Months after a breach hit Qantas Airways, the airline recently confirmed that stolen customer information has now been released publicly by cybercriminals. This is despite the airline’s legal efforts to prevent the stolen data from being accessed, shared, and published. Experts are now helping Qantas to establish what data has been leaked, but early reports revealed that names, dates of birth, phone numbers, and residential addresses were among the compromised credentials.
This disclosure reflects Australia’s continuing struggle with data security, raising questions about how corporate giants manage sensitive data and whether their defences are enough for the scale and complexity of the modern digital landscape.
“Breaches like this highlights [sic] a wider challenge for large organisations: the more data that’s held, the more risk that’s created,” said Gareth Russell, Security Field Chief Technology Officer for the Asia Pacific region at Commvault.
Russell added that, over time, customer information tends to accumulate within large enterprises, stored across systems and partner platforms that were never intended to hold it indefinitely. This growing concentration of data, spread across both internal and third-party environments, inevitably attracts integrations, partners and, increasingly, attackers.
He further noted that this breach marks a longstanding issue in corporate cybersecurity, data hoarding.
“Many organisations still struggle with the mindset of keeping everything, just in case it might one day be useful. The fear of deleting data has become cultural, driven by convenience and uncertainty about future value. Yet every unnecessary record increases the potential fallout when a breach occurs. Cyber maturity is not only about defending systems but also about reducing the data you expose. Knowing what is essential, protecting it well, and confidently deleting what is not are now critical parts of resilience,” Russell explained.
This breach also exposes the persistent vulnerabilities in enterprise operations and vendor ecosystems.
“The breach demonstrates that compliance checklists and internal defenses are insufficient, with vendor oversight, microsegmentation and enhanced identity governance (remember NIST 800-207) needing to be treated as integral parts of the organization’s own attack surface,” said Agnidipta Sarkar, Chief Evangelist at ColorTokens, Inc.
The human factor, as we know also remains a concern. Sarkar expounded that despite investing billions in cybersecurity, attackers are still getting in by simply calling help desks and convincing someone to reset a password,
“A Gartner survey found that 62% of cybersecurity leaders have experienced burnout, citing reasons that include pressure to work late nights and/or weekends, risk of security incidents negatively impacting career and low morale among cybersecurity teams. But the most important factor is the fact that usually cybersecurity investments do not keep pace with phenomenal organisation growth. Until cyber budgets, audits, and board KPIs treat the entire digital supply-chain as inside the castle, the next Qantas [incident] likely is already in progress.”
As breach fatigue sets in, experts urge individuals not to become complacent. Russell emphasised that the question is no longer how to stop every leak, but how to minimise its impact when it happens. He encourages individuals to keep their digital footprint small, avoid reusing credentials, and monitor key accounts for misuse.
Sarkar shares the same sentiment, noting that everything starts with the basics,
“First, build the foundation, invest in foundational breach readiness capabilities to stop lateral movement, create microsegments which compartmentalise business units. This will help close the data taps you don’t use, stopping unauthorised operations impossible because you built your enterprise to allow only predefined allowed paths. Then lock the front door and build in cryptography based passwordless credentials.”
Sarkar went on to say that the human layer must not be overlooked as it is the weakest link in the chain,
“Ensure you train and build muscle memory to harden the human layer and finally, build in cybersecurity as a mandatory component for each digital initiative. This should help enterprise reduce up to more than 90% of opportunities of breach, building viable digital business that remains unaffected during cyber-attacks. For the rest, invoke business continuity.”
For organisations, building resilience now means more than adopting the latest cybersecurity tools. It involves cultivating a mindset where security is everyone’s responsibility, from the boardroom to the front line. This includes knowing what data is truly valuable, protecting it with intent, and having the discipline to delete what no longer serves a purpose. For individuals, the message is equally relevant. Every online interaction leaves a footprint, and while no one can eliminate risk entirely, we can all take small and practical steps to reduce it. Indeed, digital safety is not just about technology. It must be coupled with awareness, responsibility, and the collective effort to protect data and information.
