Australian Privacy Regulator Ends Qantas Data Breach Inquiry Without Opening Formal Investigation

Australian Privacy Regulator Ends Qantas Data Breach Inquiry Without Opening Formal Investigation

By
Key Takeaways
  • Inquiry Concluded Without Further Action: The OAIC completed its preliminary inquiries into the 2025 Qantas data breach and determined there is no basis at this stage to open a formal privacy investigation.
  • No Likely Privacy Act Breach Identified: The regulator found no evidence of omissions or failings in Qantas' security measures or its oversight of the overseas third-party contact center provider that would suggest a likely breach of Australia's Privacy Act.
  • Third-Party Social Engineering Attack: The incident affected approximately 5 million Australians after attackers used social engineering to compromise an overseas third-party service provider contracted by Qantas.
  • Pre-Existing Security Controls Recognized: The OAIC found that Qantas had implemented preventive measures before the breach, including vendor audits, cybersecurity and data protection training, and processes for destroying or de-identifying personal information when no longer needed.
  • AI Raises Future Cybersecurity Risks: Privacy Commissioner Carly Kind warned that agentic and advanced AI will increase cybersecurity risks, underscoring the need for organizations to continuously strengthen their security posture.
Deep Dive

When hackers gained access to the personal information of roughly 5 million Australians during the 2025 cyberattack on Qantas, the obvious question was whether the airline had failed in its legal duty to protect that data. After nearly a year of preliminary inquiries, Australia's privacy regulator has answered that question, at least for now.

The Office of the Australian Information Commissioner (OAIC) said Thursday it will not open a formal investigation into the incident, concluding that the information gathered during its inquiries does not support the likelihood that Qantas breached the country's privacy laws.

The decision closes the regulator's preliminary review of one of Australia's most closely watched data breaches. The OAIC also published its findings, saying it wanted to provide transparency about both the incident itself and the regulator's response. The breach stemmed from a social engineering attack targeting an overseas third-party contact center provider contracted by Qantas. The attack exposed the personal information of approximately 5 million Australians and prompted widespread concern among customers whose data had been accessed without authorization.

Over the course of its inquiries, the privacy regulator examined how the breach occurred, the security measures Qantas had in place before the attack, and the airline's response once the incident was discovered. It also reviewed how Qantas oversaw its third-party service provider under Australia's Privacy Act. The report concludes that the evidence collected did not identify omissions or failings in the steps Qantas took to protect the personal information it held or to ensure its overseas contact center provider complied with the Privacy Act.

"While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred," Australian Privacy Commissioner Carly Kind said.

"As a result, it would not be appropriate for the OAIC—a proportionate and risk-based regulator—to commence a full investigation or take further action at this stage."

A Reminder That Breach Does Not Automatically Mean Liability

The report offers an important distinction that often gets lost after a major cyber incident. A successful attack, even one affecting millions of people, is not by itself proof that an organization failed to meet its legal obligations.

According to the OAIC, Qantas had already implemented a series of preventative measures before the attack. Those included auditing its overseas contact center provider, requiring cyber and data protection training for contact center agents, and maintaining processes to destroy or de-identify personal information when it was no longer required.

The regulator also found that Qantas took steps during and after the incident to reduce its impact on affected individuals. None of that prevented the breach. The attack succeeded despite those controls being in place. But after examining the evidence gathered over almost a year, the OAIC determined that the existence of the breach did not, on its own, justify concluding that Qantas had fallen short of its obligations under privacy law.

For organizations watching from the sidelines, that conclusion may prove as significant as the decision not to investigate further. It reinforces that privacy regulators are assessing more than outcomes. They are examining whether reasonable governance, security controls and third-party oversight existed before an incident occurred, and how organizations responded once it did.

The Threat Landscape Continues to Shift

Commissioner Kind stressed that the decision should not be interpreted as evidence that organizations can relax their cybersecurity efforts. If anything, she suggested, the opposite is true.

"Data breaches are a persistent feature of today's digital world, and can occur despite organisations taking steps to protect personal information," she said.

She also warned that the next wave of technological change is likely to make that challenge even more difficult.

"Agentic and advanced AI will only increase the cyber-security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat," Kind said.

The OAIC's report closes its preliminary inquiries into the Qantas incident. It also leaves organizations with a clearer picture of how the regulator evaluates major cyber incidents—not by assuming that every breach reflects regulatory failure, but by closely examining the security decisions that existed long before the attackers arrived.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong