Back to Industry

Industry - Data Breach

moderateAnti-PrivacyData Breach

Executive Summary

A social engineering attack on Qantas exposed personally identifiable information for 5.7 million customers after a scammer posing as "Qantas IT help" tricked a contact center agent into connecting the CRM system to a data extraction tool. Despite the massive breach, Australia's Privacy Commissioner found Qantas did not violate privacy rules because the airline had conducted security audits, employee training, and implemented proper access controls before the incident. The stolen data include...

What Happened

In June 2025, a scammer posing as 'Qantas IT help' called a Qantas contact center agent and directed them to perform actions that connected the airline's CRM system to a data extraction tool, resulting in the theft of personal information for approximately 5.7 million customers. The stolen data included names, email addresses, phone numbers, birth dates, and frequent flyer numbers, but did not include credit card details, financial information, or passport data. In July 2026, Australia's Privacy Commissioner concluded that despite the breach, Qantas did not violate privacy laws because the airline had conducted security audits, provided mandatory employee training, and implemented role-based access controls prior to the incident.

Who Is Affected

Approximately 5.7 million Qantas customers had their personal contact information and frequent flyer details exposed in this breach. Given that Qantas dominates Australian commercial aviation and nearly half of Australia's population participates in its frequent flyer program, the incident affects a substantial portion of Australian air travelers. The airline indicated the proportion of data actually stolen was still under investigation at the time of initial disclosure, though it expected the amount to be significant.

Why It Matters

This incident demonstrates that organizations can experience massive data breaches affecting millions of users yet face no regulatory consequences if they have implemented standard security practices beforehand, even when those measures failed to prevent a successful social engineering attack. The Privacy Commissioner's decision not to pursue enforcement action despite 5.7 million exposed records sets a precedent that compliance with process requirements may shield companies from accountability for breach outcomes. The case highlights the ongoing vulnerability of contact centers to social engineering attacks and shows that employee training and security audits do not guarantee protection against determined attackers using deceptive tactics.

What You Should Do

If you are a Qantas frequent flyer or customer, watch for direct communication from the airline confirming whether your specific data was compromised and follow any instructions provided. Be vigilant for phishing emails, text messages, or phone calls that reference your Qantas membership or personal details, as scammers may use the stolen information to impersonate the airline or conduct targeted fraud. Consider changing passwords for your Qantas account and any other accounts that use the same credentials, and enable two-factor authentication where available. Monitor your accounts and credit reports for unusual activity, as the exposed birth dates and contact information could be used for identity verification in other fraud attempts.

Summary generated from verified sources and reviewed before publication. How we summarize.

A social engineering attack on Qantas exposed personally identifiable... - Industry | PrivacyWire