The Australian Privacy Commissioner has published a report of the OAIC’s preliminary inquiries into the 2025 Qantas Airways Limited (Qantas) data breach incident. The report concludes the OAIC’s preliminary inquiries, and has been published to provide transparency about the incident and the OAIC’s response to it.
The Qantas data breach affected approximately 5 million Australians following a social engineering attack on an overseas third-party provider contracted by Qantas. The breach left many Australians concerned for their privacy, and frustrated that their personal information had been subjected to unauthorised access by hackers.
The OAIC’s report, based on almost a year of extensive inquiries in response to which Qantas provided information and documents to the privacy regulator, clarifies the causes of the data breach, examines the security measures implemented by Qantas prior to the data breach, and scrutinises its response to the data breach.
The report concludes that the information obtained during the preliminary inquiries did not reveal any omissions or failings in the steps taken by Qantas to protect the personal information it held or to ensure the third-party contact centre provider it uses complied with the Privacy Act.
“While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred. As a result, it would not be appropriate for the OAIC- a proportionate and risk-based regulator – to commence a full investigation or take further action at this stage,” Australian Privacy Commissioner Carly Kind said.
The preliminary inquiries established that, prior to the incident, Qantas undertook preventative measures such as auditing its overseas third-party contract centre provider, ensuring cyber and data protection training for contact centre agents and establishing processes for the destruction and de-identification of personal information once no longer required.
During and following the incident, Qantas took steps to reduce the impact of the breach. The data breach occurred despite a range of security measures Qantas had in place to reduce the risk of a cyber attack.
“Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information,” Commissioner Kind said.
“Agentic and advanced AI will only increase the cyber-security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat.”
Read the Report into preliminary inquiries of Qantas for more information.
Background
- Statement on Qantas cyber incident (7 July 2025)