• 2 min read
Qantas dodges privacy probe after 5.7M-record breach
Australia’s Privacy Commissioner says a 2025 vishing scam caused Qantas' 5.7 million-customer breach, but the airline did not violate privacy rules.

Image: The Register
A tech support scam triggered Qantas' massive 2025 data breach, exposing personally identifiable information tied to 5.7 million customers. But Australia’s Privacy Commissioner has concluded the airline did not breach its privacy obligations and has decided against opening a formal investigation.
In a report published today, the regulator said the incident began when a scammer posing as “Qantas IT help” called a contact center agent. The attacker convinced the agent to access a CRM system and carry out steps supposedly needed to close a support ticket. Instead, those actions linked the CRM to a data extraction tool, which was then used to siphon off customer records.
Qantas had already said the breach stemmed from a social engineering attack on a contact center. The new report adds detail on how the compromise unfolded and why the regulator decided the airline had met the requirements of the Australian Privacy Principles (APPs).

Recommended reading
AI won’t replace penetration testers just yet
The Commissioner found that Qantas had:
- audited the contact center operator
- tested employee security awareness
- conducted mandatory, recurring training on handling personal information
- used role-based access controls to protect data
- scheduled annual data removal runs from its CRM
According to the report, those steps were enough to show Qantas had taken reasonable measures to safeguard personal information and to ensure the contact center complied with the APPs. The regulator also found no issue with the airline’s cross-border data-sharing practices.
“Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident.”
The report also states that no records that should have been deleted or removed were present at the time of the attack. Commissioner Carly Kind said it did not appear Qantas “could have reasonably foreseen and prevented the breach in the manner that it occurred,” adding that the vishing attack would not have been stopped by stronger role-based access controls alone.
That may not end the fallout. The Commissioner could revisit the matter, and class-action lawsuits tied to the breach are already under way. The report also does not identify the attackers, though pundits have suggested Scattered Spider after the group began targeting the aviation industry in the weeks before the Qantas incident.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via The Register


