Cyber Wake-Up Call: Qantas Data Breach Exposes Five Million Records

What Happened?
The cyberattack, which targeted a Qantas call centre system in June, allowed hackers to access the airline’s customer service platform and extract personal information including names, email addresses and frequent flyer numbers.
In some cases, additional details such as addresses, phone numbers, dates of birth, gender, and even meal preferences were compromised.
Qantas confirmed that no passwords, PINs, financial information or identity documents were accessed, and Frequent Flyer accounts remain secure.
Governance and Legal Response
The NSW Supreme Court swiftly issued an injunction to prevent the stolen data from being shared or sold. However, cybersecurity experts warn that scam activity is expected to surge, with impersonation emails and fake frequent flyer redemption offers already circulating.
Minister for Cybersecurity Tony Burke reminded Australians that it is illegal to access or view stolen data, even if it includes their own personal information.
Lessons for Information and Records Professionals
This incident reinforces a crucial truth: information security and information governance are inseparable.
For practitioners, it serves as a stark reminder that:
- Third-party risk management must be embedded into IG frameworks, especially for outsourced services and call centre operations.
- Data minimisation (retaining only what is necessary) is critical to reducing exposure in a breach.
- Metadata management and system auditability can assist in rapid incident response and forensic analysis.
- Staff awareness training remains a frontline defence against social engineering attacks.
The breach also demonstrates the growing intersection between data governance, privacy regulation, and organisational accountability, areas where information managers are uniquely positioned to lead.
Protecting Individuals and Organisations
The Office of the Australian Information Commissioner (OAIC) recommends enabling multi-factor authentication, updating passwords, and reporting suspicious activity.
Qantas has established a 24/7 support line for affected customers and is cooperating with the National Cyber Security Coordinator to strengthen future protections.
The Bigger Picture
As class action discussions begin, the Qantas breach joins a growing list of high-profile Australian data incidents, including Optus and Medibank. For records and information management professionals, these events are not just cautionary tales—they are opportunities to champion robust information governance frameworks, drive cyber resilience, and promote a privacy-by-design culture across all information systems.