The Qantas data breach highlights what cybersecurity experts have feared for years – that the outsourcing and offshoring of data management leaves companies and government agencies vulnerable to increasingly sophisticated attacks. By Martin McKenzie-Murray.
What the Qantas hack reveals about cybercrime
The Qantas data breach didn’t begin with a computer but a telephone.
Earlier this year, a group calling itself Scattered Lapsus$ Hunters – a loose coalition of three criminal hacker and extortion groups – began a relatively unsophisticated but highly effective “social engineering” scam to insinuate itself into corporate databases.
In cybersecurity, “social engineering” refers to human manipulation to make the first unauthorised entrance to an otherwise protected database or network. This might be a phishing link contained in a text message or email that purports to be from a legitimate business, or it might be a phone call.
According to Google’s Threat Intelligence Group, the Qantas breach began with the latter. Qantas, like many other major companies and various government departments, uses Salesforce – an app designed for the management of huge volumes of data. To access Qantas’s data, a phone call was made to a Qantas call centre in Manila.
The caller convincingly impersonated a Salesforce IT employee, requested that the app’s set-up page be opened and then for a “connection code” to be entered. Once it was, the criminals had access. As Google’s Threat Intelligence Group wrote in an updated report in August: “This activity underscores a broader and concerning trend: threat actors are increasingly targeting IT support personnel as a primary vector for gaining initial access, exploiting their roles to compromise valuable enterprise data.”
There has been no suggestion that the Salesforce app itself is flawed. This was human error; the keys to the treasure chest were unwittingly handed over.
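The technique described above turns on a single authorisation event: a user who should never be approving applications types a code that connects an outside app to the customer database. As an added illustration, not code from the article, from Google's report or from Salesforce, the following Python shows how a defender can review such app-authorisation events against a policy (approved apps, who may approve them, which access scopes are sensitive) and flag the "typed connection code by a call-centre user" pattern. The event schema, field names, app names and policy values are all assumptions constructed for this example, not any vendor's real log format.

```python
from dataclasses import dataclass, field
from typing import Optional

# Policy inputs. Names and values are assumptions for this example, not any
# vendor's configuration; a real deployment would load them from the identity
# platform's admin settings.
APPROVED_APPS = {"corp-reporting-tool", "hr-sync"}       # apps security has reviewed
APP_ADMINS = {"it.admin@example.com"}                    # the only accounts allowed to approve new apps
BULK_ACCESS_SCOPES = {"api", "refresh_token", "full"}    # scopes that permit large data exports


@dataclass
class Finding:
    timestamp: str
    user: str
    app: str
    severity: str
    reasons: list = field(default_factory=list)


def check_authorization(event: dict) -> Optional[Finding]:
    """Return a Finding if an app-authorisation event breaks policy, else None."""
    reasons = []
    unapproved = event["app"] not in APPROVED_APPS
    non_admin = event["user"] not in APP_ADMINS
    typed_code = event.get("flow") == "device_code"   # the "enter this code" pattern from the article
    bulk_scopes = BULK_ACCESS_SCOPES & set(event.get("scopes", []))

    if unapproved:
        reasons.append("app is not on the approved list")
    if non_admin:
        reasons.append("authorised by a user outside the app-admin group")
    if typed_code:
        reasons.append("device/connection-code flow: a code typed by the user, not an app the user launched")
    if unapproved and bulk_scopes:
        reasons.append("unapproved app granted bulk-access scopes: " + ", ".join(sorted(bulk_scopes)))

    if not reasons:
        return None
    # An unreviewed app approved by someone outside the admin group, or via a
    # typed code, is the exact shape of the incident described in the article.
    severity = "high" if unapproved and (non_admin or typed_code) else "medium"
    return Finding(event["ts"], event["user"], event["app"], severity, reasons)


def scan(events: list) -> list:
    """Run the policy check over a list of events and return only the findings."""
    out = []
    for e in events:
        f = check_authorization(e)
        if f is not None:
            out.append(f)
    return out


# Constructed sample events for a self-contained run (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:12:00Z", "user": "it.admin@example.com",
     "app": "hr-sync", "flow": "web", "scopes": ["api"]},
    {"ts": "2025-07-01T10:03:00Z", "user": "agent42@callcentre.example",
     "app": "bulk-export-tool", "flow": "device_code", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-07-01T10:05:00Z", "user": "it.admin@example.com",
     "app": "corp-reporting-tool", "flow": "web", "scopes": ["read"]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.timestamp, f.user, f.app)
        for r in f.reasons:
            print("   -", r)
```

The point of the design is that the check runs on the authorisation event rather than on the later data export: by the time a bulk download is noticed, the data has already left. Restricting who may approve apps, and alerting on any typed-code authorisation from a support or call-centre account, addresses the human step the article describes without relying on the agent to spot the impersonation.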
From Qantas alone, the personal details of almost six million customers were stolen. Dozens of other global companies were similarly affected. Qantas notified its customers in July, as the hackers demanded a sum of money for the return of the data – or else it would be sold to the highest bidder on the dark web or simply publicly exposed.
That deadline for the ransom was last Saturday at 3pm. It passed without any payment, consistent with the Australian government’s advice, and the hackers were true to their word: the personal details, which didn’t include anything about customer credit cards, passports or addresses, were published online.
This week, the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), released its annual cyber threat report. Canvassing a range of emerging and established threats, it referenced corporate vulnerability through its use of contracted third parties. Among cybersecurity experts there has long been a fear that with the outsourcing of responsibility comes the diminishment of accountability.
“The pattern of recent breaches – Optus, Medibank, Latitude and now Qantas – suggests that many large organisations are still not sufficiently diligent in managing their third-party risk,” Arash Shaghaghi, a senior lecturer in cybersecurity at UNSW Sydney, tells The Saturday Paper. “The Australian Securities and Investments Commission recently warned of ‘governance gaps’ and weak oversight of offshore and outsourced service providers.
“Even when the breach occurs through a vendor, the accountability and reputational damage always sit with the main company. The public doesn’t distinguish between whether it was Qantas or a contractor’s system that failed. They just see a brand that lost their data.
“Many companies still treat vendor assurance as a one-off audit or questionnaire, rather than a continuous monitoring obligation. True resilience means ongoing verification – testing, not trusting – throughout the life of the contract.”
This raises legal issues of liability and oversight, and whether the diligence of third parties is being effectively obliged through their contracts. Michael Park is a partner with global law firm Dentons and specialises in data privacy and cybersecurity.
“Increasingly, the reality is that data breaches arise from your supplier’s tech systems rather than your own,” he says. “It’s been on the radar for a long time. Yes, you need to get your own house in order but equally you must look at your supply chain. In the big corporate end of town, there’s an increased focus on this now.
“There’s also been a real shift in the way this government tries to protect personal information. This emerged from the Medibank and Optus breaches in 2022. Penalties are much, much higher than they were.
“Having said all that though, the reality will always be that cybercriminals are one step ahead, and regardless of how hard organisations work to protect their systems and those of their subcontractors, there will always be these breaches. Increasingly so, in fact.”
Then there is the issue of compromised accountability, as well as the legal confusions that come with engaging offshore parties. There is also, as the ACSC warned in this week’s report, the fact that artificial intelligence is making such breaches easier to achieve. “Cybercriminals use GenAI to automate the analysis of extensive datasets, such as identifying valuable credentials or extortion material in stolen data,” the annual threat report stated. “Cybercriminals also use GenAI to create high-quality videos, fake voices, websites, know-your-customer records and spearphishing emails to more convincingly present themselves to victims as legitimate actors with relatively minimal effort.”
The ACSC’s numbers bear this out. This reporting year saw an increase in both ransomware use and data breaches. Against Australian healthcare providers, the use of ransomware doubled.
“The latest ASD cyber threat report shows that while awareness and investment have improved, the tradecraft of malicious actors is evolving more rapidly, powered by automation, AI and speed,” Shaghaghi says. “The biggest shift isn’t the arrival of new, complex ‘zero-day’ exploits. It’s the industrialisation of simple attacks.
“Basic techniques like phishing, credential theft and social engineering are now supercharged by AI tools that personalise scams, generate convincing messages and operate at scale. In effect, AI has lowered the barrier to entry for cybercrime. The Qantas leak illustrates this perfectly: the attack was not technically complex. It relied on social engineering a third-party provider. But it was devastating in scale once customer data reached the dark web.”
Shaghaghi paints a picture of defensive capabilities always playing catch-up to ever-accelerating threats. In 2023/24, the number of exploitable vulnerabilities found in software increased nearly 30 per cent – and these were being exploited within hours of their public disclosure. “While Australia’s awareness has grown,” he says, “our collective resilience still lags the pace of threat evolution.”
This week’s annual threat report is significant for continuing a relatively recent policy of explicitly naming foreign adversaries. References to China and Russia recur throughout the report, whereas in the recent past they would have been concealed behind the diplomatic vagueness of unnamed “state actors”.
In July last year, the ACSC released a public advisory about the tradecraft of the Chinese state-sponsored group Advanced Persistent Threat 40 (APT40). This was the first time the Australian government had explicitly attributed malicious cyber activity to China.
Such public disclosure of foreign tradecraft is now preferred to discretion, so that the detailing of foreign tradecraft might better help “network defenders” against it. “APT40 regularly conducts malicious activities against Australian and regional networks that possess information of value to the PRC [People’s Republic of China],” the threat report said. “These activities represent a security threat to many government and critical infrastructure networks.”
The ACSC’s report was also fascinating – or alarming – for its reference to the potential threats of quantum computing. There were four “big moves” the centre recommended for improving national cybersecurity. One of those was effectively managing third-party risk. Two others were ensuring best-practice event logging by network administrators and the replacement of legacy IT. The last was preparation for post-quantum cryptography (PQC).
Currently, quantum computers aren’t sufficiently powerful to break contemporary encryption. There is an assumption that one day soon – perhaps in five years, perhaps in 20 – they will be. This will render all current encryption algorithms obsolete. Such a moment is referred to as Q-Day, and there’s a race to design post-quantum cryptography.
Another assumption is that adversaries will now commit to a “harvest now, decrypt later” strategy – stealing hoards of data today that they might conceivably decrypt in a post-quantum future. “For information that needs to remain secret for years – for example, medical data, defence communications or government archives – the risk is already live,” Shaghaghi says. “It’s not tomorrow’s panic, it’s today’s planning problem … Globally, the shift toward [post-quantum cryptography] is already under way. The US National Institute of Standards and Technology has finalised its first suite of quantum-resistant algorithms. A critical milestone that gives governments and industry a clear technical standard to begin migration.”
The ACSC is recommending that organisations begin planning their transition now, aiming for the adoption of post-quantum algorithms by 2030. This seems ambitious given Australian government entities themselves – who are expected to be “cyber exemplars” in the words of its 2023 national cybersecurity strategy – are routinely found by national audits to lack cybersecurity “maturity”. In 2022/23, 31 per cent of cybersecurity incidents reported to the Australian Signals Directorate were from government entities. The directorate’s posture report from 2023 acknowledged “overall maturity level” across all entities remained low.
The Australian National Audit Office, which tests government entities for compliance against the directorate’s “Essential Eight” risk mitigation strategies, frequently finds imperfect compliance and “low levels of cyber resilience”.
It is in this imperfect environment that the transition to post-quantum cryptography must occur, something Shaghaghi describes as one of the most complex and expensive technological shifts in decades. “This isn’t a software patch – it’s a fundamental rebuild of global digital infrastructure,” he says. “PQC algorithms behave very differently from today’s encryption. They use larger keys and signatures, which affect everything from network bandwidth to processing power and storage. Many existing systems, especially legacy IT and embedded devices, will struggle to handle the new cryptography.
“Because the migration could take five to 10 years, and we don’t know exactly when Q-Day will arrive, planning must start now. Waiting until quantum computers are here would be far too late. By then, sensitive data harvested today could already be decrypted.”
This article was first published in the print edition of The Saturday Paper on October 18, 2025 as "Trick or threat".