🟠 High  |  Source: The Register — Security


A tech support scam targeting a Qantas employee led to a data breach exposing the personal information of 5.7 million customers, making it one of Australia’s largest airline data incidents. The breach highlights how social engineering — rather than sophisticated technical exploits — remains a highly effective attack vector. Notably, despite the scale, Qantas reportedly did not breach Australian privacy rules, raising questions about the adequacy of existing data protection legislation.

Security Architect’s Take: Review your organisation’s privileged access controls and ensure customer-facing data stores are segmented with least-privilege access, so a single compromised support agent cannot access millions of records. Supplement technical controls with robust anti-impersonation policies and mandatory verification workflows for any support channel that can access PII at scale.

Original advisory: Tech support scam caused massive data breach at Australian airline Qantas