On the first of July, a Cyberattack took place targeting the Qantas Frequent Flyer Database. The day after at 9.04 AM Qantas responded by releasing a Press Release confirming this cyberattack. Having an iconic organization like Qantas as the recipient of a Cyberattack is not new (Optus, Medibank etc). Cyberattacks are more than ever more frequent and affects a wider kind of public, private and Ngo’s. This seems to be the price the world is paying for increasing reliance on digital technology.  While organisations cannot avoid being attacked, they have however a full range of options on the way they respond to this kind of crisis.

The following is a summary of our analysis of the Qantas Crisis response, so far.

Overall Qantas Narrative

The media releases built a crisis narrative positioning Qantas as a “Victim” of this cyberattack and acknowledged “customers impact” without taking responsibility in any way to address the negative impacts related to the loss of private information. According to the 2^nd of July initial Media release, Qantas identified from the distance the impact that this attack had in its customers … “We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available”.  Qantas talked about understands that clients are concerned about the attack without assuming in any shape or form the impact that these cyberattack may have in the privacy of the clients most impacted by identifying ways to alleviate the potential damage done.  Qantas mentions “support available” through its “dedicated support line”.  The email sent to customers mentions support “with access to specialist identity protection advice and resources through this team”. In this sense the Qantas apology was nopt backed up by concrete actions to compensate anyone who may have been affected the most by this digital breach. Qantas was also quick to blame a third party of it … “The incident occurred when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform.” Qantas does not mention how the cybercriminals accessed the call centre and breached the third-party servicing platform.   A strong strategy to avoid a Cyberattack must be followed by third party service providers.

Qantas followed best practices in several areas, ad hoc in others and fell short in some of these.

Qantas Aligned Responses to Best Practice:

• Immediate Detection and Containment: Qantas acted swiftly to detect unusual activity on a third-party platform and immediately contained the system, ensuring all core Qantas systems remained secure. This aligns with the best practice of moving quickly to secure IT infrastructure and contain damage.

• Engagement of Forensic Experts: The airline promptly engaged "specialist cyber security experts" for forensic analysis to understand the impact of the incident. Hiring a third-party forensics team is a key best practice for identifying the source, scope, and remediation steps of an attack.

• Notification to Authorities: Qantas notified relevant authorities, including the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner, and the Australian Federal Police (AFP). This is a crucial step for law enforcement engagement and regulatory compliance.

• Customer Support and Resources: Qantas established a dedicated customer support line and increased contact center resourcing to assist affected customers. They also offered access to specialist identity protection advice and resources. Providing support and resources to affected individuals is a recommended action during a crisis.

• Security Reinforcement: Qantas implemented additional security measures and strengthened system monitoring and detection. They also highlighted that Frequent Flyer accounts have multi-factor authentication (MFA) enabled by default. Proactive security enhancements are vital for future resilience.

• CEO Visibility and Initial Apology: Qantas Group CEO Vanessa Hudson fronted the media and issued a "sincere apology," acknowledging customer concern and committing to transparency. Visible leadership and expressions of empathy are important in crisis communication to build trust.

• Clarification of Compromised Data (and what wasn't): Qantas made it clear that no credit card details, personal financial information, or passport details were stored on or accessed from the compromised system. They also later provided specific details about the types of personal data (names, email addresses, frequent flyer numbers, etc.) that were affected for specific customer subsets. Being accurate and transparent about the extent of the breach helps manage the narrative and prevents misinformation.

Areas where Qantas response strategies fell short or could have improved:

• Proactive Disclosure / "Stealing Thunder": Reports indicate that customers initially learned about the data breach through app alerts or media leaks, rather than direct, proactive communication from the airline. The strategy of "stealing thunder," which involves proactively disclosing crisis information before it is discovered by the media, has been shown to result in higher credibility ratings and perceptions of the crisis as less severe. Qantas reacted to the social media disclosure of the Cyberattack, leaving in doubt whether Qantas was going to inform the public about it.

