Jul 18, 2026
Policy

Qantas avoids privacy probe after 5.7 million-customer breach

Australia’s privacy regulator said a vishing attack on a Qantas contact center led to the 2025 breach, but found the airline met its obligations.

Renata Fuchs

By Renata Fuchs · Policy Reporter

· 3 min read

Qantas avoids privacy probe after 5.7 million-customer breach
Photo: The Register

Australia’s Privacy Commissioner has declined to open a formal investigation into Qantas over a 2025 data breach that exposed personally identifiable information for 5.7 million customers. In a report published today, the regulator said the incident was caused by a tech support scam against a contact center worker and found that Qantas had not breached its duties under Australia’s privacy rules.

Qantas had already said the breach followed a social engineering attack involving a contact center. The Commissioner’s report adds operational detail: a caller claiming to be from “Qantas IT help” persuaded an agent to open a CRM system and take steps that were presented as necessary to close a support ticket. Those steps instead linked the CRM to a data extraction tool, which the attackers then used to pull customer records.

The decision is a notable outcome for enterprise security teams because it treats the breach as a successful vishing attack despite controls and training, rather than as proof that the company’s privacy program was deficient. It also sets out how the regulator assessed outsourced contact center risk, role-based access, data retention and cross-border data practices under the Australian Privacy Principles, known as the APPs.

Regulator says controls were adequate

The Commissioner examined whether Qantas took reasonable steps to protect personal information from unauthorized access, as required by the APPs. The report found that Qantas used role-based access controls and other measures to limit access to data. It also said the airline audited the operator of the contact center, tested staff security awareness in the months before the breach, and required repeated training on handling personal information.

On that basis, the Commissioner found that Qantas had taken adequate steps to make sure the contact center followed the APPs. The regulator reached a similar conclusion on Qantas’ cross-border data-sharing arrangements. The report states: “Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident.”

The Commissioner also reviewed whether Qantas had kept personal data longer than necessary. Qantas told the regulator it ran annual deletion processes for its CRM and that, when the attack occurred, the system did not contain records that should already have been removed or de-identified. That finding supported the decision not to escalate the matter into a fuller probe.

Class actions remain possible

Privacy Commissioner Carly Kind said she has discretion to investigate where there may have been a breach of the APPs and where doing so is desirable. In this case, she found that Qantas could not reasonably have predicted and stopped the attack in the form it took. She also said tightening the airline’s existing role-based access controls would not have prevented the vishing attack used to gain access.

The report leaves some issues unresolved. It does not identify the attackers. Security commentators have suggested the Scattered Spider group may have been involved, after the gang began targeting aviation companies in the weeks before the Qantas incident, but the Commissioner did not make that attribution.

The regulator could revisit the matter later, and class-action lawsuits related to the incident are already underway. Qantas has avoided a formal privacy investigation for now, but the legal and reputational costs of the 5.7 million-customer exposure are still playing out.

This story draws on original reporting from The Register.

More from Policy

All Policy →