Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

OAIC releases findings from Qantas hack investigation, Privacy watchdog urges no further investigation

The Office of the Australian Information Commissioner (OAIC) has released its findings after investigating last year’s Qantas cyber attack.

Thu, 16 Jul 2026
OAIC releases findings from Qantas hack investigation, privacy watchdog urges no further investigation

On 30 June 2025, Qantas confirmed that customer data had been stolen in a cyber attack impacting a call centre, with data including names, email addresses, phone numbers, birth dates, and frequent flyer numbers.

The call centre breached gave the threat actor access to a third-party customer service platform that contained the service records of 6 million customers.

Now, the OAIC has released its findings and determined that there was nothing to suggest Qantas had not done its part to protect its customers.

 
 

“As detailed in the report, the information obtained through our preliminary inquiries did not indicate a likelihood that Qantas had failed to take reasonable steps to protect the personal information it held at the time of the incident. Nor did it indicate a likelihood that Qantas failed to take reasonable steps to ensure its overseas third-party provider complied with the Australian Privacy Principles (APPs),” the OAIC said.

The OAIC urged that this was based entirely on preliminary inquiries only and that it had not conducted a commissioner-initiated investigation (CII) , and that the report does not “make concluded findings”, leaving it up to the commissioner to engage in an investigation.

The report also noted that Qantas’ response time and incident management procedures mitigated damage, indicating that the national carrier took steps to reduce risks.

“For the reasons outlined in this report, I have concluded my preliminary inquiries into the data breach without commencing a CII or taking other regulatory action in response to the incident. I do not consider the evidence supports the likelihood of a breach and do not consider it an appropriate use of resources to commence a CII.”

Privacy commissioner’s comments

In response to the OAIC findings, Australian privacy commissioner Carly Kind acknowledged the preliminary findings and added that this indicated that a full investigation would be unnecessary.

“While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred. As a result, it would not be appropriate for the OAIC – a proportionate and risk-based regulator – to commence a full investigation or take further action at this stage,” said Kind.

“Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information.

“Agentic and advanced AI will only increase the cyber security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat.”

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Tags:

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.