The Qantas Breach: A Wake-Up Call on Third-Party Privacy Risks

This month, Qantas confirmed a cyber incident that compromised the personal data of up to six million customers. The breach didn’t stem from Qantas’ internal systems, but rather from a third-party customer service platform operated offshore. This incident is a stark reminder that privacy risks don’t stop at the firewall—they extend deep into the vendor ecosystem.

Why This Matters for Australian Businesses

This breach highlights several critical issues:

• Vendor vulnerabilities: The attack didn’t target Qantas directly—it exploited a trusted third-party provider;

• Offshore risk exposure: Many Australian businesses outsource IT and customer service functions overseas, where cybersecurity maturity may be lower;

• Regulatory accountability: Under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, Qantas remains responsible for protecting customer data—even when handled by a vendor;

• Reputational damage: Qantas’ stock dropped and public trust took a hit, despite the breach occurring outside its core systems.

What is the OAIC’s position on third-party breaches?

Where more than one party could potentially report a breach, the Office of the Australian Information Commissioner (“OAIC”) expects that only one notification be made under the Notifiable Data Breaches (“NDB”) scheme, to avoid duplication and confusion. The entity with the most direct relationship to the affected individuals is expected to notify.

Lessons for Australian Businesses

The Qantas incident underscores the need for robust third-party risk management:

• Check your cyber insurance: Be certain that your policy covers third-party vendor breaches;

• Map your vendor ecosystem: Know who has access to sensitive data and where it’s stored;

• Conduct due diligence: Assess vendors’ compliance with standards like ISO/IEC 27001, Essential Eight, and APRA CPS 234;

• Embed privacy clauses: Contracts should include breach notification timelines, data handling protocols, and audit rights;

• Simulate breach scenarios: Test how quickly you can respond if a vendor is compromised.

Final Thought

The Qantas breach is not an isolated event—it’s part of a growing pattern where third-party failures become first-party liabilities. As cybercriminals grow more sophisticated, Australian businesses must shift from a culture of compliance to one of resilience and proactive governance. Because when a vendor slips, it’s your brand, your customers, and your legal standing that take the fall.

For further information, please contact:

Richard Smith

Richard.Smith@syncuw.com.au

Mobile – 0477 377797