
Qantas Data Breach - What/Why/How?

Updated: Jul 25

Qantas, one of Australia’s major airlines, is currently dealing with a data breach at one of its contact centres, affecting the data of 6 million customers. We understand these situations are stressful for all involved. We wish the impacted company and its partners the best (and are ready to assist if needed 💙 )


Quick recap of the situation:


🔍 WHAT?


Scattered Spider, a sophisticated threat group, has evolved from simple phishing attacks into full-scale, hands-on-keyboard ransomware operations. They’re known for targeting IT service desks, bypassing MFA and gaining elevated access, and often go after telecom, tech, and critical services providers, especially those relying on third-party support teams.



❓ WHY DOES IT MATTER?


This isn’t an average phishing campaign. Scattered Spider is now:


  • Actively calling help desks, impersonating users to reset credentials

  • Bypassing MFA through social engineering, then deploying tools like remote management software, Sliver C2, and even BitLocker for extortion

  • Often going unnoticed without mature detection and response measures in place


In short, they’re combining technical skill with aggressive social engineering, exploiting human and procedural weaknesses just as much as technical ones.



🛠️ HOW SHOULD YOU RESPOND?


As a vCISO consultancy, we’re advising our clients, in light of this event, to:


  • Review help desk procedures: No password resets or MFA re-enrolments without strict verification

  • Tighten remote access controls: Disable unused remote management tools, enforce strict whitelisting

  • Run a threat simulation: Test your company's response to helpdesk impersonation scenarios

  • Harden identity systems: Enforce phishing-resistant MFA where possible
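The help desk advice above has a detection counterpart: the sequence "help-desk password reset, then a new MFA method, then a login from an unfamiliar device" inside a short window is the footprint this kind of impersonation leaves in identity-provider audit logs. The following is an added example (not code from the original post or from any vendor); the event field names and the sample events are assumptions constructed for illustration.

```python
"""Flag the help-desk takeover sequence (reset -> MFA re-enrolment -> new-device login)
in identity-provider audit events. Field names are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit events, not real Qantas or incident data.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:02:00", "actor": "helpdesk.agent1", "user": "j.doe",
     "action": "password_reset", "detail": "ticket HD-0001"},
    {"ts": "2025-07-01T09:06:00", "actor": "j.doe", "user": "j.doe",
     "action": "mfa_method_added", "detail": "authenticator app"},
    {"ts": "2025-07-01T09:09:00", "actor": "j.doe", "user": "j.doe",
     "action": "login", "detail": "new device; ip=203.0.113.8"},
    {"ts": "2025-07-01T11:30:00", "actor": "helpdesk.agent2", "user": "a.smith",
     "action": "password_reset", "detail": "ticket HD-0002"},
    {"ts": "2025-07-02T14:00:00", "actor": "a.smith", "user": "a.smith",
     "action": "login", "detail": "known device"},
    {"ts": "2025-07-03T08:00:00", "actor": "helpdesk.agent1", "user": "m.lee",
     "action": "password_reset", "detail": "ticket HD-0003"},
    {"ts": "2025-07-03T08:20:00", "actor": "m.lee", "user": "m.lee",
     "action": "mfa_method_added", "detail": "SMS"},
]

WINDOW = timedelta(hours=1)  # how soon after the reset the follow-on steps must occur


def detect_helpdesk_takeover(events, window=WINDOW):
    """One finding per help-desk reset followed within `window` by an MFA method change;
    severity 'high' if a new-device login also falls in the window, else 'medium'."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])  # ISO-8601 strings sort chronologically
        for i, e in enumerate(evs):
            # Self-service resets (actor == user) are not the help-desk impersonation pattern.
            if e["action"] != "password_reset" or e["actor"] == user:
                continue
            reset_at = datetime.fromisoformat(e["ts"])
            followers = [f for f in evs[i + 1:]
                         if datetime.fromisoformat(f["ts"]) - reset_at <= window]
            mfa_changed = any(f["action"] == "mfa_method_added" for f in followers)
            new_device = any(f["action"] == "login" and "new device" in f.get("detail", "")
                             for f in followers)
            if mfa_changed:
                findings.append({"user": user, "reset_by": e["actor"], "reset_at": e["ts"],
                                 "severity": "high" if new_device else "medium"})
    return findings
```

Run against the constructed sample, the rule flags j.doe as high (all three steps within seven minutes) and m.lee as medium (MFA re-enrolment with no new-device login), while a.smith's reset is not flagged because nothing follows it within the window.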



💡 Final thought


Scattered Spider isn’t just a technical threat; it’s another reminder to close the human and procedural gaps in security programs.


If you’re unsure how prepared your organisation is, let’s talk. A threat readiness session now could save weeks of cleanup later.

