The Times Australia

How can we stay safe after data breaches? Step 1 is to change the cybersecurity laws

  • Written by Adam Andreotta, Lecturer, School of Management and Marketing, Curtin University

Last week, Australian airline Qantas announced[1] cyber attackers had accessed personal data about some of its customers. The company later confirmed that 5.7 million[2] customer records were involved.

The attackers targeted an offshore IT call centre[3], which enabled them to gain access to a third-party system.

The airline contacted affected customers shortly after the announcement, and sent a follow-up email a week later. The email apologised to customers and informed them attackers had accessed information about customers’ names as well as frequent flyer numbers and tier status.

The email may have felt familiar to Australians impacted by the 2022 Optus Breach[4] or the 2024 Medisecure Hack[5] — a routine apology, an assurance that immediate steps have been taken, and a statement that the company takes seriously the trust placed in it to safeguard personal information.

It’s an adequate response. But it ignores something that might genuinely make customer data safer in the future: stronger cybersecurity laws to prevent these kinds of breaches from happening in the first place.

How should we respond to data breaches?

If your data were involved in the Qantas breach, you might be wondering what to do about it.

The first sensible step might be to find out what personal information was compromised. Next, you might research the potential harm that could come from your name, Qantas Frequent Flyer number, and tier status being accessed.

You may learn about the risks of identity theft, account hijacking, and scams.

After that, you might want to figure out what actions you could take to protect yourself – that is, how to best secure your data. Plenty of websites offer advice along these lines[6].

If you are a Qantas customer, and received the follow-up email, you may have noticed a section titled “What steps can I take to protect myself?”. This part encourages users to stay alert, use two-factor authentication, stay informed about the latest threats, visit IDCARE’s Learning Centre, and never share passwords or sensitive information (stating that Qantas will never ask for them).

While these are helpful suggestions, they place a significant burden on the customer. They also imply that if our data becomes compromised, we may be partially to blame for not doing more to protect ourselves.

Is this fair or useful? Rather than just trying to protect ourselves after data breaches, we might be better off focusing our attention on why breaches occur and the legislators who make the rules for the companies that hold our data.

Does the law have an unhealthy obsession with data breaches?

It may seem that, to improve cybersecurity laws, we need to pay more attention to Qantas-like data breaches and impose bigger fines on companies when they occur. However, this is not necessarily the best solution.

As US privacy scholars Daniel Solove and Woodrow Hartzog point out in their 2022 book Breached![7]: “Data privacy law has an obsession with data breaches.”

Ironically, the authors claim, “this obsession has […] been the primary reason why the law has failed to stop the deluge of data breaches. The more obsessed with breaches the law has become, the more the law has failed to deal with them.”

Solove and Hartzog argue that focusing solely on the breaches themselves prevents us from concentrating on prevention.

How effective is Australian cyber security law?

In Australia, recent reforms to the Cyber Security Act 2024[8] introduced the Cyber Incident Review Board[9], which can:

make recommendations to government and industry about actions that could be taken to prevent, detect, respond to or minimise the impact of, cyber security incidents of a similar nature in the future.

These reforms are an important step in addressing prevention, and the Cyber Incident Review Board will undoubtedly draw many lessons from the Qantas case when it performs its post-incident review – such as identifying potential weaknesses at the offshore IT call centre.

However, we shouldn’t have to wait until an incident occurs to start thinking about how to protect against breaches. There are also concerns about whether the recommendations it offers will be put into law.

Ideally, we need legislation that focuses on prevention, not just post-incident responses. If we had laws that required companies to conduct audits, provide legally binding safety checks applicable to all relevant stakeholders, and impose penalties for non-compliance with these standards, it would genuinely improve prevention.

Revising our flight path

Our response to the Qantas breach will no doubt follow a familiar pattern: first, we panic! Then we get angry at the company. Next, we attempt to follow privacy advice – at least for a short while – changing a password or two before becoming complacent and then lowering our privacy vigilance. And then the cycle repeats the next time a breach occurs.

We don’t need to accept this eternal pattern, however. If we focus our attention on lawmakers, rather than these immediate responses we are all too familiar with, prevention becomes a possibility.

References

  1. Qantas announced (www.qantasnewsroom.com.au)
  2. 5.7 million (www.abc.net.au)
  3. offshore IT call centre (www.theguardian.com)
  4. Optus Breach (www.theguardian.com)
  5. Medisecure Hack (www.theguardian.com)
  6. along these lines (www.abc.net.au)
  7. Breached! (www.danielsolove.com)
  8. Cyber Security Act 2024 (www.legislation.gov.au)
  9. Cyber Incident Review Board (www.homeaffairs.gov.au)

Read more https://theconversation.com/how-can-we-stay-safe-after-data-breaches-step-1-is-to-change-the-cybersecurity-laws-260816
