THE Office of the Australian Information Commissioner (OAIC) concluded that despite the Qantas data breach in 2025, which compromised 5.67 million customer records, Qantas is unlikely to have breached Australian privacy laws. The breach occurred when an attacker socially engineered a contractor employee to access a customer relationship management platform, allowing data exfiltration. The suspicious activity was detected two days later.
The OAIC's investigation highlighted Qantas' adherence to supplier audits, security training, role-based access controls, and incident responses. However, further action against Qantas remains a possibility, and despite an injunction preventing the distribution of stolen data, the injunction does not affect all parties. Qantas confirmed that criminals had released stolen customer data, and additional resources referred for more information are included.