CANBERRA- Qantas (QF) will not face a formal privacy investigation after Australia’s privacy regulator concluded that the airline had taken appropriate steps to protect customer information before and after a cyberattack that affected approximately 5.67 million customer records.
The decision marks an important development in one of Australia’s largest aviation-related cybersecurity incidents.
The Office of the Australian Information Commissioner (OAIC) determined that the cyberattack targeted a third-party call centre platform rather than Qantas’ core systems.
The compromised database supported the airline’s Manila-based customer service operations, while flights from Sydney Airport (SYD) and the carrier’s operational systems remained unaffected during the incident.

Qantas Cleared of Privacy Probe
The OAIC announced that its preliminary inquiries found no evidence that Qantas had breached its obligations under Australia’s Privacy Act, meaning a formal regulatory investigation was not warranted at this stage.
However, the regulator retained the authority to reopen the matter if new evidence emerges.
According to the regulator’s findings, attackers gained access after impersonating members of the airline’s IT support team.
A call centre employee was persuaded to authorize access to a customer service platform on June 28, 2025, allowing the threat actors to reach customer records stored within the system.
The breach came to light two days later when a Qantas employee responsible for the platform noticed an unusually high number of automated login alerts.
The airline’s cybersecurity team immediately responded by containing the intrusion, securing affected systems, and beginning forensic investigations before publicly disclosing the incident on July 2.
The compromised information included customer names, residential addresses, phone numbers, email addresses, and dates of birth. The database also contained frequent flyer membership numbers, loyalty status, and customer preferences such as seat selections and meal requests.
Importantly, investigators confirmed that no passport details, payment card information, banking records, or other financial data were stored within the affected platform.

Enhanced Security Response Measures
Australian Privacy Commissioner Carly Kind acknowledged the significant consequences that data breaches can have for individuals but said the available evidence did not indicate that Qantas had failed to take reasonable security measures.
The regulator noted that Qantas had already implemented cybersecurity awareness training for call centre staff before the attack.
It also praised the airline’s rapid incident response procedures, which helped contain the breach and reduce further exposure of customer information.
Following the incident, Qantas strengthened its cybersecurity framework by expanding system monitoring capabilities, increasing employee security training, and bringing in specialist forensic teams to analyze the attack.
The airline also introduced additional safeguards designed to better protect customer information against future threats.
The regulator emphasized that sophisticated cyberattacks continue to affect organizations despite preventive measures and warned that increasingly capable artificial intelligence technologies are creating new cybersecurity challenges for businesses worldwide.

Legal Cases Continue Against Qantas
Although the privacy regulator has closed its preliminary inquiry, other investigations remain active. The Australian Federal Police continues to examine the cyberattack, which authorities have linked to the cybercriminal group Scattered Spider.
Investigators allege the group later worked alongside ShinyHunters and Lapsus$ to publish stolen Qantas customer data on the dark web after ransom demands were reportedly rejected.
Qantas subsequently secured a Supreme Court injunction to prevent wider distribution of the compromised information.
Meanwhile, law firm Maurice Blackburn is pursuing a proposed class action on behalf of affected customers whose personal information was allegedly stolen and later published online.
The legal application remains under consideration as related proceedings continue, The Courier Mail reported
Qantas said protecting customer information remains a top priority and confirmed it has introduced further security enhancements since the cyber incident to strengthen its overall cyber resilience.
Stay tuned with us. Further, follow us on social media for the latest updates.
Join us on Telegram Group for the Latest Aviation Updates. Subsequently, follow us on Google News
