Skip to main content
Privacy
  • On this page

Published:  

Privacy Commissioner’s foreword

Every year, the Office of the Australian Information Commissioner (OAIC) is notified of more than a thousand data breaches that are likely to result in serious harm to individuals. For the past 8 years of OAIC Notifiable Data Breach (NDB) reporting, malicious or criminal attacks have consistently been the primary cause of such breaches, with social engineering or impersonation being a highly prevalent cause. Social engineering refers to situations where a malicious actor impersonates another individual to gain access to an account, system, network or physical location, bypassing technical security measures in the process.

The data breach experienced by Qantas Airways Limited (Qantas) in 2025, which affected approximately 5.12 million Australians, came about as a result of a social engineering attack on an overseas third-party provider contracted by Qantas. The breach left many Australians concerned for their privacy, and frustrated that their personal information had been subjected to unauthorised access by hackers. As is standard procedure in major data breaches, the OAIC made preliminary inquiries to ascertain the causes of the data breach and identify any acts or practices on the part of Qantas that warrant investigation by the OAIC. These extensive preliminary inquiries took place over nearly a year and involved access to information and documents held by Qantas.

As detailed in the report, the information obtained through our preliminary inquiries did not indicate a likelihood that Qantas had failed to take reasonable steps to protect the personal information it held at the time of the incident. Nor did it indicate a likelihood that Qantas failed to take reasonable steps to ensure its overseas third-party provider complied with the Australian Privacy Principles (APPs). These observations are based on preliminary inquiries only. The OAIC has not conducted a Commissioner-initiated investigation (CII) and this report does not make concluded findings on these matters. It is still open to the Commissioner to commence an investigation of Qantas with respect to these or other practices.

The impact of the data breach was reduced by Qantas’ timely implementation of its incident management and reporting framework which sought to contain and remediate the data breach. Furthermore, Qantas’ post-incident remediation steps, which included engaging specialist teams to assist in forensic analysis of the incident and the provision of additional training, are examples of additional risk reduction measures. While they may not prevent all future intrusions, they are indicative of Qantas taking steps to reduce these risks.

For the reasons outlined in this report, I have concluded my preliminary inquiries into the data breach without commencing a CII or taking other regulatory action in response to the incident. I do not consider the evidence supports the likelihood of a breach and do not consider it an appropriate use of resources to commence a CII.

Section 33B of the Privacy Act empowers me to release information where doing so is in the public interest. I have decided to publish this report of the OAIC’s preliminary inquiries into the breach because of the high level of public interest in the incident, and the educative value of disseminating both the findings and information about the OAIC’s decision-making process.

Summary and background

Qantas is Australia’s largest domestic and international airline. Qantas has contact centres located overseas that are operated by a third-party provider.

Qantas advised that on Saturday 28 June 2025, an agent employed at a contact centre (Agent) received a call from a threat actor impersonating ‘Qantas IT help’. The Agent was deceived into believing that the threat actor was a legitimate Qantas employee that was contacting to check an IT issue that the Agent may have been experiencing.

The threat actor directed the Agent to visit a website related to a customer relationship management platform used by Qantas contact centre agents (CRM Platform). The threat actor directed the Agent through a series of actions that the threat actor claimed were required to close an IT support ticket. At the time, the Agent was authorised to access the contact profiles of customers on the CRM Platform as part of performing their daily role.

The actions resulted in the Agent’s instance of the CRM Platform being connected to a data extraction tool operated by the threat actor, which was used to extract data from the contact profiles that the Agent had access to.

This constituted a cyber incident arising from a successful case of phone-based social engineering, also known as ‘vishing’.

In the morning of Monday 30 June 2025, a Qantas staff member with responsibilities in relation to the CRM Platform identified an unusual number of system-generated login attempt alerts from 28 June 2025. Upon seeing them, the staff member alerted the Qantas cybersecurity team. Subsequent internal investigations confirmed that the 2 alerts were generated due to an unusual number of failed login attempts.

Upon validating the alerts, Qantas took immediate steps to contain and remediate the cyber incident. On the same day of 30 June 2025, Qantas:

  • analysed logs related to the system generated alerts and subsequently identified an unauthorised login that was unusual
  • ‘froze’ and revoked access to the account associated with the unauthorised access, thereby securing the CRM Platform
  • analysed the impact of the perceived unauthorised access, assessed for data exfiltration, and consequently triggered requisite incident response processes.

Qantas disclosed the incident to the public a few days later, on 2 July 2025.

Qantas also engaged specialist legal and forensics experts to conduct a forensic analysis of the customer data in the system that was compromised. On or around 9 July 2025, Qantas notified all impacted customers of the specific types of personal information that had been impacted by the incident.

