BlueVoyant's warning after Qantas and Mango cyber attacks

Two major supplier breaches in one week have sent a clear warning to Australian businesses.

Cybersecurity firm BlueVoyant says the recent Qantas and Mango incidents prove that even the strongest companies are only as safe as their weakest partners.

"With Qantas customer data now appearing on the dark web and Mango confirming a third-party breach through a marketing vendor, Australian businesses seeing two major third-party breaches in the same week should take notice: your security posture is only as strong as your weakest link," said Kash Sharma, Managing Director for Australia and New Zealand at BlueVoyant.

The stark message follows the release of data belonging to 5.7 million Qantas customers after hackers published stolen records online. The criminals, calling themselves Scattered Lapsus$ Hunters, reportedly accessed the information in July by tricking a Qantas call centre worker in the Philippines into sharing credentials for a third-party platform, Salesforce.

At the same time, fashion retailer Mango confirmed it had also suffered a breach through one of its marketing vendors. The two incidents, occurring within days of each other, highlight the growing threat posed by compromised partners across corporate supply chains.

Sharma said that even when a company's core systems remain intact, exposure through external suppliers can be devastating. "As seen in these cases, even when core infrastructure remains untouched, exposure through a vendor or partner can have significant consequences for customer trust and brand reputation," he explained.

Third-party suppliers often manage sensitive customer data or have privileged access to internal systems - yet organisations rarely have full visibility into their partners' cyber practices. "Third-party suppliers often handle sensitive data or have access to key systems, but organisations can't always see or control the cyber standards of every partner in their ecosystem," Sharma said. "This is why continuous third-party risk monitoring has become essential."

According to BlueVoyant, attackers increasingly exploit gaps outside a company's direct control. These weaknesses, Sharma said, are being actively targeted by criminal groups seeking the "easiest way in". "Attackers are looking for the easiest way in, often by exploiting gaps in trusted partners that sit outside an organisation's perimeter," he added.

In Qantas's case, those gaps proved costly. After the ransom deadline passed, the hackers followed through on their threat, publishing customer records on the dark web. The exposure sparked anger among passengers who discovered their personal information - including names and addresses - available to download.

The breach has also renewed speculation over whether Qantas could face a financial penalty under the Australian Privacy Act. The Office of the Australian Information Commissioner has so far declined to comment, but privacy experts argue that any sanction should reflect the airline's scale and recent $1.6 billion full-year profit.

BlueVoyant's warning comes amid growing evidence that supply-chain attacks are on the rise. Research from the company shows that organisations relying on large vendor networks are increasingly being caught out by breaches that originate from smaller, less-protected partners.

Sharma said visibility and real-time monitoring are now essential for any company working with third-party providers. "This is a reminder that visibility across your entire supply chain is now a fundamental component of cyber resilience," he said. "Whether you're a global fashion retailer or major airline, the lesson is the same - you're only as secure as the partners you keep."

The company's research also suggests that many firms underestimate how frequently vendor-linked vulnerabilities emerge - and how long they take to be detected. In most cases, BlueVoyant found, businesses only discover the breach after data has already been exposed online.

For customers affected by such incidents, the aftermath can be equally damaging. Cyber experts warn that those whose data has been leaked should expect a second wave of phishing scams and identity-theft attempts. Once personal details appear on the dark web, they can circulate indefinitely, traded and reused by different criminal groups.

BlueVoyant argues that prevention depends on greater collaboration between companies and their suppliers - not just during onboarding but throughout the entire relationship. Sharma explained that the traditional model of one-off audits is no longer sufficient in an era of constant cyber threats. "Continuous monitoring, not annual assessments, is what allows organisations to catch issues before they escalate," he said.

The events of the past week have also underscored the reputational damage that can follow a third-party incident. Even though the root cause may lie outside a company's direct control, customers tend to hold the brand they trust responsible.

"Customers don't differentiate between a vendor breach and a corporate breach," Sharma said. "If your supplier fails, your name is the one in the headlines."

As investigations into both breaches continue, BlueVoyant's message to Australian business leaders is unequivocal: cyber resilience now depends on complete transparency across every partner and provider in the chain.

"The lesson is simple," Sharma concluded. "You're only as secure as the partners you keep."