When news broke of a data breach affecting millions of Qantas customers, it raised serious concern across industries that rely on outsourced contact centres.
According to Qantas’s official statement, the incident involved a third-party platform used by one of its providers. Early reports suggest the breach may have started with a phone call, where someone impersonating an IT or internal official obtained login credentials to gain access.
Cybersecurity firm CyberCX, which is supporting Qantas’s response, has stated that the attack bears the hallmarks of Scattered Spider—a cybercriminal group known for targeting large corporations through social engineering. Just days before the breach was detected, the FBI issued a public alert about the group’s activities. The warning specifically called out attacks on airlines and third-party service providers, using tactics like impersonating employees to deceive IT helpdesks and bypass security protocols, including multi-factor authentication.
But this isn’t just about one airline. For those of us in the contact centre industry, it hits close to home. Social engineering specifically targets the human element. And when your people are the frontline, you need to be ready.
How we train for moments like this
Preparation is everything, especially when the risk is subtle and fast-moving.
At TSA Group, our people are trained not just to follow a checklist, but to recognise patterns, pick up on inconsistencies, and act with confidence. That mindset is introduced from Day One. Every new hire completes cybersecurity awareness training and continues to refresh that knowledge annually, gaining a clear understanding of what to look for and how to respond.
We run monthly phishing simulations to keep instincts sharp, backed by regular reminders across email, posters, our intranet, and internal social platforms. Awareness is not left to chance, it’s embedded through coordinated efforts like our Business Continuity Awareness Week, Privacy Awareness Week, and our year-round focus on customer privacy. These initiatives involve everyone, from customer service agents to executive leadership. And if something doesn’t feel right, our teams know exactly how and when to escalate. Because when your frontline is alert, trained, and backed by a clear process, confidence and clarity become your strongest defences.
And this isn’t new thinking. Back in 2022, we shared how our people are the first line of defence, and that principle continues to guide us today.
When preparation pays off
Earlier this year, we began receiving a series of standard-sounding calls. But the volume, the language, and the timing raised suspicions.
Across different shifts, agents started flagging what they were seeing. Patterns were forming, and instead of brushing it off, they escalated their concerns—fast.
That early response triggered a coordinated effort. Leaders moved quickly to tighten safeguards. Quality teams zeroed in. Everyone stayed alert, focused, and connected.
In the end, nothing slipped through. No data was accessed. No transactions processed. What could have been a serious incident was shut down before it could do damage.
It wasn’t luck. It was a trained response, a clear process, and a team culture that encourages people to speak up.
Working in partnership to stay ahead
When businesses choose to outsource, they’re not just handing over tasks. They’re entrusting a partner with their reputation, customer trust, and sensitive data. That responsibility calls for more than operational efficiency. It requires alignment, clarity, and mutual accountability.
In incidents like the Qantas breach, collaboration between businesses and their service providers becomes critical. Timely communication, shared insight, and joint decision-making can mean the difference between containment and escalation.
At TSA Group, we involve our clients as soon as a credible concern arises. We bring evidence, proposed action, and complete transparency. That way, we’re not just raising the alarm, we’re working together on solutions.
When the risk is high, we mobilise quickly. War rooms are activated. Roles are clear, and communication flows. In one recent case, this coordinated approach helped us stop a large-scale scam attempt before any customer data was compromised. The client later described it as one of the best-managed incidents they had seen.
Why the human element still matters
The Qantas breach has reignited debate around outsourcing, offshoring, and automation. Could this have been prevented if the work had stayed in-house? Would a locally based team have caught it sooner?
But this wasn’t a failure of location or logic. It started with a phone call—someone impersonating an employee, gaining trust, and convincing another person to hand over access. It was a social interaction designed to deceive. And it took human instincts to recognise the threat.
That’s exactly what played out in our own experience. The calls passed all the checks. The requests sounded routine. But our agents noticed something wasn’t right. They paid attention to the language, the volume, and the timing. And they escalated before damage could be done.
Technology is critical. Processes are essential. But the last line of defence is always people. It’s the training they receive, the culture they’re part of, and the confidence they’re given to speak up.
That’s the real lesson. People aren’t the weakness—they’re the strength. And at TSA Group, we never forget it.
TSA are Australia’s market leading specialists in CX consultancy and contact centre services. We are passionate about revolutionising the way brands connect with Australians. How? By combining our local expertise with the most sophisticated customer experience technology on earth, and delivering with an expert team of customer service consultants who know exactly how to help brands care for their customers.