A recent Qantas data breach compromising the personal information of 5.7 million customers has highlighted the ongoing cybersecurity risk that third-party service providers pose to enterprises. The incident, which took place in June, exposed data such as names, dates of birth, phone numbers, email addresses and details from customers’ Qantas Frequent Flyer loyalty scheme accounts. Financial information, passport details and passwords were not affected.
But rather than breaching the Australian airline’s internal IT systems, the perpetrators behind the breach stole this information by tricking a third-party, offshore contact centre into thinking they were Qantas employees needing to reset multi-factor authentication information. After this crucial security information was changed, the hackers gained unauthorised access to an outsourced cloud platform containing Qantas customer databases.
It’s believed that cybercrime group Scattered Spider, whose hackers are dispersed across the US and UK, was behind the hack. The FBI has since warned that the group is increasingly launching social engineering attacks on global airlines. This comes as research from cyber insurer Cowbell shows that software supply chain attacks have increased by 431% in the past four years. With this in mind, what can firms do to secure their supply chains and prevent incidents like the Qantas breach?
Important Lessons To Learn
One of the biggest lessons from the Qantas cyber breach is that even though multi-factor authentication is designed to act as an additional layer of security, making it harder for cybercriminals to hack into accounts, it’s not completely impenetrable. That’s according to Jake Moore, global cybersecurity advisor at antivirus maker ESET, who says nefarious humans are capable of hacking “even the best defences”.
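The attack path described above (a support-channel MFA reset at a third party, followed by a login to a cloud platform from somewhere the account had never been seen) leaves a recognisable trace in identity and access logs. The following is an added example, not code from Qantas, its vendor or any product named in this article: a small correlation rule that flags a helpdesk-initiated MFA reset followed within 24 hours by a successful login from a previously unseen IP, and then lists any sensitive actions that account took afterwards. The JSON event format, field names (`mfa_reset`, `actor`, `bulk_export`) and the log lines themselves are constructed assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events; they do not come from Qantas, the contact centre
# or any real identity platform. One JSON object per line, as many IdPs emit.
SAMPLE_LOG = """
{"ts": "2025-06-28T09:00:00Z", "event": "login", "user": "agent.smith", "ip": "203.0.113.10", "result": "success"}
{"ts": "2025-06-29T08:00:00Z", "event": "login", "user": "jane.doe", "ip": "203.0.113.11", "result": "success"}
{"ts": "2025-06-30T10:00:00Z", "event": "mfa_reset", "user": "jane.doe", "actor": "self-service", "channel": "web"}
{"ts": "2025-06-30T10:05:00Z", "event": "login", "user": "jane.doe", "ip": "203.0.113.11", "result": "success"}
{"ts": "2025-06-30T14:02:00Z", "event": "mfa_reset", "user": "agent.smith", "actor": "helpdesk:vendor-cc", "channel": "phone"}
{"ts": "2025-06-30T14:20:00Z", "event": "login", "user": "agent.smith", "ip": "198.51.100.77", "result": "success"}
{"ts": "2025-06-30T14:25:00Z", "event": "bulk_export", "user": "agent.smith", "records": 250000}
"""

WINDOW = timedelta(hours=24)
# Actions worth surfacing if they follow a suspicious reset (assumed event names).
SENSITIVE = {"bulk_export", "role_change", "api_key_created"}


def parse_events(text):
    """Parse newline-delimited JSON events and sort them chronologically."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=WINDOW):
    """Alert when a helpdesk-initiated MFA reset is followed within `window`
    by a successful login from an IP the user had never logged in from before."""
    alerts = []
    known_ips = {}  # user -> IPs seen on earlier successful logins
    pending = {}    # user -> most recent helpdesk reset awaiting a login
    for e in events:
        user = e["user"]
        if e["event"] == "mfa_reset":
            if e.get("actor", "").startswith("helpdesk:"):
                pending[user] = e
            else:
                # Self-service resets are authenticated by the user; not in scope here.
                pending.pop(user, None)
        elif e["event"] == "login" and e.get("result") == "success":
            reset = pending.get(user)
            if reset is not None:
                age = e["ts"] - reset["ts"]
                if age > window:
                    pending.pop(user, None)  # reset too old to correlate
                elif e["ip"] not in known_ips.get(user, set()):
                    alerts.append({
                        "user": user,
                        "reset_by": reset["actor"],
                        "reset_at": reset["ts"].isoformat(),
                        "login_ip": e["ip"],
                        "minutes_after_reset": int(age.total_seconds() // 60),
                    })
                    pending.pop(user, None)
            known_ips.setdefault(user, set()).add(e["ip"])
    return alerts


def attach_followup(alerts, events, window=WINDOW):
    """Add the sensitive actions each flagged account performed after its reset."""
    for a in alerts:
        start = datetime.fromisoformat(a["reset_at"])
        a["followup"] = [
            e["event"] for e in events
            if e["user"] == a["user"] and e["event"] in SENSITIVE
            and start < e["ts"] <= start + window
        ]
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse_events(log_text)
    return attach_followup(find_suspicious_resets(events), events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, indent=2))
```

The rule deliberately treats the reset channel as the key signal: a reset performed by a support agent on behalf of a caller is exactly the step the article says was abused, so it is worth a higher-fidelity alert than a self-service reset. In a real deployment the "known IP" baseline would come from weeks of history rather than the handful of events shown here, and the window would be tuned to how quickly legitimate users re-enrol after a reset.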
A second lesson from Moore is that businesses should realise their supply chains hold “inevitable weaknesses” that are easy for hackers to exploit, like simply impersonating genuine employees, and that can “take out a great deal in their wake”.
This sentiment is echoed by Vijay Dilwale, principal consultant at application security software provider Black Duck. He argues that even if companies have robust cyber protections in place, they are essentially useless if the vendors upon which businesses rely don’t pay the same level of attention to cybersecurity. He tells ISMS.online: “Qantas’ core systems weren’t breached, but millions of records still ended up in the wrong hands because of a gap at a third party.”
When personal information is breached in this way, Dilwale says it can result in “serious” ramifications for businesses. These include eroded customer trust, regulatory fines, and news articles that place blame on both the company and the vendor, even if the former is not at fault. He adds: “In today’s digital world, the traditional perimeter doesn’t really exist. Every supplier, every outsourcer, every SaaS platform is part of your attack surface.”
Compliance Implications
Given that enhanced cybersecurity protections, such as MFA, alone aren’t enough to protect organisations from devastating data leaks while supply chain attacks continue to grow, organisations clearly need to do more.
For Dilwale of Black Duck, that means treating vendor risk assessment as an ongoing exercise rather than a single tick-box activity when onboarding new suppliers. Along with carefully vetting third-party service providers, he says organisations must continuously monitor the cyber risks vendors pose and stipulate that vendors take cybersecurity seriously in formal contracts. In these, organisations should get suppliers to agree to cybersecurity audits and incident notifications.
But these efforts aren’t just about saving face; they are also a regulatory obligation. Dilwale explains that, in Australia, the Australian Privacy Principles compel companies to report any type of cyber breach. Meanwhile, industry standards such as ISO 27001 underscore the importance of supply chain risk management. He adds: “The message is clear: oversight of your vendors isn’t optional anymore.”
When it comes to managing these risks, Dilwale recommends that organisations adopt an Information Security Management System (ISMS), as it’ll allow them to monitor and identify supply chain vulnerabilities throughout every stage of a supplier relationship, from onboarding to offboarding.
“You can make sure audits aren’t just scheduled but actually followed up with remediation. You can build a complete picture of your extended supply chain, so you don’t miss those fourth-party connections,” he says. “And you can include vendors in your incident response drills so when something goes wrong, you already know how to respond together.”
In addition to using an ISMS, Michael Tigges, senior security operations analyst at enterprise cybersecurity platform Huntress, urges organisations to develop dedicated frameworks using standards like ISO 27001, monitor and audit their suppliers regularly as part of “clear” service-level agreements, be transparent about the movement of data and invest in detection and response systems.
Other Steps
Vendor health checks are another crucial step in eliminating supply chain security risks, according to Tigges of Huntress. They should cover areas such as adequate access controls, multi-factor authentication, incident logs, and incident simulations.
As part of these efforts, he encourages companies to conduct tabletop cybersecurity exercises, in which they walk through a realistic simulated cyberattack and assess how their team responds, in order to identify and close security gaps. Third-party vendors can also be included in these.
Tigges also stresses the importance of effective stakeholder management. He tells ISMS.online: “Start by having realistic conversations: what do we hope to achieve here, what risks can we tolerate, and where can we shore up our defences in other ways to help mitigate that risk?”
Ross Brewer, vice president of EMEA at log management and security analytics firm Graylog, agrees that organisations should factor supply chain risks into their cybersecurity drills. Doing so will allow them to “test detection, escalation and response” procedures within their organisation.
Looking Ahead
With supply chain cyber attacks showing no signs of slowing down, Moore of ESET believes that organisations will have no choice but to make vendor security assessments a vital part of their governance posture going forward. This means treating third-party suppliers “as an extension of the organisation” with the “same accountability” to ensure survival in a fast-evolving regulatory landscape.
Because so many businesses now outsource different parts of their organisations to third-party suppliers, Dilwale of Black Duck says they need to view the security posture of vendors with the same level of importance as their own. He continues: “Supply chain security can’t be bolted on as an afterthought; it has to be baked into governance as accountability and compliance are core requirements of doing business.”
In the long term, Tigges of Huntress says businesses and their vendors will need to be “transparent and cohesive” in their cybersecurity and data management practices due to the sensitivity of the information being shared. He concludes: “Organisational reputation and individual data are at stake, and all individuals handling that data are stakeholders in this process.”
Although the Qantas cyber breach wasn’t due to cybersecurity negligence on the part of the Australian airline, the incident could have been prevented if the airline had stronger supply chain security practices in place. For other organisations, it provides a valuable lesson: that the security of your vendors is just as important as your own. That should be reinforced in comprehensive vendor contracts, regular supply chain health checks and cybersecurity drills that take into account supply chain security risks.