The recent data breach of Qantas Airways has sparked major outrage over the lack of protection for personal information in Australia. In the wake of the breach, millions of Australians have called for better privacy protections and more rigorous safeguards over their data. The office of the Australian Information Commissioner has done five such surveys over the years. These surveys 1, 2, 3 have produced the same result: an overwhelming call for better privacy legislation.
Principal lawyer Lizzie O’Shea from Maurice Blackburn highlighted the existing deficiencies in Australia’s data privacy laws. She noted that it’s the breach that has pushed thousands of people into her law firm’s services, just for starters. This very much rings true with growing frustration over the bizarre incident.
This kind of event had occurred. Most Australians have been calling for stronger protections of their personal information and enhanced privacy rights,” O’Shea said. That’s been proven time and again across dozens of those same surveys, including the one done by the office of the Australian Information Commissioner over these last five years.
So far, the breach has served to highlight the pivotal attack methods used by hackers – most notably a group called “Scattered Spider.” La Trobe University Professor Daswin De Silva discussed the nature of these attackers on the SBS On the Money podcast. He described them as a more recent cyberattack group that’s operating out of the US and the UK.
“Scattered Spider seems to have improvised from incidents that took place in the US into the UK, and now in Australia,” De Silva explained. He noted that so far in 2024, arrests had been made involving the same techniques used in hacks to these regions.
De Silva underscored that for big entities, there’s a tendency to focus on getting services out really quickly. Unfortunately, this focus can unexpectedly create vulnerabilities that hackers are salivating over. “The main technique is social engineering or impersonation attacks where phishing attacks, SIM swapping, and multi-factor authentication fatigue attacks are prevalent,” he said. This circumvention of help desk activities is just one quick Password Reset Attack Maneuver II trick that undermines stronger security processes.
The egregiousness of this breach, O’Shea said, underscores the urgent need for reform. He stressed the broader impact for Australian data privacy at large. She argues that the patchwork of privacy laws we have today doesn’t reflect what people truly want when it comes to protecting their data.
As like many Australians, I feel that our privacy laws are inadequate. I strongly believe that companies are not doing enough to protect our personal information as they lead us to expect them to. O’Shea remarked.
This incident raises important questions about third-party providers’ cybersecurity practices and compliance. De Silva pointed out that while companies often outsource certain operations to save costs, they may inadvertently expose themselves to risks if these third-party providers do not uphold the same cybersecurity best practices as the parent company.
“I believe Qantas could explore how these are implemented across their third party providers,” he suggested. “Sometimes third-party outsourcing comes at a cost saving, but this could mean that some of those third-party providers are not adhering to the same cybersecurity safeguards.”
A typical complaint has been filed with the City in light of the leak. This historic step gives the Privacy Commissioner freer rein to investigate potential breaches of the Privacy Act. This enforcement action serves as an important reminder of the strong authority given to the Privacy Commissioner to act on such breaches and hold organizations accountable.
The Australian public’s desire for stronger privacy protections couldn’t be more obvious. These are some of the laws that have made Americans feel betrayed, O’Shea said. They are frustrated that these regulations fail to sense their needs and protect their private information.
“We at Maurice Blackburn were approached by many people in the wake of this data breach who were upset and frustrated,” she stated. “So many people feel very annoyed that the laws don’t reflect what they expect in terms of protecting their personal information and that they are the ones that have to suffer the consequences when companies lose control.”
