Data Breaches Are the New Normal – Complacency Is the Real Crisis 

By Rob Vann, Cyberfort CSO


When a company like Qantas, an airline synonymous with safety, suffers a high-profile data breach, the message is loud and clear: no brand is untouchable, and no data is sacred. But here’s the real problem: we’re still treating breaches as anomalies. They’re not. Breaches are now a guarantee, and the only variable left is how well or how catastrophically you respond. 

The Qantas breach wasn’t just a failure of security; it was a failure of imagination, of preparation and resilience. If businesses don’t wake up now, they won’t just lose customer trust, they’ll lose relevance. This is your blueprint for what to do when, not if, your defences fail, and how to ensure your organisation doesn’t become the next cautionary headline. 

Step one: Panic smart – not fast 

When the breach hits, most companies do the same thing: go silent, scramble internally, and throw together a press statement that says, “We take your privacy seriously.” 

Stop. That’s PR autopilot, and attackers are counting on it. 

What you need is speed with clarity. Assemble your breach response team (legal, security, comms, compliance) and ask the hard questions: 

• What exactly was accessed? 
• How long has it been going on? 
• Is the attacker still inside? 

The longer you pretend it’s “under investigation,” the more trust you lose. Transparency isn’t just a legal risk, it’s a strategic advantage. 

Consumers don’t wait to be told 

If you’re a Qantas customer (or one of the millions watching nervously), don’t sit around for confirmation. Assume compromise until proven otherwise. Cybercriminals won’t wait for your email to arrive; they’ll be monetising your data by tomorrow. 

Verify the breach – don’t fall for the follow-up scam 

Ironically, the breach itself often triggers a second wave of fraud. Phishing emails pretending to be from Qantas will flood inboxes, asking you to “verify your account” or “reset your details.” Never click on email links after a breach. Go directly to the company’s website or app. Trust your paranoia; it might save your identity. 

Check if you’ve been exposed – and act accordingly 

Not all data breaches are created equal. A leaked email is annoying. A leaked passport number? That’s catastrophic. 

  • Use monitoring tools like HaveIBeenPwned or sign up for dark web scanning through your bank or a cybersecurity provider. 
  • For loyalty and travel accounts, scrutinise redemption histories and account logins. Flag anything out of pattern. 
  • If ID documents were leaked, report them immediately and request replacements or fraud alerts with the relevant authorities. 

The attackers won’t give you time to think. Don’t give them time to act. 

Password resetting isn’t optional. It’s urgent. 

Still using the same password you created in 2012? Then you’re part of the problem. 

Qantas frequent flyer accounts are a prime target because people reuse those passwords everywhere – banking, email, e-commerce. One breach becomes many. 

Your new password rulebook: 

  • Unique for every site. 
  • Long (at least 12 characters). 
  • Random (not “Qantas123!” or your child’s name). 
  • Managed with a password manager. You don’t have to remember 100 passwords – you just need to remember one good one. 

Weak passwords don’t get guessed, they get cracked by bots running billions of combinations in seconds. If you’re still relying on “clever” variations, you’re already compromised. 

Two-factor authentication isn’t a luxury. It’s a minimum requirement 

Two-Factor Authentication (2FA) is one of the simplest, most effective ways to stop account takeovers. So why aren’t more people using it? 

Excuses like “it’s annoying” or “I don’t want to install another app” don’t hold up when your identity is at risk. 

Here’s what to do: 

  • Enable 2FA on every account that offers it—especially loyalty programmes, email, and banking. 
  • Use an authenticator app (like Microsoft or Google Authenticator), NOT SMS, which is easier to hijack. 
  • Never share or screenshot your authentication codes. They’re like handing out keys to your digital kingdom. 

Shop and travel smarter: Assume you’re being watched 

Cybercriminals love predictable behaviours. Travel is full of them. 

  • People use unsecured Wi-Fi in airports and hotels. 
  • They receive dozens of emails from travel brands. 
  • They’re often distracted, tired, or rushed – perfect conditions for phishing. 

Consumer Tips:
– Don’t shop or log in to sensitive accounts over public Wi-Fi unless you’re using a VPN. 
– Never use the same email/password combo across shopping and travel sites. 
– Use disposable or virtual cards when booking trips or buying online. 
– Set up bank alerts for any purchase or login activity. 
– Treat every digital interaction while travelling like it’s under surveillance—because it probably is. 

For businesses: prevention is dead. Resilience is everything. 

Still thinking cyber “won’t happen to us”? Ask Qantas. Ask MOVEit. Ask anyone who’s had to face the cameras and say, “We’re investigating the incident.” 

You don’t stop breaches with wishful thinking and legacy tools. You stop them with brutally honest assessments, relentless testing, and round-the-clock visibility. Three key steps all organisations should be taking in light of the Qantas breach: 

1. Penetration testing – Simulate the breach before the real one hits 

Static security reviews are useless in 2025. Attackers don’t use checklists, they use ingenuity. Your defences should be tested by people who think like them. 

Use red teams to run real-world attack simulations to expose your blind spots, from credential stuffing to insider threats. If your internal team always passes the test, it’s not a test. It’s theatre. 

2. Managed detection & response (MDR) – Eyes on everything, all the time 

Breaches don’t announce themselves. Without MDR, you might not know you’ve been hit until your data is on the dark web. Market-leading MDR platforms use AI to detect anomalies in real time, and expert analysts investigate alerts before they become incidents. Speed matters. Context matters more. If you’re relying on tools alone, you’re not covered, you’re exposed. 

3. Secure cloud backups – Because ransomware doesn’t negotiate 

When all else fails, your backup is your survival plan. But if it’s stored on the same network, with the same credentials, and hasn’t been tested in six months, you might as well not have one. 

A proper backup strategy includes: 

  • Isolated, encrypted cloud storage 
  • Automated versioning 
  • Disaster recovery plans that are rehearsed, not theoretical 

If your board doesn’t know your RTO (Recovery Time Objective), ask why they still have a seat at the table. 
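
The backup criteria above (isolated from production, separate credentials, encrypted, versioned, restore-tested within six months) can be checked mechanically. The following is an added example, not part of the original article; the inventory, field names and account names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed inventory for illustration; all names and fields are assumptions.
PRODUCTION = {"network": "corp-lan", "credential": "svc-domain-admin"}

BACKUPS = [
    {"name": "fileserver-nightly", "network": "corp-lan", "credential": "svc-domain-admin",
     "encrypted": True, "versioning": False, "last_restore_test": date(2024, 11, 2)},
    {"name": "erp-offsite", "network": "cloud-vault", "credential": "backup-only-role",
     "encrypted": True, "versioning": True, "last_restore_test": date(2025, 7, 15)},
    {"name": "mail-archive", "network": "cloud-vault", "credential": "backup-only-role",
     "encrypted": False, "versioning": True, "last_restore_test": None},
]

MAX_TEST_AGE = timedelta(days=183)  # "six months", as in the article


def audit_backup(job, production, today):
    """Return the list of findings for one backup job (empty list = passes)."""
    findings = []
    if job["network"] == production["network"]:
        findings.append("same network as production")
    if job["credential"] == production["credential"]:
        findings.append("shares production credentials")
    if not job["encrypted"]:
        findings.append("not encrypted")
    if not job["versioning"]:
        findings.append("no versioning")
    tested = job["last_restore_test"]
    if tested is None:
        findings.append("restore never tested")
    elif today - tested > MAX_TEST_AGE:
        findings.append(f"restore last tested {(today - tested).days} days ago")
    return findings


def audit_all(jobs, production, today):
    """Map job name -> findings, keeping only jobs that fail at least one check."""
    report = {j["name"]: audit_backup(j, production, today) for j in jobs}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_all(BACKUPS, PRODUCTION, date(2025, 9, 1)).items():
        print(f"{name}: " + "; ".join(findings))
```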

Final word: The real breach is the illusion of control 

Let’s stop pretending we can “prevent” all cyber-attacks. That ship has sailed. What separates survivors from casualties is preparedness, transparency, and relentless resilience. Qantas didn’t choose to be breached, but they did have a choice in how ready they were when it happened. 

For consumers – assume you’ve been compromised and act accordingly. For businesses – build breach response into your DNA. 

This isn’t about fear. It’s about facing reality. Cyberattacks are business attacks, and the cost of not evolving is far greater than the cost of change. 

Because in today’s world, data protection isn’t just a duty, it’s your credibility. 

Read the full September Edition of the Cyber Defense Magazine here: https://cyberdefensemagazine.tradepub.com/free/w_cyba180/prgm.cgi
