Key Takeaways

- A vishing attack on a Qantas contact center exposed PII for 5.7 million customers in 2025
- Australia's Privacy Commissioner found Qantas complied with all privacy obligations despite the breach
- The attack exploited human factors, not technical vulnerabilities, highlighting limits of access controls
Australia's Privacy Commissioner has cleared Qantas of wrongdoing in its 2025 data breach, even though the incident exposed personally identifiable information for 5.7 million customers. The ruling, published July 16, 2026, found the airline met its privacy obligations under Australian law. The breach stemmed from a tech support scam that tricked a contact center employee into connecting the company's CRM to a data extraction tool.
How did the Qantas data breach happen?
Someone posing as "Qantas IT help" called a contact center agent and instructed them to access the airline's CRM system. The caller claimed certain actions were needed to close a support ticket. Instead, those actions connected the CRM to a data extraction tool controlled by the attackers, who then siphoned off customer records.
This is textbook vishing. The attacker bypassed technical controls entirely by exploiting human trust and organizational procedures. No firewall stops an authorized employee from doing what they believe is their job.
Qantas had previously confirmed the incident resulted from social engineering. The Commissioner's report fills in the details: the airline outsources some contact center operations, and the attack targeted that workforce.
Why the Commissioner ruled Qantas didn't break the law
The ruling hinges on whether Qantas took "reasonable steps" to protect customer data under the Australian Privacy Principles. Commissioner Carly Kind found it did. Qantas had audited the contact center operator and tested employee security awareness in the months before the incident. The airline conducted mandatory, recurring training on handling PII.
The report states: "Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident."
Kind also found that Qantas used role-based access controls and scheduled annual data removal runs from its CRM. No records that should have been deleted or de-identified were present at the time of the attack.
The Commissioner's conclusion: "It does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas' current role-based access controls."
What this means for enterprise security teams
The ruling sets a precedent. Companies that follow security best practices may escape regulatory penalties even when breaches occur, provided the attack vector was sophisticated enough. That's cold comfort for the 5.7 million customers whose data was stolen, but it defines what Australian regulators expect from large organizations.
The decision also highlights a hard truth: technical controls have limits. Qantas had role-based access, audits, training, and data hygiene practices. None of it stopped an attacker who could convince an employee to follow instructions.
Some security observers have suggested the Scattered Spider gang was behind the attack. The group had been targeting aviation companies in the weeks before the Qantas incident. The Commissioner's report doesn't identify the attackers.
Qantas isn't out of the woods
The Privacy Commissioner reserved the right to revisit the matter. Class-action lawsuits are also in progress. Regulatory clearance doesn't mean litigation clearance.
Australia tightened its privacy penalty regime in late 2022 after the Optus breach (9.8 million records) and the Medibank breach (9.7 million records). Maximum penalties now reach A$50 million or more. The Commissioner's decision not to investigate Qantas further is notable against that backdrop.
Logicity's Take
This ruling effectively says that if you do everything right on paper, regulators won't punish you for getting socially engineered. That's a defensible legal standard, but it offers no protection to customers. For CIOs, the takeaway is twofold: document your security controls thoroughly so you can demonstrate compliance after an incident, and recognize that vishing and pretexting remain nearly impossible to fully prevent. Out-of-band verification for any CRM or sensitive system changes should be standard. And if your contact center runs on Salesforce, Zoho CRM, or another major platform, make sure your third-party operators face the same audits and training your internal staff do.
The bigger picture for aviation cybersecurity
Airlines hold enormous datasets. Frequent flyer programs, booking systems, and loyalty partnerships mean customer PII flows through multiple systems and vendors. The Qantas breach shows that even a well-run security program can't fully protect against attackers who target humans rather than code.
Verizon's Data Breach Investigations Report consistently finds that human factors account for roughly 74% of breaches. Social engineering is the top attack vector against travel and aviation companies. Qantas joins a growing list of airlines that have suffered significant breaches, including British Airways, Cathay Pacific, and Air India.
Frequently Asked Questions
How many Qantas customers were affected by the data breach?
The breach exposed personally identifiable information for 5.7 million Qantas customers.
Did Qantas violate Australian privacy law?
No. Australia's Privacy Commissioner found Qantas complied with the Australian Privacy Principles and declined to open a formal investigation.
What is a vishing attack?
Vishing is voice phishing. Attackers call employees and impersonate IT support or other trusted parties to trick them into granting system access or performing harmful actions.
Who was behind the Qantas data breach?
The attackers haven't been officially identified. Security analysts have suggested the Scattered Spider gang may be responsible, as the group was targeting aviation companies around the same time.
Can Qantas customers take legal action?
Yes. Class-action lawsuits related to the breach are in progress, separate from the Privacy Commissioner's ruling.
Need Help Implementing This?
Logicity helps IT teams assess their security posture against social engineering threats. Contact us for a consultation on vendor risk management and employee security training programs.
Source: www.theregister.com
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.





