• 2 min read
Qantas avoids privacy probe after 5.7 million-record breach
Australia’s Privacy Commissioner says a vishing scam caused Qantas' 2025 breach, but the airline did not violate privacy rules despite exposing 5.7 million records.

Image: The Register
Australia’s Privacy Commissioner says a tech support scam triggered the 2025 Qantas data breach, yet the airline did not breach its privacy obligations even though personally identifiable information for 5.7 million customers was exposed.
In a report published today, the Commissioner said the incident began when an attacker posing as “Qantas IT help” called a contact center agent. The caller instructed the agent to access a CRM system and carry out steps supposedly needed to close a support ticket. Instead, those actions linked the CRM to a data extraction tool, which the attackers then used to siphon customer records.
Qantas had already said the breach stemmed from a social engineering attack on a contact center. The new report adds that the regulator reviewed whether the airline complied with the Australian Privacy Principles (APPs), which govern how businesses protect personal information, and concluded that it did.
According to the report, Qantas had:
- audited the operator of the contact center
- tested employee security awareness in the months before the incident
- run mandatory, recurring training on handling personal information
- used role-based access controls to protect data
The Commissioner also found no issue with Qantas' cross-border data-sharing practices. On data retention, Qantas said it ran annual data removal processes in its CRM and that no records requiring deletion were present when the attack happened.

Recommended reading
Law firm gave staff one master password for every account
“Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident.”
That finding led the regulator to decline a formal privacy investigation. Commissioner Carly Kind said “it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred,” adding that the vishing attack could not have been stopped by strengthening Qantas' existing role-based access controls.
The case may not be over. The Commissioner could revisit the matter, and class-action lawsuits are already underway. The report also does not identify the attackers, though pundits have linked the incident to Scattered Spider after the group began targeting the aviation industry in the weeks before the Qantas breach.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


