The Office of the Australian Information Commissioner (OAIC) has determined that there was nothing to suggest Qantas had not done its part to protect its customers in last year’s cyber attack.
In its report, the OAIC found that the Flying Kangaroo had not failed to take reasonable steps to protect its customers’ data, and that its response afterwards had reduced the impact.
This content is available exclusively to Australian Aviation members.
A monthly membership is only $5.99 or save with our annual plans.
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Unlimited access to all Australian Aviation digital content
- Access to the Australian Aviation app
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Access to our Behind the Lens photo galleries and other exclusive content
- Daily news updates via our email bulletin
- Unlimited access to all Australian Aviation digital content
- Access to the Australian Aviation app
- Australian Aviation quarterly print & digital magazines
- Access to In Focus reports every month on our website
- Access to our Behind the Lens photo galleries and other exclusive content
- Daily news updates via our email bulletin
On 30 June 2025, Qantas confirmed that customer data had been stolen in a cyber attack impacting a call centre, with data including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The call centre breached gave the threat actor access to a third-party customer service platform that contained the service records of 6 million customers.
“As detailed in the report, the information obtained through our preliminary inquiries did not indicate a likelihood that Qantas had failed to take reasonable steps to protect the personal information it held at the time of the incident. Nor did it indicate a likelihood that Qantas failed to take reasonable steps to ensure its overseas third-party provider complied with the Australian Privacy Principles (APPs),” the OAIC said.
The OAIC urged that this was based entirely on preliminary inquiries only and that it had not conducted a commissioner-initiated investigation (CII) , and that the report does not “make concluded findings”, leaving it up to the commissioner to engage in an investigation.
The report also noted that Qantas’ response time and incident management procedures mitigated damage, indicating that the national carrier took steps to reduce risks.
“For the reasons outlined in this report, I have concluded my preliminary inquiries into the data breach without commencing a CII or taking other regulatory action in response to the incident. I do not consider the evidence supports the likelihood of a breach and do not consider it an appropriate use of resources to commence a CII.”
In response to the OAIC findings, Australian privacy commissioner Carly Kind acknowledged the preliminary findings and added that this indicated that a full investigation would be unnecessary.
“While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred. As a result, it would not be appropriate for the OAIC – a proportionate and risk-based regulator – to commence a full investigation or take further action at this stage,” said Kind.
“Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information.
“Agentic and advanced AI will only increase the cyber security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat.”
Qantas has been contacted for comment.
Want to see more stories from trusted news sources?
Make Australian Aviation a preferred news source on Google.
Click here to add Australian Aviation as a preferred news source.