Beyond Qantas’ data leak, Australian finance companies are also at risk of offshore hacks

Australians are once again being warned to tighten their online security and be extra alert to scammers, after up to 5.7 million Qantas customers’ personal details^[1] – including phone numbers and birthdays – were leaked to the dark web^[2] on Sunday.

Cyber crime supergroup Scattered Lapsus$ Hunters accessed the data^[3] back in June by convincing a Manila-based call centre operator^[4] to give the hackers access to their Salesforce system.

On Monday, federal Cyber Security Minister Tony Burke said^[5]: “You can’t simply outsource to other companies and think suddenly you’ve got no obligations on cyber security… There are very serious penalties.”

But what are those potential penalties for Qantas? And why is a corporate watchdog warning about even more serious data theft risks when Australian finance companies outsource their work overseas?

What penalties could Qantas face?

Law firm Maurice Blackburn has lodged a complaint^[6] over the Qantas data breach with Australia’s independent privacy regulator – the Office of the Information Commissioner – alleging the airline breached privacy laws by failing to adequately protect customer information.

When asked by the ABC, the commissioner’s office wouldn’t comment^[7] on whether Qantas would be fined over this latest breach.

So how much is the maximum fine for breaches like this?

Under the Privacy Act, serious or repeated privacy breaches can now incur fines^[8] of up to A$50 million^[9] or 30% of a company’s adjusted turnover during the period of the breach – whichever is greater.

This Qantas data breach is less serious than those that hit Optus^[10] and Medibank^[11] in 2022. For instance, hackers shared Medibank customers’ highly sensitive medical history data, and stole valuable identity document data, including credit card, passport and driver’s licence details. That matter is still before the courts.

While the Qantas data was still sensitive – including customers’ dates of birth, phone numbers, addresses, emails and frequent flyer numbers – it presents less of a risk for individual customers.

Besides penalties under the Privacy Act, Qantas also faces a potential class action^[12], which affected Qantas customers can join.

Another potential outcome for Qantas could be a court-ordered payment scheme, in which individuals affected by the breach may be eventually entitled to compensation from Qantas.

We saw a similar arrangement^[13] for Facebook users affected by the Cambridge Analytica data breach a decade ago.

What are the rules for companies sharing your data overseas?

The Australian Privacy Act has specific provisions^[14] covering how companies handle your data when they send it overseas.

Importantly, when an Australian company gives your data to an offshore entity, the Australian company remains accountable for ensuring your data is kept safe.

This is why it’s important for Australian companies to consider carefully the potential risks of sending Australians’ data overseas.

These risks should be front of mind for Qantas, which in 2024 suffered a much smaller data breach^[15] due to alleged misbehaviour of overseas contractors.

However, these risks extend well beyond flagship companies such as Qantas.

Warnings over even more sensitive data

The Australian Securities and Investments Commission (ASIC) regulates Australian markets and financial services companies. Only days ago, it warned^[16] of “governance gaps” when financial services companies outsource work overseas – and potentially put Australians’ sensitive data at risk.

This year, ASIC has taken separate court action against Fortnum Private Wealth^[17] and FIIG Securities^[18], alleging they failed to manage cybersecurity risks affecting thousands of customers.

In FIIG’s case, ASIC alleges^[19] a hacker was able to steal sensitive data including passport, bank account and tax file numbers. Those court cases are yet to be heard.

The finance sector – including banks, financial advisors and superannuation funds – consistently reports^[20] the third highest number of data breaches, after the health sector and government.

What we all need to do next

As individuals, we have relatively little control over how Australian companies handle our data, let alone the overseas companies they work with. But we can all do more to make ourselves more secure.

Be on scam watch: given how many Australians were exposed in the Qantas breach, be on the lookout now^[21] for scammers.

History suggests scammers target data breach victims, or people who think they may have been impacted by a data breach. If you receive a message you suspect is a scam, don’t respond – report it to Scamwatch^[22].

Practise good “cyber hygiene”: avoid using the same password on multiple websites. Instead, use a password manager^[23] that saves your passwords across your computer and mobile phone.

That way, if your data is breached at Company A, it has less chance of impacting your security with Company B.

Companies need to step up too: Australian company executives would do well to ensure their governance, risk and compliance practices are up to scratch, especially on how they manage third-party risks^[24].

As consumers, we entrust our cyber security to all of the companies with whom we interact. Those companies, in turn, owe it to us to ensure the drive to maximise profits doesn’t come at the cost of leaving customers worse off.

References

1. ^{^} Qantas customers’ personal details (www.qantas.com)
2. ^{^} leaked to the dark web (www.abc.net.au)
3. ^{^} accessed the data (www.afr.com)
4. ^{^} Manila-based call centre operator (www.crikey.com.au)
5. ^{^} said (www.abc.net.au)
6. ^{^} lodged a complaint (www.mauriceblackburn.com.au)
7. ^{^} wouldn’t comment (www.abc.net.au)
8. ^{^} now incur fines (www.corrs.com.au)
9. ^{^} A$50 million (www.oaic.gov.au)
10. ^{^} Optus (theconversation.com)
11. ^{^} Medibank (theconversation.com)
12. ^{^} class action (www.mauriceblackburn.com.au)
13. ^{^} similar arrangement (www.oaic.gov.au)
14. ^{^} specific provisions (www.oaic.gov.au)
15. ^{^} much smaller data breach (www.theguardian.com)
16. ^{^} warned (www.asic.gov.au)
17. ^{^} Fortnum Private Wealth (www.asic.gov.au)
18. ^{^} FIIG Securities (www.asic.gov.au)
19. ^{^} ASIC alleges (www.asic.gov.au)
20. ^{^} reports (www.oaic.gov.au)
21. ^{^} on the lookout now (www.abc.net.au)
22. ^{^} Scamwatch (www.scamwatch.gov.au)
23. ^{^} password manager (www.cyber.gov.au)
24. ^{^} third-party risks (www.aicd.com.au)