Qantas Data Breach Explained: Third Party Risk, Social Engineering, and GRC Lessons
A breakdown of the 2025 Qantas data breach that exposed 5.7 million customer records through a third-party vendor. Learn how social engineering, weak vendor oversight, and delayed trust controls created the perfect storm and what it means for GRC, cybersecurity behavior, and risk management today.
CASE STUDIES
Joshua Clarke
7/22/2025, 2 min read


Why Third Party Risk Is Everyone’s Problem: A Look at the Qantas Breach
In July 2025, Qantas, Australia’s national airline, reported a breach affecting over 5.7 million customers. The source wasn’t Qantas’ own internal systems. Instead, it came through a third party vendor, a contracted call center that was compromised by a known threat group. This case offers a sharp reminder of something we often overlook: an organization’s cybersecurity is only as strong as the least protected part of its ecosystem.
This post breaks down what happened, what it reveals about organizational trust and vendor risk, and what we can learn from it.
What Happened?
On June 30, 2025, Qantas detected unusual activity linked to a third party call center handling customer service. By July 2, the breach was confirmed. An attacker, likely affiliated with the group Scattered Spider, had accessed sensitive customer information including names, birth dates, frequent flyer numbers, email addresses, and even meal preferences.
The attackers used social engineering tactics, including phone-based pretexting, to manipulate call center agents into exposing access pathways. Once inside, they exfiltrated large datasets that later appeared on the dark web.
Why It Matters
This incident highlights three critical areas that matter for Governance, Risk, and Compliance:
Third Party Risk
Vendors can be the weakest link. Even with strong internal controls, if external partners lack the same standards, the organization stays exposed. Third party risk assessments must be more than a checkbox. They need to be rigorous, recurring, and enforceable through contracts and monitoring.
Behavior and Social Engineering
This wasn’t a technical exploit. It was a behavioral one. The attacker didn’t need to break through a firewall. They just needed someone to believe the right story. Social engineering tactics work because they play on trust, urgency, and confusion. Training must go beyond phishing simulations. It should include real world examples and emotional cues.
Transparency and Response
Qantas reported the breach quickly and began notifying affected customers in phases. They also sought legal measures to prevent the spread of stolen data. This shows a degree of maturity in their response, although questions remain about their vendor oversight leading up to the breach.
Lessons for GRC Teams
If your role involves governance, security, or compliance, this case offers some clear takeaways:
Audit your vendors. Not just at onboarding, but regularly. Include behavioral security in your due diligence.
Define minimum security standards in contracts. Enforce them with regular reporting and spot checks.
Invest in social engineering awareness. Make security a cultural habit, not a compliance task.
Plan for breach transparency. A quick, clear response builds trust. Delays erode it.
A Behavioral Lens
One reason this case resonates is that it’s about people. Someone on the phone believed something that wasn’t true. That’s not just a technical error. It’s a design flaw in how we think about people and systems.
Security fails when we assume people are the problem. It succeeds when we assume people are part of the system, and we build processes that anticipate real behavior, not ideal behavior.
Final Thoughts
Incidents like the Qantas breach aren’t isolated. They are part of a pattern we see across industries. Trust is extended to vendors. Vendors become targets. Attackers exploit the human element. Data is stolen and reputations take a hit.
The GRC response isn’t just to harden systems. It is to create structures that make trust measurable, human behavior manageable, and risk visible.
© 2025. All rights reserved.