• Consistency and Full Transparency in Messaging: While the CEO emphasized transparency, some sources suggest Qantas "quietly downplayed" the incident as a "technical issue," avoiding the term "cyberattack". A former staff member claimed an early press release was "not factual and truthful," and feedback from investors was denied on Telegram. Best practices advise against concealing important details, using clichés, or downplaying the incident, as this can lead to public scrutiny and damage reputation. Consistent and accurate messaging across all channels is crucial.

• Timeliness of Detailed Information: Although general notification was sent quickly to frequent flyers, detailed information on specific types of personal data compromised was promised for "next week" (after the initial announcement), and call center staff were reportedly still "no wiser" about the specifics more than a week after the breach. Rapid and precise communication is expected in a crisis.

• Perceived Accountability and Leadership: Qantas pilots and former senior pilots openly criticized the airline's management for "blame deflection" and the board for "sticking their heads in the sand" without the chairman making public comments or offering reassurance. They also linked the incident to a pattern of "hollowing out internal capacity and outsourcing critical functions". Best practices emphasize the board's role in proactive prevention, ensuring management takes ownership, and demonstrating accountability.

• Addressing Root Causes (Outsourcing): The breach occurred in a "third party customer servicing platform" in Manila. While Qantas stated it was focusing on strengthening security companywide, the criticisms from internal stakeholders about outsourcing suggest a deeper, unaddressed vulnerability related to third-party risk management. Understanding and managing third-party risks are crucial for crisis preparedness.

• Pre-Crisis Preparedness Testing: The recurrence of "IT-related debacles" and the reported confusion among call center staff regarding specific data compromised could imply that Qantas's crisis response plan, while existing, might not have been adequately tested or adapted to cover scenarios involving outsourced services and detailed customer communications.

• Addressing Customers biggest impact on their privacy:   Qantas did not specify if it was prepared to offer more concrete support (financial compensation, assistance to vulnerable people who find difficult adressing the online solutions offered by Qantas).

• Apologia:  the apologies offered by Qantas and its CEO have to be reframed to have meaning.  A general apology that does not recognise loss of privacy and pain is not conducive to build trust.

What would Red River had done differently

1                               Qantas could have implemented a “Stealing Thunder” strategy

immediately after knowing about the crisis, to have more influence on the way the media introduce the crisis to the public. There is a misconception to think that you must know everything about the crisis before alerting the public.

2                               The apologia strategy presented by the CEO was very poor.

Ambiguous at best, without meaning at worst. Apologies for the sake of an apology can be counterproductive if there is not substance in the message.

3                               The initial message contained in the first Media release was crafted to be impersonal and showed no care for the impact on customers, not in relation to the words used by in relation to the actions Qantas was willing to take to minimize the impact of the Cyberattack on individual and most vulnerable customers. It does appear that Qantas was not message prepared for this kind of crisis.  

4                               A more proactive and direct strategy to offer compensation and/or direct assistance to key and vulnerable customers would have assisted Qantas to improve its reputation after its catastrophic performance during and after COVID 19.  Qantas investment would have been minimum. It would have set a different tone and would have been accepted well by the public and spread out by the media more effectively.

In conclusion, Qantas implemented strong technical and customer- facing support measures, demonstrating adherence to best practices in immediate response and containment. However, the airline faced considerable criticism for its communication strategy, confirming the Cyberattack after the social media went public, staggering the release of information and the lack of prompt, visible leadership. The incident also highlighted broader concerns about Qantas's long-term preparedness, management of third-party risks, and overall organizational culture regarding accountability and transparency, which are crucial elements of comprehensive crisis management and a potential willingness to support worst affected customers either financially or by other direct kinds of support.

Qantas was in that sense... lucky, as the most critical information of its customer base seems not to have been breached.   It can take note of this Cyberattack experience and put a more robust way to respond to the next Cyberattack, as we know. The next crisis is not coming as an “IF” but as a “When”.