Qantas breach sparks calls for stricter data security laws
Qantas has confirmed a significant data breach after hackers accessed a third-party platform holding large volumes of customer information. The airline says the attack was contained, but a "significant amount of data" was likely stolen.
But the bigger story isn't the breach itself - it's the pattern.
The incident has sparked a new wave of criticism, not just about Qantas's own security posture, but about the broader systemic failure of Australian companies to properly govern the external vendors they rely on.
Despite repeated warnings and recent high-profile breaches, many large organisations continue to outsource critical data functions without rigorous oversight - effectively handing over sensitive customer data to vendors they can't fully control.
John Pane, Chair of Electronic Frontiers Australia, questioned whether Qantas ever performed a meaningful assessment of the third party involved.
"When will organisations like Qantas stop boasting about how 'trusted' they are and actually pay more attention to the security and safety of the personal data they collect?" he asked. He labelled the response a case of "privacy-washing" - marketing trust while failing to build it into systems and processes.
Pane also pointed the finger at government inaction. "When will the Australian government pass the necessary and long overdue reforms to Australia's Privacy Act?" he asked. "Once again, a 'trusted' Australian company suffers another massive data breach in the hands of a 'trusted' third party."
That trust, increasingly, looks misplaced.
Richard Taylor, managing director at Digital Balance, said the incident demonstrates that reliance on external vendors is becoming a liability.
"The Qantas breach highlights that the reliance on third-party providers for critical functions is a ticking time bomb," he said. While regulators now have sharper tools to penalise serious breaches, Taylor argued that penalties alone won't shift the underlying problem.
"You can't outsource accountability. To genuinely protect customer data and the bottom line, large corporations must bring vital services and the security that underpins them back in-house."
Ashwin Pal, Partner at RSM Australia, added that the breach should serve as a "wake-up call" to all industries - not just aviation.
"Regardless of size, industry, or influence, cyber-readiness must be a key business priority," he said. Internal compliance isn't enough, he warned, especially when vendors or supply chain partners are the weakest link. He urged companies to regularly stress-test third-party scenarios as part of any serious risk program.
The breach has reignited calls for stronger legislation, stricter oversight of supply chain partners, and a cultural shift away from box-ticking security compliance.
Experts warn that unless companies overhaul how they manage third-party risks - and unless government strengthens the laws that hold them accountable - Australians will continue to see their private data caught in the crossfire.