Australia’s privacy regulator has decided not to open a formal investigation into Qantas Airways (QF), Australia’s flag carrier, over a 2025 cyber-attack that exposed the personal data of roughly 5.67 million customers. The Office of the Australian Information Commissioner (OAIC) published its findings this week, closing more than a year of preliminary inquiries into the incident. The report concludes that the information gathered did not reveal any failings in the steps Qantas took to protect the personal information it held, or to ensure its third-party contact centre provider complied with the Privacy Act, The Courier mail reported.
The breach happened on 28 June 2025, when a scammer posing as internal IT support tricked an agent at an overseas contact centre into granting access to a customer database. Qantas disclosed the incident days later and has since faced a representative privacy complaint, a class action threat, and the public leak of stolen records on the dark web. The OAIC’s decision means Qantas will not face a commissioner-initiated investigation or fines over the incident, at least for now.

How The Vishing Attack on Qantas Unfolded
The breach traces back to a single phone call. A caller claiming to represent “Qantas IT help” told a contact centre agent to access a customer relationship management (CRM) system and perform steps described as necessary to close a support ticket. Those steps instead linked the agent’s CRM session to a data extraction tool controlled by the attacker.
This method is known as vishing, a form of social engineering carried out over voice calls rather than email. The contact centre involved was operated by a Qantas contractor, and the attacker’s manipulation let them connect the platform to an external extraction tool without raising immediate alarms. A default setting on the CRM software allowed a single end user to authorise the external connection; the software provider has since changed that setting for all its customers, not just Qantas.

Cybersecurity researchers have linked the intrusion to a loose alliance of hacking groups tracked as Scattered Spider, Lapsus, and Shiny Hunters, sometime referred to collectively as Scattered Lapsus, and Shiny Hunters, Hunters.
Qantas said in a statement that it was one of several companies globally hit by data releases from this campaign, alongside other major firms. The airline said it obtained a Supreme Court of New South Wales injunction to try to stop the stolen data from being accessed or shared further.

What Customer Data Was Exposed
Qantas and the OAIC have both detailed the scope of the exposed records. According to the regulator’s report, roughly 5.67 million customer records were affected in total, though not all fields were exposed for every customer.
- About 4 million records contained names, phone numbers, email addresses, and Qantas Frequent Flyer details
- Around 1.7 million records also included home or business addresses
- The same subset included dates of birth, gender, and, for a small number of customers, meal preferences
- No credit card numbers, passport details, or account passwords were stored on the compromised system
The regulator confirmed that passwords, PINs, and account login credentials were not exposed in the breach. This distinction matters because it limits, though does not eliminate, the risk of direct financial fraud from the leaked data. Qantas has repeatedly told customers that no frequent flyer accounts were compromised as a result of the incident.

Why The Privacy Commissioner Chose Not to Investigate Further
Privacy Commissioner Carly Kind explained her reasoning in the published report. She noted that the vishing method used against the contact centre agent could not have been stopped simply by tightening Qantas’s existing role-based access controls, since the failure point was human trust rather than a technical gap in the system.
“I do not consider the evidence supports the likelihood of a breach and do not consider it an appropriate use of resources to commence a CII,” Kind wrote, referring to a commissioner-initiated investigation. The report also credited Qantas’s preparation before the attack, pointing to supplier audits, recurring staff security training, and role-based access controls as reasonable steps taken in advance.

Kind’s report weighed whether Qantas met three separate obligations under the Australian Privacy Principles, covering data management, cross-border disclosure, and general security of personal information. On each count, the commissioner found the airline had acted appropriately both before the breach and in its response afterward, including how quickly it contained the intrusion and alerted affected customers.
The commissioner also flagged a broader concern for the industry, warning that agentic and increasingly capable artificial intelligence tools are raising the bar for cybersecurity risk across businesses, making ongoing review of security posture necessary rather than optional.

How The Qantas Outcome Compares with Other Airline Data Breaches
Regulatory outcomes for airline data breaches vary widely depending on the jurisdiction and the specific failures found. British Airways (BA) offers the clearest contrast. After a 2018 breach that exposed the data of roughly 400,000 customers, including payment card details, the UK’s Information Commissioner’s Office fined the airline £20 million.
That fine followed an initial notice proposing a far larger penalty of £183.39 million, later reduced after BA’s representations and the pandemic’s impact on the airline industry were taken into account.

Unlike Qantas, investigators in the BA case found clear technical failings. Regulators found that customer traffic had been diverted to a fraudulent website over several months in 2018, where attackers harvested payment card and login details directly. That breach exposed financial data that the Qantas incident did not, which contributed to a harsher regulatory response.
The difference highlights a consistent theme in privacy enforcement: regulators tend to focus less on whether a breach happened and more on whether reasonable safeguards were in place beforehand. Qantas avoided a fine because investigators found its pre-incident controls were reasonable and the entry point was a human deception tactic rather than a software flaw. BA was fined because investigators found specific, preventable technical gaps that persisted for months before detection.

Legal Action Against Qantas Continues Separately
The OAIC’s decision does not end all legal exposure for Qantas. Law firm Maurice Blackburn lodged a separate representative complaint with the OAIC on behalf of affected customers, arguing the airline failed to take reasonable steps to protect their data. Maurice Blackburn principal lawyer Elizabeth O’Shea said the firm had filed the complaint and encouraged affected customers to register for updates on potential compensation.
That complaint is a separate process from the regulator’s own preliminary inquiries, and its outcome is not automatically decided by the OAIC’s decision not to launch a formal investigation. Customers pursuing compensation through Maurice Blackburn may still see their case proceed, though the OAIC’s finding that Qantas acted reasonably could weaken the underlying argument that the airline breached its legal obligations.

What Comes Next for Qantas and Affected Customers
Qantas has offered complimentary credit monitoring to customers affected by the breach and continues to advise vigilance against follow-up scams using the leaked contact details. Because names, emails, and phone numbers were exposed for millions of customers, security experts widely expect a rise in targeted phishing and impersonation attempts referencing Qantas Frequent Flyer accounts.
The OAIC’s report remains open to future scrutiny. Because it stems only from preliminary inquiries rather than a full commissioner-initiated investigation, the regulator retains discretion to revisit the matter if new evidence emerges. For now, Qantas exits the process without a fine or formal finding of fault, a rare outcome for a breach of this scale.