Qantas Data Breach Hits Millions as OAIC Confirms Notification Requirement

Key Takeaways
  • Data breach at third-party contact centre: A cybercriminal accessed a customer service platform used by Qantas, exposing customer data.
  • Up to 6 million records affected: The compromised data includes names, emails, phone numbers, birth dates, and frequent flyer numbers.
  • No financial or credential data exposed: The platform held no credit card details, passport information, or login credentials, and Qantas says no frequent flyer accounts were compromised.
  • Qantas systems not breached: The airline’s core systems are unaffected and flight operations continue as normal.
  • Regulators and law enforcement notified: The OAIC, the Australian Cyber Security Centre, and the Australian Federal Police (AFP) are all involved in the response.
Deep Dive

Qantas is investigating a cyber incident that exposed the personal information of customers stored on a third-party platform used by one of its contact centres. The breach, first detected earlier this week, has affected records tied to up to 6 million customers.

The airline moved quickly to contain the threat and says all Qantas-operated systems remain secure. But while there’s no impact on flight operations or safety, the incident has understandably raised concerns among customers.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson. “Our customers trust us with their personal information and we take that responsibility seriously.”

The breach occurred when a cybercriminal accessed a third-party customer servicing system used by a Qantas call centre. The platform was operated by the third party rather than by Qantas itself, but it held customer data including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.

Qantas confirmed that the platform did not store financial details, credit card information, passports, or login credentials, and that no frequent flyer accounts were compromised. However, the company acknowledged that a “significant” portion of the data may have been accessed and said it is still working to determine the full extent.

Regulatory and Law Enforcement Response

The Office of the Australian Information Commissioner (OAIC) has been informed, as required under the Notifiable Data Breaches scheme in Australia's Privacy Act. Under that scheme, an entity that suspects an eligible data breach has occurred must complete its assessment within 30 days; once it concludes that the breach is likely to result in serious harm, it must notify the OAIC and the affected individuals as soon as practicable. Qantas has also notified the Australian Cyber Security Centre and the Australian Federal Police, given the criminal nature of the intrusion.

In a public statement, the OAIC reminded organizations of their obligations to act swiftly, assess the impact, and notify regulators and affected individuals when necessary.

The airline has launched a dedicated support page and customer service line to assist those who may be affected. Customers are being contacted directly with updates and information on support options.

Additional security measures have been rolled out to further restrict access and improve monitoring across Qantas’ systems, while the company works with government agencies, cybersecurity experts, and its third-party providers to investigate the breach and strengthen its defenses.

“We are contacting our customers today and our focus is on providing them with the necessary support,” Hudson added. “We are working closely with the Federal Government’s National Cyber Security Coordinator and independent cyber security specialists.”

The GRC Report is your premier destination for the latest in governance, risk, and compliance news.