Qantas Data Breach Puts Six Million Customer Profiles at Risk
In early July 2025, Qantas confirmed a major data breach that exposed the personal details of up to six million customers. The information accessed included names, phone numbers, email addresses, dates of birth, and frequent flyer numbers, though crucially, no financial or passport data was stored on the compromised system.
What makes this breach especially notable is not just its scale, but where it happened: within a third-party customer service platform used by the airline’s contact centre. This isn’t an isolated incident; it’s part of a much wider pattern, one that shows just how vulnerable even the most established, well-resourced companies can be when it comes to modern cyber threats.
The Qantas breach is only the latest in what is becoming an increasingly alarming trend. Earlier in 2025, both AustralianSuper and Nine Media suffered significant data breaches. And according to the Office of the Australian Information Commissioner (OAIC), 2024 marked the worst year for data breaches in Australia since records began in 2018.
The OAIC has warned that these threats are intensifying, driven not just by rogue hackers but by increasingly sophisticated, well-funded cybercriminal networks operating across borders. One such group, Scattered Spider, has been linked to recent attacks on major airlines and retailers across the globe, including in North America and the UK.
What Business Leaders Must Learn from the Qantas Breach
What we’re witnessing is not just a series of unfortunate incidents. It’s a systemic issue and one that’s now embedded in the way the digital economy operates. Here’s what businesses can learn from the data breach.
1. Third-Party Risk Is Business Risk
Qantas’ internal systems were not breached directly. Instead, the vulnerability lay in a third-party platform handling customer service operations.
Too often, businesses focus their cybersecurity investments inward, securing their own infrastructure while assuming external vendors and platforms meet similar standards. But in practice, supply chain security is often the weakest link.
Start treating third-party platforms and service providers as extensions of your business. Conduct regular due diligence, demand transparency, and build contractual requirements around cybersecurity and breach response. Your risk doesn’t end where your servers do. Some companies go as far as building their own software or platforms to ensure full compliance with internal policies and maintain tighter control over security. However, this approach depends heavily on budget and access to skilled developers.
2. “Non-Financial” Data Still Has High Value
Although no credit card numbers or passport details were exposed, the data that was accessed included email addresses, phone numbers, and birth dates, which can still be used for targeted scams, phishing campaigns, or social engineering.
In today’s cybercrime economy, even seemingly low-sensitivity information can be weaponised to impersonate individuals, access other accounts, or build more elaborate attacks.
Reframe how you view personal data. All customer data should be treated as sensitive. Businesses should limit what they collect, encrypt what they store, and routinely assess what data can be safely deleted.
3. Cybersecurity Is Now a Business Continuity Issue
Qantas has confirmed there was no disruption to flights or airline operations, and that frequent flyer accounts remain secure. But had the compromised system been more deeply integrated with critical infrastructure, the story might have been very different.
The implications go beyond customer inconvenience or PR fallout. A major breach can impact your ability to operate, bring regulatory scrutiny, trigger insurance claims, and expose directors to liability under Australian privacy law.
Treat cybersecurity as a business-critical function. Incident response plans should be embedded across departments, not just left to IT teams. Regular tabletop exercises and executive drills can prepare your team for high-pressure scenarios.
4. Transparency and Response Speed Are Crucial
Qantas acted quickly to contain the breach, notified the relevant authorities, and offered a dedicated support line for customers. That responsiveness is now not only expected but legally required.
Under the Notifiable Data Breaches (NDB) scheme, Australian companies must inform the OAIC and affected individuals when a breach is likely to result in serious harm. A slow or evasive response can damage trust far more than the breach itself.
Build your breach notification playbook before you need it. Who makes the call? How do you verify facts before going public? Who speaks on behalf of the business? These are questions to answer long before a breach hits the headlines.
5. Cybersecurity Is Now Reputational Currency
Airlines are among the most trusted brands in the world, not just for the services they offer, but for the immense volumes of personal data they hold. Qantas, a national icon, now finds itself among the growing list of major companies having to reassure the public that their data is safe.
The reputational fallout from a breach can linger long after the technical issue is resolved. In sectors like aviation, finance, and healthcare, that erosion of trust can take years to rebuild.
Being seen as a company that takes data security seriously is now a competitive advantage, especially when trust is the foundation of customer loyalty.
The Qantas breach highlights a wider shift in how Australian businesses must think about cybersecurity. This isn’t just about patching systems or training staff. It’s about building cyber resilience into the DNA of your organisation, from vendor management to boardroom strategy.
Regulators, too, are watching closely. With privacy reform still on the national agenda and public awareness of data rights growing, companies will be expected to raise their standards or face the consequences.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you; get in contact with us today for more information.