What Every Aussie SMB Can Learn From the Qantas Data Breach

When Qantas lost altitude, it wasn’t their planes, it was their data. The airline’s October 2025 breach shows that no brand is too big (or too small) to be hacked. From vendor risk to customer trust, here’s what every Aussie SMB can learn, and how to stay airborne when cyber threats strike.

Published on 14 Oct 2025

In October 2025, Australia’s flagship airline fell victim to a cyberattack that exposed personal details of over 5 million frequent flyers. Hackers stole customer records (names, emails, frequent flyer numbers, and more) from a third-party platform Qantas was using. After Qantas refused to pay a ransom, the attackers dumped this trove on the dark web, making Qantas one of 40 companies worldwide caught in the same megabreach. It’s a headline-grabbing incident in a year that’s already seen its share of Australian cyber attacks, from health insurers to telcos. But if you’re running a small or mid-size business, don’t tune out thinking “that’s a big company problem.” This high-flying fiasco holds critical lessons for every business, including yours.

Even iconic brands like Qantas can have their wings clipped by a major data breach. In 2025, hackers leaked millions of Qantas frequent flyer records on the dark web after an extortion demand went unmet.

The Reality Check: Big Breaches Warn SMBs, Not Comfort Them

High-profile breaches at giants like Qantas are not reassurance that you’re too small to target, they’re warnings. In fact, 94% of SMBs experienced at least one cyberattack in the past year. Hackers don’t only chase big fish; they cast wide nets. Many attacks are indiscriminate, hitting businesses of all sizes. Often, criminals use the same playbook on smaller organisations, knowing SMBs typically have far weaker defenses and scarce IT resources to resist.

Crucially, big breaches also expose the supply chain risks that entangle everyone. Qantas didn’t get hacked in isolation; the breach stemmed from a compromised vendor platform (Salesforce) that impacted dozens of companies at once. This is a textbook supply chain attack. If a cloud service or software that your business relies on is breached, you could be swept up in the fallout. Gartner analysts predict that by 2025, nearly half of all organizations worldwide will have experienced a software supply chain attack. In short, the systems and tools you share with bigger players can become pipelines for threats to reach you. Supply chain compromises are among the fastest-growing threats for SMBs, meaning that even if attackers aren’t targeting you directly, you can still be a casualty.

Then there’s the myth of obscurity: “Why would hackers bother with my little business? I have nothing worth millions to steal.” The reality is attackers often seek easy wins. Smaller companies have valuable data too (personal info, payment details, intellectual property), and they usually lack enterprise-grade security. Plus, SMBs can be stepping stones to larger targets. A savvy criminal might breach a small supplier to reach a big client. Or they might just want a volume of smaller ransoms that add up.

Importantly, the tactics used to breach Qantas were shockingly low-tech, and could just as easily fool an SMB. According to reports, the hacker collective “Scattered Lapsus$ Hunters” didn’t crack supercomputer codes; they vished their way in. In plain English: they called up a support center worker, pretended to be an insider, and smooth-talked their way to access. As one cybersecurity expert put it, this “was not a high-tech hack at all”. Social engineering scams like phishing emails and phone cons are the great equalizer in cybercrime: they work on multinationals and mum-and-dad businesses alike. If anything, smaller businesses are more likely to fall for these ploys due to less training and awareness. Remember, human error causes around 82% of breaches. So the Qantas incident should jolt you into asking: Are my employees prepared to spot a con? Do we have eyes on our systems to catch an intruder fast? Because attackers will use the same tricks on you, and they know smaller firms often won’t see it coming.

It’s Not Just About Data, It’s About Trust

When a breach happens, it’s not only data that gets spilled. Trust leaks away too, and that can hurt even more. Just look at Qantas: an airline built on customer loyalty now facing headlines about leaked frequent flyer info. The immediate fallout isn’t measured only in records stolen, but in customer confidence. How eager will people be to hand over their personal details (or loyalty points) next time they fly?

For a small or medium business, the trust of your customers and partners is your lifeblood. Breaches put that trust on the line. Studies show that 65% of customers lose trust in a company after a data breach, and over a quarter will outright stop doing business with it. Think about that, you could lose one in four customers overnight because their email or phone number got exposed. The scale might differ (Qantas has millions of customers; you might have thousands or hundreds), but the proportionate impact can be just as devastating for an SMB. A big corporation might weather a PR storm with a huge PR budget and years of brand capital. An SMB, however, could see loyal clients walk away and prospective ones hesitate for good.

Breaches also attract media attention and public scrutiny, the kind that no business, large or small, wants. Qantas’ breach made national news, prompting government commentary and even legal action. Your local business might not make the 6 o’clock news, but word travels fast in the community (especially if you operate in a niche industry or tight-knit region). A single Facebook post or news blurb about “XYZ Pty Ltd exposing customer data” can tarnish your reputation far and wide. The narrative quickly becomes “untrustworthy”, and that’s a hard label to peel off.

The Qantas data breach is a wake-up call for all Australian businesses, no company is too big, or too small, to be targeted

Beyond customers, consider the wider circle of trust: suppliers, investors, and employees. A breach can strain your partnerships, suppliers might question if you’ll indirectly compromise them, and investors may see you as a liability. Even your own team’s morale can drop; nobody wants to feel like they’re working for the next headline-making victim. In short, losing data means losing face. It’s a blow to the credibility you’ve worked hard to establish. And in business, credibility once lost is painfully difficult to regain. As we’ve seen time and again (Optus, Medibank, and now Qantas), recovering trust is a long, expensive journey. SMBs would be wise to avoid that journey by protecting trust in the first place.

What SMBs Should Learn From Qantas

So, what can a smaller enterprise take away from this airline’s nightmare? Plenty. Here are five key lessons for every Aussie SMB to implement now rather than later:

  • Don’t rely on vendors blindly, assess third-party risk. Your security is only as strong as the weakest link in your supply chain. Qantas learned this the hard way when a vendor’s cloud database was breached. Take the time to vet the security of any third-party providers who handle your data or services. Ask tough questions, seek audits or certifications, and limit the data you share with partners to only what’s necessary. Have contingency plans if a critical vendor is hit by an attack. In short, trust but verify your suppliers – and keep an eye on their security like your business depends on it (because it does).
  • Know what’s being stored and who has access to it. Do you really know where all your sensitive data lives? Every SMB should maintain an up-to-date inventory of what data you hold (customer info, financial records, IP, etc.), where it’s stored, and who can access it. You can’t protect what you don’t know you have. Minimize data collection to what you truly need, and purge what you no longer use. Implement strict access controls: employees should only access information essential for their role (the principle of least privilege). In Qantas’s case, millions of records spanning years were sitting in one database. For you, maybe it’s a decade worth of client emails on a drive or a stash of old customer invoices in a cloud app. Audit it. Clean it. Protect it. By knowing your data inside-out, you’ll also be quicker to pinpoint what’s affected if an incident ever occurs.
  • Invest in real-time monitoring and alerts. Speed matters when cyber incidents strike. Early detection can mean the difference between a contained scare and a full-blown disaster. Unfortunately, the average breach isn’t caught for over 200 days – that’s more than six months of attackers prowling your network undetected. Don’t let that be you. Ensure you have systems (or services) that continuously monitor for suspicious activity. This could be as simple as alerts for unusual login locations/times, or as advanced as AI-powered threat detection that flags odd behaviour in your network traffic. Even a modest SMB can deploy basic intrusion detection or utilise a managed security service for 24/7 watch. The moment something seems off, a spike in database queries, an admin login at 3AM, files suddenly being encrypted, you want alarms going off and someone ready to respond immediately. Time is money, and in cybersecurity time is also data. The faster you know, the faster you can hit the brakes on an attack.
  • Run regular breach simulations and incident drills. When was the last time you practiced your response to a cyberattack? (If your answer is “umm… never,” it’s time to change that.) Major companies routinely conduct fire-drill scenarios, SMBs should too. Test your incident response plan with realistic simulations: for example, pretend your customer database was just stolen – what do you do first? Who calls whom? Can you quickly pull up exactly what data was in there? Practice the workflow of isolating affected systems, communicating to stakeholders, and contacting any external advisors or authorities. Running tabletop exercises or even surprise drills will reveal gaps in your preparedness. Maybe you discover nobody knows who’s in charge of public statements, or that backups weren’t as current as assumed. Better to learn that in a practice run than in the heat of a real crisis. Drilling also trains your team to stay calm and follow procedure under pressure. It builds “muscle memory” for worst-case scenarios, so if the day ever comes, you’re not scrambling, you’re executing a plan.
  • Backup and test your recovery processes, often. Some cyberattacks not only steal data but also wipe or encrypt it (ransomware, anyone?). Backup and Disaster Recovery (BDR) is your parachute. Regularly back up critical data offline or to secure cloud vaults that attackers can’t reach. But more importantly, test those backups. A backup that silently failed or can’t be restored properly is no backup at all. Practicing restorations ensures you know how long it takes and that everything comes back intact. Qantas didn’t lose their operational data in this breach, but many businesses hit by ransomware have been completely paralyzed, some never reopen. A solid backup, tested and up to date, means that even if hackers knock you down, you can get back up with minimal downtime. It’s the difference between paying a ransom (or shutting doors) and simply rolling up your sleeves to rebuild from yesterday’s clean copy. Test your recovery plan at least a few times a year: simulate a server crash or data corruption and make sure you can restore fully and quickly. Your future self will thank you.
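
To make the monitoring lesson above concrete, here is a small added example (not Inlight's code or any product's) that flags two of the signals mentioned: an admin login outside business hours and a spike in database reads. The log format, the 07:00-19:00 working window and the 10x threshold are assumptions, and the log lines are constructed samples.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 19)  # assumption: staff work 07:00-18:59 local time
SPIKE_FACTOR = 10              # assumption: alert at 10x a user's typical hourly rows
MIN_BUCKETS = 3                # need some history before judging a spike

# Constructed sample events (not real logs): timestamp user event key=value
SAMPLE_LOG = """\
2025-10-06T09:05:00 alice login role=staff
2025-10-06T09:10:00 alice db_query rows=120
2025-10-06T10:20:00 alice db_query rows=90
2025-10-06T11:45:00 alice db_query rows=150
2025-10-06T14:00:00 bob login role=admin
2025-10-06T14:30:00 bob db_query rows=200
2025-10-06T15:30:00 bob db_query rows=180
2025-10-07T03:02:00 bob login role=admin
2025-10-07T03:04:00 bob db_query rows=250000
"""

def parse(line):
    """Split one event line into (timestamp, user, event, fields)."""
    ts, user, event, kv = line.split()
    key, value = kv.split("=")
    return datetime.fromisoformat(ts), user, event, {key: value}

def detect(log_text):
    """Return alerts as (rule, user, ISO timestamp) tuples."""
    alerts = []
    hourly_rows = defaultdict(lambda: defaultdict(int))  # user -> hour -> rows read
    for line in log_text.strip().splitlines():
        ts, user, event, fields = parse(line)
        off_hours = ts.hour not in BUSINESS_HOURS
        if event == "login" and fields.get("role") == "admin" and off_hours:
            alerts.append(("off_hours_admin_login", user, ts.isoformat()))
        elif event == "db_query":
            hourly_rows[user][ts.replace(minute=0, second=0)] += int(fields["rows"])
    for user, buckets in hourly_rows.items():
        if len(buckets) < MIN_BUCKETS:
            continue
        baseline = median(buckets.values())  # median resists the spike itself
        for hour, rows in sorted(buckets.items()):
            if rows > SPIKE_FACTOR * baseline:
                alerts.append(("query_spike", user, hour.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In practice the same two rules would run against your identity provider's sign-in logs and your database or SaaS audit logs, with alerts routed to whoever is on call.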

Inlight’s Cyber Resilience Approach for SMBs

Building cyber resilience might sound daunting, but you’re not alone in this. Inlight IT specializes in helping Australian SMBs strengthen their defenses and bounce back fast when trouble strikes. Here’s how we put the above lessons into action for you:

  • Backup & Disaster Recovery: Faster bounce-back, lower risk. We implement robust backup solutions (both on-premises and cloud) with automated backups, secure off-site storage, and routine recovery drills. If the worst happens, our BDR strategy ensures your business keeps running or gets back on its feet in hours, not weeks.
  • Cybersecurity Training: Stop breaches before they start (yes, Dave still clicks fake invoices). Human error is the weakest link, so we turn your team into your first line of defense. Inlight provides engaging security awareness training and phishing simulations (no boring lectures!) so that your staff can spot scams like the one that tripped up Qantas. We’ll even happily remind Dave again not to open attachments from “Boss.pdf.exe”.
  • Managed Detection & Response (MDR): Real-time threat detection and expert intervention. Our Australian-based SOC (Security Operations Center) monitors your network 24/7, hunting down suspicious activity in real time. We use advanced tools (and actual humans who know what to look for) to catch intrusions early and kick out threats decisively. It’s like an alarm system and a dedicated security team rolled into one, always on guard so you can sleep at night.
  • Vendor Risk Management Tools: Don’t let your weakest link take you down. Inlight helps you assess and monitor the security of your third-party vendors and software. We’ll map out who has access to your data and put controls in place to manage that risk. From vetting new cloud services to continuously watching for supply-chain vulnerabilities, we make sure a partner’s lapse doesn’t become your crisis.

By focusing on these core areas, Inlight’s approach boosts your cyber resilience, not just preventing attacks, but ensuring that even if something slips through, it doesn’t cripple your business. It’s about being proactive and prepared.


Final Thoughts

If Qantas can be breached, so can anyone. The difference is whether you’ve got a plan, or a press crisis. Cyberattacks aren’t a question of if but when, and the silver lining of big incidents is that they remind us to get our act together. For SMBs, this is your moment to be proactive: tighten up your security, educate your people, and have a solid recovery plan. You may not be able to stop every attack, but you can control how resilient you’ll be in the face of one. In the end, cybersecurity is really about business survival and reputation. Take a page from the Qantas saga and shore up your defenses now, before you’re stuck writing apology emails to your customers.


Want to Fly Above the Threat? Inlight Can Help

Explore Inlight’s Cybersecurity and Backup & DR solutions to safeguard your business before the next headline hits. Book a Security Review and let’s fortify your future.
