🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Other

Qantas

🇦🇺 Sydney, NSW (AU; NZ regulator also notified) · Qantas Airways Ltd · Record AU-2025-0177
● Confirmed
People affected
5,700,000 (approx)
Breach date
2025-06
Regulator
OAIC
Trust tier
A · Confirmed

Data exposed

Names, email addresses, Qantas Frequent Flyer numbers, addresses, dates of birth, phone numbers Company-confirmed
No credit-card, financial or passport data (not stored in the affected system) Company-confirmed

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In June–July 2025 Qantas disclosed that a third-party platform used by one of its contact centres had been accessed by cyber criminals, exposing the data of around 5.7 million customers [qantas]. The entry point was a social-engineering (“vishing”) call rather than a system flaw. No credit-card, financial or passport data was in the affected system [qantas]. Qantas obtained a NSW Supreme Court injunction restraining use of the stolen data [nsw-injunction-qf], and the OAIC later completed preliminary inquiries without opening a formal investigation [oaic-findings-qf].

Timeline

  • 2025-06-30 — Qantas discovered unauthorised access to a contact-centre platform [qantas].
  • 2025-07 — Public disclosure; NSW Supreme Court injunction obtained [nsw-injunction-qf].
  • 2026 — OAIC completed inquiries; no formal investigation pursued [oaic-findings-qf].

Current status

Resolved from a regulatory standpoint — the OAIC declined to pursue a formal investigation. A regulator inquiry with no enforcement is as much public record as a penalty. [oaic-findings-qf]

Why it matters

A “did everything right and still got breached” case: the weak point was a third party and a phone call, not Qantas’s core systems — a lesson in supply-chain and social-engineering risk.