What happened
In June–July 2025 Qantas disclosed that a third-party platform used by one of its contact centres had been accessed by cyber criminals, exposing the data of around 5.7 million customers [qantas]. The entry point was a social-engineering (“vishing”) call rather than a system flaw. No credit-card, financial or passport data was in the affected system [qantas]. Qantas obtained a NSW Supreme Court injunction restraining use of the stolen data [nsw-injunction-qf], and the OAIC later completed preliminary inquiries without opening a formal investigation [oaic-findings-qf].
Timeline
- 2025-06-30 — Qantas discovered unauthorised access to a contact-centre platform [qantas].
- 2025-07 — Public disclosure; NSW Supreme Court injunction obtained [nsw-injunction-qf].
- 2026 — OAIC completed inquiries; no formal investigation pursued [oaic-findings-qf].
Current status
Resolved from a regulatory standpoint — the OAIC declined to pursue a formal investigation. A regulator inquiry with no enforcement is as much public record as a penalty. [oaic-findings-qf]
Why it matters
A “did everything right and still got breached” case: the weak point was a third party and a phone call, not Qantas’s core systems — a lesson in supply-chain and social-engineering risk.