Throughout our enquiries Qantas continued to actively monitor the CRM Platform and notified us that there is no evidence of any further or ongoing threat actor activity.

Preliminary inquiries

Between 11 July 2025 and 1 June 2026, the OAIC conducted preliminary inquiries with Qantas under s 42(2) of the Privacy Act to assess Qantas’ compliance with the Notifiable Data Breaches Scheme and determine whether to commence a CII under s 40(2) of the Privacy Act. The preliminary inquiries examined the circumstances of the cyber incident and the likelihood that Qantas had contravened APPs 1, 8 and 11.

In undertaking these preliminary inquiries, the OAIC had regard to the APP Guidelines, our regulatory position on the application of APPs 1, 8 and 11 as described in the APP Guidelines, recent privacy determinations, and established international and domestic cyber security frameworks – including ISO/IEC 27001, the Australian Government Information Security Manual (ISM), and the ASD Essential Eight Maturity Model.

Our preliminary inquiries established that:

  • approximately 5.67 million customer records (including overseas customers) were compromised by the cyber incident
  • For approximately 4 million customer records, the compromised information included:
    • names
    • phone numbers
    • email addresses
    • Qantas Frequent Flyer details, including Frequent Flyer numbers, tiers, points balances and status credits
    • For approximately 1.7 million other customer records, the compromised information included a combination of the aforementioned information, and one or more of:
    • residential or business addresses, including hotels for misplaced baggage delivery
    • dates of birth
    • gender
    • meal preferences
  • no credit card details, personal financial information or passport details were stored on the CRM Platform and therefore were not compromised. Qantas also advised that customer passwords, PINs and log in details were not accessed or compromised.

This report details the information obtained during the OAIC’s preliminary inquiries, and reasons why the OAIC determined not to  conduct a CII following those preliminary inquiries. This information may have relevance  to other processes underway at the OAIC related to the data breach, such as individual and representative complaints. However, any decision on those processes will be taken on a case-by-case basis in accordance with the relevant provisions of the Privacy Act.

Management of personal information – APP 1 analysis

APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems relating to the entity’s functions or activities that will ensure the entity complies with the APPs and any binding registered APP code, and enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs and any binding registered APP code.

Steps taken by Qantas

In assessing Qantas’ compliance with APP 1.2, we had regard to the following:

  • regarding the overseas contact centre at which the Agent was employed, Qantas undertook cyclical audits of the contracted third-party service provider of the contact centre. This included supplier security assessments auditing the security awareness of the contact centre’s employees, technical controls and operational controls. Controls that were audited included those relating to information security, data governance, network security and privacy. Assessments were also conducted prior to the onboarding of the supplier. The most recent onsite supplier security assessment was conducted in 2025 which assessed technical security awareness and operational controls
  • Qantas had mandatory training programs for staff at the overseas contact centre. Staff were required to undertake a mandatory, recurring cyber awareness online training course which included raising awareness on potential cyber risks, threats and consequences. Staff who handled personal information had a further mandatory, recurring privacy awareness online training course focusing on how to recognise and handle personal and confidential information safely. Compliance with training programs was tracked and reported on by Qantas
  • the third-party service provider operating the contact centre also provides its own cyber and data protection training to its call centre agents annually
  • in the agreement between Qantas and the third-party service provider operating the contact centre, Qantas included clauses that enshrined contractual obligations for the third-party service provider to handle personal information in accordance with the APPs, in addition to other applicable local privacy laws and international standards. This is further expanded on in the APP 8 analysis below
  • Qantas implemented other controls, practices, procedures and systems as described in the analysis of the other APPs below.

In relation to the assessment of whether Qantas had taken reasonable steps to ensure it could deal with inquiries or complaints from individuals about APP compliance, we observed:

  • after the data breach was identified, Qantas notified all individuals that were impacted by the incident
  • Qantas opened a dedicated support phone line that operated continuously, 24 hours a day, 7 days a week. Impacted customers could contact the line for information and support, including referral to third-party identity protection services.

Were these steps reasonable in the circumstances?

The information obtained via preliminary inquiries did not suggest that Qantas failed to take reasonable steps to ensure compliance with the APPs and to enable Qantas to deal with inquiries or complaints from individuals about Qantas’ compliance with the APPs.

We consider that the information available suggests that the steps taken by Qantas were adequate in the circumstances to comply with the APPs, including having adequate measures in place with respect to the management and ongoing compliance of their third-party service providers, and with respect to dealing with inquiries or complaints from individuals about APP compliance.

