Qantas is embedding secure-by-design practices across the group

Qantas is tackling a broad range of cyber security activities this financial year, including embedding secure-by-design practices across the group and automating “key cyber capability”.

The aviation group outlined a significantly expanded body of cyber security work in its 2024 sustainability report [pdf] compared to previous years.

In the previous two years, cyber safety culture, awareness and training-related activity dominated its disclosures, with only scant mention of process and technology-related investments.

Its latest sustainability report continues with that theme, pointing to phishing simulations and bespoke training programs being offered to the airline’s staff.

However, it also points to a number of “continuing” activities from FY24 - which ended June 30 - into FY25 that provide a more expansive view of its cyber security-related activity and investments.

These activities include an “uplift” of third and fourth-party cyber risk governance processes.

“Third- and fourth-party cyber risk involves managing cyber risks from our direct suppliers (third parties) and their suppliers (fourth parties), who can affect our supply chain directly or indirectly through cyber incidents,” it said in footnotes.

Like other major enterprises such as NAB, Qantas is also backing secure-by-design methodologies, with it earmarking FY25 for the continuation of development work around “secure-by-design practices and guidance”, and work to “embed this across the group”.

In addition, Qantas said it would use the next financial year to “enhance internal and external security testing capability”; to “partner closely with aviation industry peers along with the federal government to enhance cyber resilience for the sector”; and to support “continuous improvement through greater automation of key cyber capability along with leveraging new technologies including generative AI.”

App error

Qantas also said it had learned from a privacy incident back in May when its app malfunctioned and displayed other people’s data.

The airline said that its app “experienced two short periods of anomalous behaviour” on May 1, “due to a change to the technology environment.”

“Qantas voluntarily disclosed this event to the Australian privacy regulator and contacted impacted customers,” it said.

“Learnings from this event have been used to improve our technology and privacy posture.”

The airline added that, more broadly, it is analysing and applying lessons from other “high-profile breaches and cyber incidents that impact[ed] Australian and global companies” in a bid “to improve [its] resilience capabilities.”

Qantas is embedding secure-by-design practices across the group

Qantas is embedding secure-by-design practices across the group

Qantas is embedding secure-by-design practices across the group

Qantas is embedding secure-by-design practices across the group

Qantas is embedding secure-by-design practices across the group