In the past few years, Qantas faced several high-profile security incidents involving insider threats and data breaches, highlighting critical vulnerabilities in managing internal and external security risks. These incidents are part of a worrying trend at Qantas, with insider threats emerging not only from within the organisation but also from its supply chain.
These cases might be red flags, indicating potential gaps in the organisation’s security practices and culture that could put sensitive information and operational continuity at risk. In this article, we will explore each incident, assess their implications, and suggest ways organisations can address similar gaps.
What is Insider Threat?
Let us start with definitions. Insider Threat refers to individuals who, intentionally or unintentionally, misuse their authorised access to cause harm to an entity. The Australian Security Intelligence Organisation defines an Insider Threat as current or former employees or contractors who have, or had, legitimate access to an organisation’s people, information, technology, assets, or facilities—and who exploit this access to cause harm.
Insider Threats may be driven by various motives, including personal grievances, disgruntlement, financial gain or espionage, and their actions often lead to significant operational, financial, and reputational damage. Effective risk management practices are essential for mitigating such risks, regardless of an organisation’s industry.
Insider Threat Case Studies at Qantas
Case 1: Alleged Industrial Espionage by Former Senior Pilot (October 2024): In October 2024, Qantas launched legal action against a former senior pilot accused of taking sensitive information related to the airline’s aircraft and commercial strategy. Qantas claims that, before resigning in September 2024 to take a role at competitor Virgin Australia, the pilot copied thousands of megabytes of confidential data from Qantas servers to a personal device. The data reportedly included valuable insights into Qantas’s operational planning and strategic direction, information that could give Virgin Australia a competitive advantage. This case underscores the importance of ongoing suitability assessment of employees and of monitoring employee activities, particularly during offboarding, to prevent insider theft.
Case 2: Overseas Contractor Steals Qantas Client Data (August 2024): In August 2024, Qantas suffered a significant breach involving overseas contractors at a third-party service provider in India. These contractors, who had authorised access to Qantas customer data, misused their access to steal sensitive customer information, including passport numbers. This incident reveals the risks posed by insufficient oversight and data security measures when outsourcing services overseas, demonstrating that insider threats can arise within the supply chain as well.
Case 3: Cyberattack on Frequent Flyer Program (2024): In early 2024, Qantas’s Frequent Flyer program suffered a cyberattack, compromising hundreds of customer accounts. Attackers reportedly stole loyalty points and customer data, an outcome exacerbated by insufficient cybersecurity practices and poor oversight of third-party vendors managing parts of the Frequent Flyer system. This incident highlights the vulnerabilities in Qantas’s cyber defences and the importance of robust vendor management to ensure customer data security.
Case 4: Criminal Infiltration of Qantas Workforce (June 2021): A 2021 report revealed that up to 150 Qantas employees were allegedly linked to organised crime groups, facilitating smuggling operations within airport security. These individuals, including baggage handlers and ground staff, reportedly exploited their positions to bypass security protocols. This case demonstrates the risks associated with inadequate pre-employment screening and inadequate ongoing suitability screening and monitoring of the workforce, especially for high-risk roles, and the importance of ongoing vigilance to prevent criminal infiltration.
What Do These Incidents Reveal?
These incidents at Qantas potentially point to several key security gaps:
Workforce Screening and Monitoring: Qantas Airlines is not subject to the Security of Critical Infrastructure (SOCI) Act 2018; however, it is covered by a kindred predecessor of the SOCI Act, the Aviation Transport Security Act 2004 and associated regulations. Qantas employees and contractors who require access to airport secure areas are required to hold a valid Aviation Security Identification Card (ASIC). To be issued with an ASIC, an applicant needs to undergo an AusCheck background check.
As a brief history, the AusCheck background check was introduced following recommendations from Sir John Wheeler’s Airport Security and Policing Review after the 9/11 attacks. It was part of the Australian Government’s effort to bolster aviation and maritime security, aiming to mitigate terrorism and criminal threats. Developed between 2004 and 2006, the policy framework has remained largely unchanged since then.
The AusCheck background check is a point-in-time evaluation with key components being: identity verification, right to work in Australia check, criminal history check, criminal intelligence check and the ASIO National Security Assessment.
I note that Australia’s security landscape has evolved since the early 2000s, and the threats to the aviation sector have expanded beyond terrorism and traditional criminality. The AusCheck background check is valuable for mitigating risks related to terrorism and criminal activities; however, while it aids in meeting legal requirements to ‘have a background check’, it does not provide a comprehensive mitigation of insider threat, as many insiders will not be recorded in the indices that AusCheck addresses.
Third-Party Security Oversight: The 2024 data breach involving overseas contractors highlights the critical need for stronger oversight and rigorous security protocols among third-party vendors, particularly those with access to sensitive customer information. Organisations should enforce strict workforce screening and monitoring processes for both employees and suppliers, ensuring alignment with data protection standards.
Regular insider threat training can also help personnel recognise and respond to early warning signs, reducing risks. Additionally, implementing technology solutions like open-source intelligence (OSINT) can enhance the organisation’s ability to detect potential insider threats before they escalate.
Insider Threat Programs: The alleged theft of data by the senior pilot highlights potential gaps in Qantas’s Insider Threat Program (if it has such a program). Effective monitoring, particularly during the offboarding process, could have flagged suspicious activity such as large data transfers, enabling proactive measures to prevent the data exfiltration.
Inadequate Cybersecurity and Vendor Management: The cyberattack on the Frequent Flyer program underscores vulnerabilities in Qantas’s cybersecurity framework. Ensuring vendor compliance with stringent cybersecurity standards, particularly for systems that store sensitive customer data, is essential.
Solutions and Best Practices
To address these gaps, organisations can adopt the following strategies:
Implement Comprehensive Insider Threat Programs: An effective Insider Threat Program is designed to deter, detect, and respond to internal security risks. Such a program includes pre-employment screening, ongoing monitoring, structured offboarding processes, and post-employment follow-ups. Regular monitoring of data access patterns and behaviour analysis can help detect and mitigate insider threats.
Enhance Supply Chain and Third-Party Risk Management: Organisations can use frameworks like Pentagram’s Supply Chain Risk Management Framework to assess suppliers, establish stringent data access protocols, and conduct continuous monitoring of third-party activities. This approach includes conducting security assessments and enforcing clear contractual obligations for data protection.
Strengthen Cybersecurity Defences and Third-party Management: Organisations must implement robust cybersecurity measures, including access control, multi-factor authentication, and data encryption. Regular training, risk assessments, and audits are essential to maintain secure systems. Stringent vendor requirements and ongoing assessments ensure that third-party service providers meet the organisation’s security standards. Cybersecurity must address the ‘people component’ of the cyber domain – it’s not technology and software.
Cultivate a Culture of Security Awareness: Educating employees and fostering a culture of vigilance can empower staff to recognise and report potential security threats. Regular training and security awareness programs encourage proactive engagement with security measures, reducing the likelihood of insider threat incidents. People are the key component of an effective Insider Threat Program.
Conclusion
The security incidents at Qantas illustrate the importance of comprehensive security practices across workforce management, third-party oversight, and cybersecurity. Implementing an effective Insider Threat Program, coupled with rigorous supply chain risk management and proactive cybersecurity measures, strengthens an organisation’s resilience against insider threats and external attacks.
While Qantas is not currently covered by the SOCI Act, aligning its security practices with best-in-class standards outlined in the SOCI framework would enhance protection of Qantas’s critical assets and operational integrity. For all organisations, these incidents showcase that proactive security risk measures are not merely regulatory requirements but essential components of a resilient operational strategy. Indeed, such measures are good for business.