Cross-border disclosure of personal information – APP 8 analysis

APP 8.1 provides that before an APP entity discloses personal information about an individual to an overseas recipient, the entity must take such steps as are reasonable in the circumstances to ensure that the recipient does not breach the APPs (other than APP1) in relation to the information. Where an APP entity discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach the APPs per s16C of the Privacy Act.

In assessing Qantas’ compliance with APP 8, we had regard to the relevant service level and contractual agreements between Qantas and the contact centre provider. Our inquiries identified that Qantas had a service level agreement with the contact centre provider which required it to maintain compliance with ISO 27001:2013 (or equivalent), provide Qantas with audit rights, and comply with the Privacy Act and the General Data Protection Regulation (GDPR).

ISO 27001 compliance is particularly relevant in assessing whether Qantas took reasonable steps to prevent a breach of the APPs in this context. Compliance with the standard requires adherence to several controls directly connected to the circumstances of this incident, including:

  • information security awareness, education and training: requiring staff to receive appropriate awareness training, including on phishing and social engineering
  • acceptable use of information and associated assets: establishing clear rules for managing access credentials and information assets
  • data leakage prevention: including monitoring mechanisms to detect data exfiltration.

On balance, our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident. Additionally, the information available suggests that the contact centre provider’s compliance with the relevant standards, particularly in the areas of access control, agent training, and monitoring were reasonable in the circumstances, and it is our view that Qantas took steps to ensure that this was the case.

Security of personal information – APP 11.1 analysis

APP 11.1 requires organisations to take such steps as are reasonable in the circumstances to protect personal information from unauthorised access. Reasonable steps include technical and organisational measures. Technical measures include protecting personal information by implementing technological controls and physical measures relating to software and hardware. Organisational measures involve implementing policies, processes and procedures to protect the security of information.

The fact that a breach occurred does not, on its own, mean that an organisation failed to take steps as are reasonable in the circumstances.

As per the APP Guidelines,[1] the steps that an APP entity must take to ensure the security of personal information will depend on the circumstances. This includes:

  • the nature of the APP entity: we considered Qantas’ size and market presence as Australia’s flag carrier
  • the amount and sensitivity of the personal information Qantas held: we considered the amount and sensitivity of the information held in the CRM Platform
  • the possible adverse consequences for an individual in the case of a breach: we considered whether the steps Qantas took were commensurate with the potential risks and adverse consequences
  • the practical implications of implementing the security measure, including time and cost involved: we considered whether it would be considered excessively burdensome to take particular steps in all the circumstances.

Steps taken by Qantas

Based on the information provided by Qantas in response to our preliminary inquiries, it appears that at the time of the incident:

  • the contact centre provider had documented training requirements which Qantas ensured were met through audit. Both cyber‑awareness and privacy‑awareness training were provided, alongside data‑protection training for contact centre agents
  • Qantas implemented role-based access controls that restricted contact centre agents to the personal information necessary to perform their duties. In this case this was for the purposes of providing customer service
  • Qantas had an incident management and reporting framework and took appropriate steps to contain and remediate the incident once detected. The incident response steps Qantas took appeared consistent with the relevant standards.

Were these steps reasonable in the circumstances?

On balance, the evidence obtained did not point towards significant omissions or failures in the steps taken by Qantas to address the security risks. This is on the basis that:

  • there did not appear to be a systemic deficiency in contact centre training − most social engineering training focusses on credential theft and does not usually address the less common tactic of inducing an employee to authorise access through legitimate system interactions. It is therefore likely that the attack would have succeeded even if standard training had been in place
  • the vulnerability arose from a default configuration that allowed an end user (in this case, the Agent) to authorise a connection of a third-party application, which indicates Qantas’ implementation of role-based access controls would not have prevented it. This default setting has since been changed by the CRM software provider for all its customers
  • Qantas identified and escalated the incident promptly and contained the threat, consistent with the steps Qantas had taken to integrate recovery processes into its cyber security risk management system to reduce the extent of any privacy interference post incident and protect personal information.

In addition to the steps in place at the time of the incident, Qantas advised that it:

  • activated its crisis management response post incident, including engaging legal and forensics experts to support a forensic analysis of the customer data in the system that was compromised
  • on 2 July 2025, disclosed the incident to the public and commenced notifying customers they believed to be impacted
  • from 9 July 2025, notified all impacted customers of the specific types of personal information that had been impacted by the incident and arranged specialist support to address customer concerns
  • developed an additional, dedicated online social engineering course to be rolled out to contact centre agents, and provided contact centre agents additional face-to-face training to reinforce learnings from the online module.

De-identification and destruction of personal information – APP 11.2 analysis

APP 11.2 requires an APP entity to take such steps as are reasonable in the circumstances to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs.

