VERICODE vericode.com.au

Qantas didn't get breached. Its contact centre did.

Vericode · 30 June 2025


It is not a Qantas breach. The press will call it one, the share price will move on it, the apology emails will come from a qantas.com address. But what got breached was a third-party contact-centre platform, a layer of plumbing two suppliers removed from the airline. Up to six million customer records. Names, contact details, frequent-flyer numbers. The kind of data that does not stay where it lands. The kind of data that turns up six months later in a phone call that knows who you are.

That is the part worth slowing down for.

The first day of a breach is usually treated as a containment story. Who got in. What was accessed. Which systems were not touched. How many records might be involved. Those questions matter, but they are not the whole shape of the thing.

Customer records are not static evidence. They are raw material. Once a name, phone number, email address and membership number leave the place they were meant to live, they become components in somebody else’s script. A caller does not need the full account. They need enough truth to make the next lie easy to accept.

That is how impersonation works when it works well. It is rarely invented from nothing at the moment of the call. It is assembled from leaked facts, old invoices, public roles, reused passwords, breached emails, scraped social profiles and the ordinary language of customer support. The pretext is the assembly.

Australia has had enough reminders this month. Operation FRONTIER+ has just rolled up arrests across multiple jurisdictions. MailGuard has been warning about multi-stage myGov phishing. The market for personal detail, account context and believable customer language is not theoretical. The records exposed today will not sit politely in a breach notification. They will be tested, enriched, traded and used.

The supply-chain part matters because this is where the breach surface is moving. Banks have hardened. Major airlines have hardened. Regulated institutions have spent years building larger security teams, better monitoring and tighter identity checks around their own systems. The layer underneath is messier. Contact-centre platforms, support desks, recovery flows, identity vendors and outsourced customer operations all hold the small facts that make a caller sound real.

That does not make Qantas uniquely careless. It makes Qantas a useful marker. Large organisations can do many things right and still have sensitive customer context sitting in operational systems that were never built to become the front line of impersonation risk.

The industry can see it. FrankieOne launched its identity and fraud orchestration platform last week with the language of reform readiness around it. That is the right direction. The question stops being whether a customer can be verified once, and starts being whether the information they are presenting should be trusted in the first place. Verification is shifting from a form at the front door to a continuous question about where claims came from.

Inbound calls expose the gap.

A bank-side scam control can see transfers, device signals and account behaviour. It cannot see that the caller used a real Qantas frequent-flyer number to sound credible during a support call at another business. An airline can reset passwords and notify customers. It cannot police every future conversation where leaked travel data becomes the opening move. The contact centre can train staff to be alert, but alertness is a thin shield when the caller has true facts.

This is the information-leakage problem in its plainest form. The damage is not limited to the organisation that lost the data. The fraud does not stay in the industry where the breach happened. A travel record can become a banking pretext. A membership number can become a confidence trick. A phone number and a name can become a reason for a staff member to keep talking.

That is why the Qantas story should not be filed as another large-brand cyber incident and left there. It is a preview of the next wave of believable calls. The breach has lowered the cost of making those calls sound normal.

The data does not stay where it lands. The fraud does not stay in the industry that lost it.