The recent breach that exposed the personal information of over six million Qantas customers has left many Australian businesses wondering: could it happen to us?
Events like this are unsettling, but they’re also a timely reminder that good cyber security isn’t about panic or knee-jerk reactions. It’s about sensible, everyday actions done well.
Recent figures from the Office of the Australian Information Commissioner (OAIC) show that data breaches rose by 25% last year alone, with nearly 70% caused by malicious or criminal attacks — and much of the rest down to simple human error.
The reality is, even if your own systems are secure, a single weak link in your supply chain can expose you. The Qantas incident shows how attackers use sophisticated social engineering like phishing to bypass even the best technical controls.
So, what practical steps should Australian businesses take now to protect themselves and their customers?
What businesses should do after the Qantas hack
1. Read the Australian Privacy Principles (APPs)
You don’t need a lawyer to get started: the APPs are written to be accessible. If you collect and store personal data, these principles are your baseline for doing it safely and legally.
2. Audit what data you actually need
Did you know some breaches expose data from customers who left years ago? Regularly delete old data you no longer need: less data means less risk.
3. Tighten up access controls
When was the last time you checked who has access? About 1 in 10 Active Directory accounts are stale but active: perfect targets for attackers.
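As an added example (not from the original article), the check below lists enabled Active Directory user accounts that show no logon in a chosen window, so you can review them before they are abused. It assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and a 90-day threshold and output path that are placeholders for your own policy.

```powershell
# Added example: find enabled AD user accounts with no recent logon.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
# $InactiveDays and $ReportPath are assumed defaults; adjust to your policy.
param(
    [int]$InactiveDays = 90,
    [string]$ReportPath = ".\stale-enabled-accounts.csv"
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
# which can lag a real logon by up to 14 days, so treat the output as a list
# of candidates to review with the account owner, not as proof of non-use.
$stale = @(Get-ADUser -Filter { Enabled -eq $true } `
        -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
    Where-Object {
        # Never logged on, and old enough that "new starter" is not the reason
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
        # Has logged on, but not inside the window
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
    } |
    Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet,
        whenCreated, Description, DistinguishedName |
    Sort-Object LastLogonDate)

$total = @(Get-ADUser -Filter { Enabled -eq $true }).Count

# Write the review list; reviewers should disable confirmed stale accounts
# first and delete only after a retention period, so access can be restored
# if an account turns out to be in use (service accounts are a common case).
$stale | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} of {1} enabled user accounts ({2:P1}) show no logon in the last {3} days." -f `
    $stale.Count, $total, ($stale.Count / [math]::Max($total, 1)), $InactiveDays)
Write-Host "Review list written to $ReportPath"
```

Run it from a workstation with RSAT as a domain user with read rights; scheduling it monthly turns the one-off check into the regular access review the article recommends.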
4. Move towards Zero Trust
Zero Trust means nobody automatically gets full access: not even employees inside the network. With so many people working remotely, assuming the network is safe is no longer realistic.
5. Test your multi-factor authentication (MFA)
MFA stops a lot of attacks, but it can be a loophole if not set up properly. Adding a new device should require confirmation through a separate, verified channel. That’s the gold standard.
6. Strengthen help desk identity checks
Help desks are common targets for social engineering. Move beyond just asking for a birth date or employee number: implement callback protocols and multi-step verification.
7. Train staff to spot urgency tactics
Phishing works because people panic when they feel pressured. Train staff to pause, verify, and stick to the process, no matter how ‘urgent’ a request seems.
8. Run regular social engineering drills
Test how your team responds to fake phishing calls and emails. People learn best when they practise. It’s cheaper to find out now than in a real attack.
9. Hold vendors to your standards
If you hold yourself to ISO 27001 or another security framework, your vendors should too. If a third party can access your data, they must meet the same standards you do, with regular checks.
10. Understand overseas software risks
Many business tools are built offshore and may be subject to foreign government access. It’s not always obvious, but data sovereignty and privacy laws matter. Know what you’re signing up for.
Cyber security isn’t just a technology problem: it’s about people, processes and practical habits. Australian businesses have a legal and moral duty to protect customer data, and that’s not something you can outsource and forget.
Get in touch with Airteam
At Airteam, we help Australian organisations simplify complex challenges, including security. If your software, systems or tech stack needs a second look, we can help you prioritise what to tackle first and how. Whether it’s a health check, a roadmap, or a rebuild, get in touch via our contact form here or email us at hello@airteam.com.au and let’s make security part of the process, not just a reaction.