July 2025, Qantas, Australia’s flagship airline, confirmed a significant cyber incident. The breach did not stem from Qantas’ own systems, but rather from a third-party platform used by its contact centre.
The event exposed the personal data of up to six million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
While sensitive financial and passport data were not affected, the incident has sent ripples through the business and cybersecurity community, highlighting the urgent need to address third-party risks in our digital supply chains.
Third-party access dilemma
Modern organisations rely heavily on third-party vendors for everything from customer service platforms to payment processing and analytics. While these partnerships drive innovation and efficiency, they also introduce new vulnerabilities.
In the Qantas case, the attackers did not breach Qantas’ own network; they got in through a third-party platform used by its contact centre, demonstrating how attackers target the weakest link in the chain.
What can we learn?
- Third-party data storage is a major risk: Allowing third parties to store or process your customer data exposes your organisation to risks beyond your direct control. Once data leaves your perimeter, you inherit the security posture of your partners.
- API and privilege vulnerabilities: APIs are essential for integration but can become attack vectors if not properly secured. Privilege escalation – where attackers gain higher-level access than intended – is a common outcome of weak third-party controls and poor API security.
- Suspicious activity detection: The Qantas incident was detected through unusual activity on a third-party platform. This underscores the importance of continuous monitoring, not just internally but across all partner systems.
The scale of third-party breaches in Australia
Australia has experienced a wave of third-party data breaches in recent years. Notable examples include:
- 2025, Qantas: Up to 6M customers affected
- 2024, Hertz Australia: Up to 1.5M customers affected
- 2023, Latitude Financial: Up to 14M customers affected
- 2023, The Good Guys: No. of customers affected not disclosed.
In fact, a recent survey found that 41% of Australian businesses experienced at least one data breach in the past year, with a significant portion attributed to third-party providers.
Why third-party controls are a big issue
Limited visibility and control
Once data is handed to a third party, the original organisation often loses oversight of how it’s handled, stored, or protected.
Inherited vulnerabilities
Your security is only as strong as your weakest vendor. If a third party has poor security practices, those weaknesses become your own.
API and privilege management
APIs, if not properly secured, can allow attackers to bypass controls. Over-privileged accounts and lack of proper authentication can lead to data exposure or escalation of access.
Practical takeaways for your organisation
Minimise data sharing
Only share what is absolutely necessary with third parties. Avoid letting vendors hold or store sensitive customer data unless essential.
Strengthen third-party controls
Conduct thorough due diligence before onboarding vendors. Regularly review and audit their security practices.
Secure APIs
Implement strong authentication, least privilege principles, and continuous monitoring on all API integrations.
Monitor for suspicious activities
Use automated tools to detect unusual access patterns, both internally and on third-party systems.
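The kind of "unusual access pattern" that monitoring of a partner system should catch is an integration or agent account that starts enumerating customer records. The following is an added example, not code from Qantas or any vendor platform. It assumes the contact-centre platform emits one access-log line per customer-record read in the constructed format shown; the account IDs, field names and thresholds are hypothetical, and the log lines are constructed for the illustration.

```python
"""Flag a third-party integration account that starts bulk-reading customer records.

Added example (not Qantas' or any vendor's code). It assumes the contact-centre
platform emits one access-log line per customer-record read in the constructed
format below; field names and account IDs are hypothetical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse '<ISO ts> principal=<id> action=<verb> customer=<id>' into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, TS_FMT),
        "principal": kv["principal"],
        "action": kv["action"],
        "customer": kv["customer"],
    }


def detect_bulk_access(events, window=timedelta(minutes=10), max_distinct=50):
    """Sliding-window count of *distinct* customer records read per principal.

    Returns one alert per principal, raised the first time it exceeds
    max_distinct distinct customers inside the window. Counting distinct IDs
    rather than raw requests keeps an agent refreshing one record from alerting
    while still catching ID enumeration by an integration account.
    """
    recent = defaultdict(deque)  # principal -> deque of (ts, customer_id)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "read_customer":
            continue
        q = recent[ev["principal"]]
        q.append((ev["ts"], ev["customer"]))
        while q and ev["ts"] - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        distinct = len({cust for _, cust in q})
        if distinct > max_distinct and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({
                "principal": ev["principal"],
                "at": ev["ts"].strftime(TS_FMT),
                "distinct_customers": distinct,
            })
    return alerts


def build_sample_log():
    """Constructed log lines: a normal agent, an agent hammering one record,
    and an integration account enumerating customer IDs."""
    base = datetime(2025, 6, 30, 2, 0, 0)
    lines = []
    for i in range(6):  # agent-042: six different customers over an hour (normal)
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.strftime(TS_FMT)} principal=agent-042 action=read_customer customer=C{1000 + i}")
    for i in range(200):  # agent-007: the same record 200 times (noisy, not exfiltration)
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.strftime(TS_FMT)} principal=agent-007 action=read_customer customer=C1500")
    for i in range(120):  # svc-vendor-sync: 120 distinct customers in four minutes
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.strftime(TS_FMT)} principal=svc-vendor-sync action=read_customer customer=C{5000 + i}")
    return lines


def run_sample():
    """Run the detector over the constructed log; expect one alert for svc-vendor-sync."""
    return detect_bulk_access(parse_line(l) for l in build_sample_log())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed log this raises exactly one alert, for the integration account, at the moment it reaches 51 distinct customers; the agent refreshing a single record 200 times never trips it. In production the threshold would be set from a per-account baseline rather than a fixed number, and the same logic should run over the vendor's logs, not only your own, which is the point of asking partners for access-log feeds in the first place.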
Final thoughts
The Qantas incident is a stark reminder that your cybersecurity is only as strong as your weakest third-party partner.
By learning from these events and adopting robust third-party risk management practices, your organisation can better protect your customers, your reputation, and your digital future.
Reach out to us today
If you need guidance on securing your digital supply chain, our certified team of cybersecurity advisors and experts is ready to help you navigate the evolving threat landscape with confidence.
FAQ
What does Northbridge Systems advise Australian companies is best practice for third-party risk management?
Supported by more than 25 years’ experience in the Australian ICT industry, our engineers recommend a layered approach:
- Vendor assessment: Rigorously vet all third-party vendors for security certifications and past incident history.
- Data minimisation: Limit the amount and type of data shared with vendors.
- Contractual controls: Ensure contracts specify security requirements, incident response obligations, and regular audits.
- Continuous monitoring: Deploy tools to monitor API traffic, privilege usage, and detect anomalies in real time.
- Incident response plans: Prepare for third-party breaches with clear response protocols and communication strategies.
What can Australian companies do right now to reduce third-party cyber risk?
- Inventory and map data flows: Know where your data goes, who has access, and why.
- Apply least privilege: Restrict third-party access to only what is strictly necessary.
- Encrypt data: Ensure all data exchanged with third parties is encrypted in transit and at rest.
- Regularly review vendors: Schedule periodic security reviews and update access controls as needed.
- Educate staff: Train employees to recognise phishing and social engineering attempts, which are common entry points for attackers.
Are APIs a source of vulnerability for third-party breaches?
Yes. APIs are essential for business integration but are a common target for attackers. Risks include:
- Broken authentication: Failing to verify user identities properly.
- Poor authorisation: Allowing users or systems to access data or functions beyond their role.
- Over-privileged accounts: Granting more access than necessary, which can be exploited if compromised.
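The three API risks above, and the "strong authentication, least privilege" advice under Secure APIs earlier on this page, come down to one handler design question: does the endpoint check only who is calling, or also what the caller is entitled to see? The following is an added example, not code from Qantas or any vendor platform. It places an authentication-only customer lookup beside a version that also checks scope, tenant ownership and the fields returned. The HMAC-signed token format, shared secret, tenant names, scope names and customer records are all hypothetical and constructed for the illustration.

```python
"""A customer-lookup API call: authentication-only (vulnerable) beside a
scope-, tenant- and field-checked version (hardened).

Added example, not code from Qantas or any vendor platform. Tokens are HMAC-signed
JSON claims; the shared secret, customer records, tenant names and scope names are
all hypothetical and constructed for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"  # hypothetical; load from a secret store in practice

# Constructed records for two tenants that share one vendor platform.
CUSTOMERS = {
    "C1001": {"tenant": "au-loyalty", "name": "A. Example", "email": "a@example.com",
              "phone": "+61400000001", "dob": "1980-01-01", "ff_number": "FF1001"},
    "C2001": {"tenant": "nz-sales", "name": "B. Example", "email": "b@example.com",
              "phone": "+64210000002", "dob": "1975-05-05", "ff_number": "FF2001"},
}
SAFE_FIELDS = ("name", "email", "ff_number")  # returned without an elevated scope


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, tenant, scopes, ttl=3600, now=None):
    """Mint '<claims>.<hmac>' carrying a subject, its tenant, granted scopes and expiry."""
    exp = (now if now is not None else time.time()) + ttl
    claims = {"sub": sub, "tenant": tenant, "scope": list(scopes), "exp": exp}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Authentication: constant-time signature check plus expiry. Returns the claims."""
    body, _, sig = token.partition(".")
    expected = _b64u(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid signature")
    claims = json.loads(_b64u_dec(body))
    if (now if now is not None else time.time()) >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


def get_customer_vulnerable(token, customer_id, now=None):
    """Authentication only. Any valid token, e.g. a vendor integration account issued
    for another tenant with just 'tickets:read', can pull any customer's full record
    by walking IDs: broken object-level authorisation plus over-privilege."""
    verify_token(token, now)
    return dict(CUSTOMERS[customer_id])


def get_customer_hardened(token, customer_id, now=None):
    """Authentication, then authorisation: required scope, tenant ownership of the
    record, and data minimisation on the fields returned."""
    claims = verify_token(token, now)
    if "customers:read" not in claims["scope"]:
        raise PermissionError("scope customers:read required")
    rec = CUSTOMERS.get(customer_id)
    # Same response for unknown and foreign records so callers cannot enumerate IDs.
    if rec is None or rec["tenant"] != claims["tenant"]:
        raise PermissionError("not found")
    fields = SAFE_FIELDS + (("dob", "phone") if "customers:read_pii" in claims["scope"] else ())
    return {k: rec[k] for k in fields}


def denied(fn, *args, **kwargs):
    """True if the call is refused with PermissionError (helper for the checks below)."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    vendor = issue_token("svc-vendor-sync", "nz-sales", ["tickets:read"])
    print("vulnerable leaks another tenant's record:", get_customer_vulnerable(vendor, "C1001"))
    print("hardened refuses the same call:", denied(get_customer_hardened, vendor, "C1001"))
```

Run stand-alone, the vendor account's token passes the vulnerable handler and returns the full au-loyalty record, date of birth included; the hardened handler refuses it, and even an au-loyalty agent with `customers:read` gets only name, email and frequent flyer number. The three checks map directly onto the list above: the signature and expiry test is authentication, the scope and tenant test is authorisation, and the field filter is what least privilege looks like at the data level.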