On 30 June 2025, Qantas confirmed that customer data had been stolen in a cyber attack impacting a call centre, with data including names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
The call centre breached gave the threat actor access to a third-party customer service platform that contained the service records of 6 million customers.
Now, the OAIC has released its findings and determined that there was nothing to suggest Qantas had not done its part to protect its customers.
“As detailed in the report, the information obtained through our preliminary inquiries did not indicate a likelihood that Qantas had failed to take reasonable steps to protect the personal information it held at the time of the incident. Nor did it indicate a likelihood that Qantas failed to take reasonable steps to ensure its overseas third-party provider complied with the Australian Privacy Principles (APPs),” the OAIC said.
The OAIC urged that this was based entirely on preliminary inquiries only and that it had not conducted a commissioner-initiated investigation (CII) , and that the report does not “make concluded findings”, leaving it up to the commissioner to engage in an investigation.
The report also noted that Qantas’ response time and incident management procedures mitigated damage, indicating that the national carrier took steps to reduce risks.
“For the reasons outlined in this report, I have concluded my preliminary inquiries into the data breach without commencing a CII or taking other regulatory action in response to the incident. I do not consider the evidence supports the likelihood of a breach and do not consider it an appropriate use of resources to commence a CII.”
Privacy commissioner’s comments
In response to the OAIC findings, Australian privacy commissioner Carly Kind acknowledged the preliminary findings and added that this indicated that a full investigation would be unnecessary.
“While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred. As a result, it would not be appropriate for the OAIC – a proportionate and risk-based regulator – to commence a full investigation or take further action at this stage,” said Kind.
“Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information.
“Agentic and advanced AI will only increase the cyber security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat.”
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.