Steps taken by Qantas

Based on the information provided by Qantas in response to our preliminary inquiries, it appears that:

  • Qantas’ information retention policy is to hold the personal information of customers in the CRM Platform up to seven years from the most recent customer interaction. For information that is older than 7 years, Qantas has processes to remove the data from the CRM Platform if there is no legal or business need to retain it for longer
  • aligning with Qantas’ information retention policy, customer information that was held in the CRM Platform for longer than 7 years had a documented business need arising from the relationship of the customer with Qantas, such as a corporate account or membership with Qantas’ loyalty programs
  • Qantas conducts scheduled data removal on the CRM Platform at least annually. This schedule was in place prior to the data breach incident. Qantas has confirmed that customer records that were identified as no longer being needed for a legal or business purpose have been removed from the CRM Platform both before and after the data breach incident
  • Qantas has additional processes to consider and facilitate the deletion of data from the CRM Platform on an ad hoc basis upon request. This includes requests from customers. Any such requests are assessed by Qantas’ Group Privacy Office team.

Were these steps reasonable in the circumstances?

On balance, the evidence obtained did not point towards significant omissions or failures in the steps Qantas took to de-identify or destroy personal information that was no longer needed was reasonable in the circumstances. This was on the basis that:

  • Qantas’ policy of retaining personal information for seven years aligns with standard information retention practices followed by corporations[2]
  • Qantas has implemented policies and procedures around identifying customer information that is no longer needed and ensuring it is deleted. This includes having a specialist team, the Group Privacy Office, to abide by information retention and destruction obligations. The practice of data removal of customer records on the CRM Platform was a regular and implemented practice. The deletion of data upon request was also facilitated, including requests from customers.

Commencing an investigation

I have a broad discretion to commence an investigation of an act or practice where it may be a contravention of the APPs and where it is desirable to do so (s 40(2)). Decisions to exercise that discretion are guided by the OAIC’s Statement of Regulatory Approach, Privacy Regulatory Action Policy and alignment with our Regulatory Priorities.

The information obtained during the preliminary inquiries into the data breach did not point towards a contravention of the APPs that would justify the exercise of the discretion to investigate this matter further. The preliminary inquiries did not reveal any omissions or failings in the steps taken by Qantas to protect the personal information it held or to ensure the contact centre provider complied with the APPs. Based on the information provided, it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas’ current role-based access controls. Additionally, the preliminary inquiries indicated that the incident was not indicative of a systemic deficiency in staff training. Qantas was quick to activate its crisis management response post incident and undertake a forensic analysis of the incident.

I am therefore closing the preliminary inquiries into the data breach without commencing a CII or taking other regulatory action in response to the incident at this time. It is still open to me to commence an investigation with respect to these or other practices at a later time, and this report should not be taken as an endorsement of Qantas’ acts or practices or an assurance of their broader compliance with the APPs.

As the OAIC has received a Representative Complaint, and individual complaints, about this data breach, I confirm that those parties are being engaged with directly in relation to their individual complaints and the contents of this report.

Publication of report

Having regard to the matters listed in s 33B(2) of the Privacy Act, I am of the view that publishing this report would be in the public interest. I confirm that this report reflects the outcomes of preliminary inquiries. Accordingly individual complaints and any future commissioner-initiated investigation would be considered on the basis of information relevant to those processes. In my view publication of this report reflecting the outcome of preliminary inquiries would not prejudice the rights of individuals or the processes available under the Privacy Act.

I have also considered whether the publication of this report would likely disclose any confidential information. The report details steps taken by Qantas in relation to this significant event. However, in my view, that content reflects established standards and procedures generally known or in place to prevent and/or manage cyber risks.  Accordingly, when balanced against the public interest to be served I am satisfied that publication of this report will serve the public interest for reasons including that greater awareness of the need for cyber security and associated vigilance offers an additional layer of community protection.

I am satisfied, on balance, that it is in the public interest to disclose this report publicly.  This is because of the high level of public interest in the incident and the benefits in promoting public awareness and understanding of this significant event, the causative factors and the extant privacy protections implemented by Qantas. Given the increasing sophistication of cyber attacks, I consider that publishing details of this preliminary inquiry can highlight to APP entities of the need to take reasonable steps to protect personal information from unauthorised access. It is also important to note that while no security control is completely effective, appropriate risk reductions measures such as the measures taken by Qantas can reduce the impact of privacy interference of individuals. Individuals and the community will also benefit from a heightened awareness of the risks of cyber-attack particularly those that deploy social engineering.


[1] www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information, 11.8.

[2] See, for instance: Overview of record-keeping rules for business | Australian Taxation Office.