The recent data breach at Qantas exposed the personal details of nearly six million customers. The breach was traced to a third-party call centre, not to a technical exploit like ransomware or firewall compromise.

Between June 30 and July 2, attackers gained access to a customer service platform used by a Qantas contact centre in Manila. From that interface, they were able to view and extract personal data including names, addresses, dates of birth, frequent flyer numbers, and in some cases, more sensitive details like meal preferences. The breach affected an estimated 5.7 million unique customer records.

Qantas has confirmed that core systems were not compromised. Financial data, passwords, and passport numbers were not stored in the affected system. And yet the breach is serious. Frequent flyer numbers, when paired with contact information and personal details, are enough to enable social engineering, credential stuffing, impersonation, and fraud. Already, phishing campaigns are targeting customers under the guise of Qantas notifications.

There is still uncertainty about how attackers gained access, but there is no evidence of a technical exploit. Investigators and cybersecurity analysts believe this breach was the result of social engineering. A support agent may have been tricked, manipulated, or impersonated. Possibly, an insider was recruited. The details are still emerging. The mechanism wasn’t novel. It relied on human fallibility.

This kind of attack is not unique to Qantas. In the past year alone, similar tactics have been used to breach Hawaiian Airlines, WestJet, and numerous financial institutions. Attackers often focus on help desks, contact centres, and vendors, where identity verification is weakest. They exploit the assumption that people are who they claim to be.

That assumption remains a critical risk. Once someone is inside a support interface, even with limited access, they can often retrieve or manipulate more information than expected. The Qantas incident illustrates this clearly. Training improvements are not enough to prevent these breaches. Preventing them requires removing unauthenticated support workflows entirely.

A secure communication system should not allow someone to call or email pretending to be a customer, an employee, or a vendor, and then receive support or access based on unverifiable communication alone. The system should require identity-verified channels. Password resets, approvals, and file transfers should only happen inside environments that verify who is making the request, and that automatically expire sensitive data once it's delivered.
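The sketch below illustrates that principle. It is an added example, not code from Traceless or Qantas. It assumes a hypothetical support platform (`SupportDesk`) that shares an HMAC key with an identity provider, with `idp_assert` standing in for an approval issued after an MFA prompt; real integrations with providers such as Okta or Duo use their own protocols.

```python
import hashlib, hmac, secrets, time

IDP_KEY = secrets.token_bytes(32)  # assumption: key shared by the IdP and the support platform
MAX_AGE = 120                      # assumption: seconds an approval or pending secret stays valid
SENSITIVE = {"password_reset", "file_transfer", "access_approval"}

def _mac(body):
    return hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

def idp_assert(user, action, now):
    """Stand-in for the identity provider: issued only after the user approves an MFA prompt."""
    body = f"{user}|{action}|{int(now)}|{secrets.token_hex(8)}"
    return f"{body}|{_mac(body)}"

class SupportDesk:
    def __init__(self):
        self._used = set()   # nonces already redeemed, to block replay
        self._vault = {}     # one-time secrets waiting to be collected

    def _verified(self, user, action, assertion, now):
        try:
            body, mac = assertion.rsplit("|", 1)
            u, a, ts, nonce = body.split("|")
        except (AttributeError, ValueError):
            return False     # missing or malformed: the caller's story is never weighed
        if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
            return False     # not issued by the IdP, or altered in transit
        if (u, a) != (user, action) or not 0 <= now - int(ts) <= MAX_AGE:
            return False     # approval is for someone or something else, or is stale
        if nonce in self._used:
            return False     # each approval authorises exactly one request
        self._used.add(nonce)
        return True

    def handle(self, user, action, assertion, now):
        """Return a pickup token for a verified sensitive request, else 'denied'."""
        if action not in SENSITIVE:
            return "ok"
        if not self._verified(user, action, assertion, now):
            return "denied"
        token = secrets.token_urlsafe(16)
        self._vault[token] = (secrets.token_urlsafe(12), now + MAX_AGE)
        return token

    def collect(self, token, now):
        """Hand over the secret once; it is deleted on delivery or on expiry."""
        secret, expires = self._vault.pop(token, (None, 0))
        return secret if secret is not None and now <= expires else None
```

The agent never decides whether the caller is genuine: a request without a fresh, matching, unused approval is refused, and the delivered secret cannot be read a second time.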

And I hate to say it, but all of this is what Traceless does.

The platform is designed to take the burden of verification out of the hands of support agents, and that's exactly what every company should want. It requires that every sensitive request, whether it's a password reset, a file transfer, or an access approval, must come through an identity-verified channel. It connects with systems like Okta, Duo, and Microsoft Authenticator to confirm that the person making the request is who they say they are. And it does this quietly, in the background, without leaving a trace of the message or file behind. It also integrates with heaps of platforms, allowing teams to secure what are typically unsecured comms channels like Slack or Teams without overhauling existing workflows.

If Qantas had relied on a system like that, this breach might never have happened. Without human interaction, the attacker would have had nothing to exploit.

These incidents are not about infrastructure gaps. They reflect failures in how trust is managed and enforced. Unless that changes, the attacks will continue. These incidents are preventable when authentication is embedded in the process.

Your team might not run a national airline, but it does manage sensitive systems every day. Traceless builds identity verification into every conversation, so trust doesn’t become a liability. See how it works at traceless.com/