Qantas breach highlights growing threat of social engineering attacks

Privacy watchdog warns of rising impersonation-based cyber breaches


Australia’s privacy regulator has warned that data breaches involving impersonation and deception – known as social engineering – are increasing, following a recent incident involving Qantas.

The airline confirmed this week that personal information belonging to millions of customers may have been accessed through a third-party service provider.

Qantas said its internal systems were not directly compromised, but attackers gained access to customer data via a system operated by an external contact centre partner. The breach has prompted the airline to implement tighter access restrictions and enhance security monitoring.

Tactics involve impersonating staff to bypass security

While the party responsible for the breach has not been confirmed, security analysts have noted similarities with previous attacks carried out by the group known as Scattered Spider.

This group has previously targeted airlines by using “vishing” – a tactic involving phone calls to IT support lines where attackers impersonate employees to obtain login credentials or reset access.

The Office of the Australian Information Commissioner (OAIC) warned that 28% of malicious breaches in the period covering the second half of 2024 involved social engineering.

Government agencies experienced the highest number of incidents in this category, representing a 46% increase from the previous six months.

Tony Burke, Minister for Cyber Security, said he had been briefed on the Qantas breach but did not confirm any link to known threat actors.

“The reality is with these networks, they’ll go where they can find vulnerability,” he said, as reported by The Guardian.

Cyber risk rises on executive agendas

A global survey conducted by Beazley in its 2025 Risk & Resilience report showed a growing concern among business leaders regarding cyber threats.

Nearly 30% of respondents listed cyber risk as their primary concern – an increase from 26% in 2024.

However, 83% of respondents also indicated they feel equipped to respond to these risks.

The report suggested that while confidence levels have grown, the pace of threat evolution – particularly in areas such as AI-driven attacks, data theft, and geopolitical cyber activity – may outstrip current preparedness efforts.

Key risk areas cited include third-party vulnerabilities and attacks driven by ideological motives.

To improve resilience, 79% of surveyed companies plan to engage more with cybersecurity vendors, while 37% will increase investment in internal defences.

However, regulatory pressures and operational complexities continue to pose challenges to implementation.

Shareholder impact tied to cyber events, Aon says

In a separate report, Aon highlighted the financial impact of cyber incidents that lead to reputational damage.

The 2025 Cyber Risk Report found that organisations experiencing public fallout from cyber attacks saw an average decline of 27% in shareholder value – up from 9% in a similar analysis from 2023.

Aon’s research, based on more than 1,400 incidents globally, linked reputational harm to extended recovery periods and loss of investor confidence.

The report reinforces the growing concern that data breaches can affect not just operations, but also long-term financial performance.
