Australian Privacy Commissioner Finds Qantas Not Liable for 2025 Data Breach
A tech support scam targeting a contact center agent led to a massive data breach at Qantas, but the Australian Privacy Commissioner has ruled the airline did not breach its obligations.

Australia's Privacy Commissioner has concluded that Qantas is not liable for the massive 2025 data breach that exposed the personal information of 5.7 million customers. The Commissioner's report, released today, found that the airline took reasonable steps to protect customer data and did not breach its obligations under the Australian Privacy Principles (APPs).
The incident, which Qantas had previously attributed to a social engineering attack on a contact center, was detailed further in the Commissioner's report. A scammer, posing as "Qantas IT help," contacted a contact center agent and instructed them to access the Customer Relationship Management (CRM) system to close a support ticket. Instead of resolving an issue, these actions inadvertently connected the CRM to a data extraction tool, which the attackers then used to exfiltrate customer records.
In assessing Qantas's compliance with the APPs, the Commissioner reviewed the airline's security measures. This included audits of the contact center operator and security awareness training for employees, which had been conducted in the months leading up to the breach. Qantas also implemented mandatory and recurring training on the handling of personally identifiable information (PII).
The Commissioner was satisfied that Qantas had implemented adequate safeguards, including role-based access controls, to protect personal information from unauthorized access. The report explicitly stated that "Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident."
Furthermore, the regulator examined Qantas's practices regarding the destruction or de-identification of unnecessary personal information. The airline confirmed that it conducted annual data removal processes from its CRM and that no records due for deletion were present at the time of the attack. This adherence to data retention policies contributed to the Commissioner's decision not to launch a formal investigation.
Commissioner Carly Kind noted in the report that "it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred." The method of entry, a vishing attack, was deemed by the Commissioner to be something that could not have been prevented by strengthening existing access controls.
While the Commissioner's report absolves Qantas of direct liability for this specific incident, the airline may still face legal challenges. The report acknowledges that class-action lawsuits are in progress, indicating that the matter may not be fully resolved for Qantas.
The identity of the attackers remains unknown, although speculation from security experts points towards the Scattered Spider gang, which had been reportedly targeting the aviation industry in the weeks preceding the Qantas breach.