The Australian Privacy Commissioner has published a report of the OAIC’s preliminary inquiries into the 2025 Qantas data breach incident, finding that there weren't any omissions or failings in the steps taken by the airline to protect the personal information it held or to ensure the third-party contact centre provider it uses complied with the Privacy Act.
In July of last year, a cyber hacker broke into a database containing the personal information of millions of customers, gaining access to a third-party customer service platform containing close to six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.
The preliminary inquiries of the report established that, prior to the incident, Qantas undertook preventative measures such as auditing its overseas third-party contract centre provider, ensuring cyber and data protection training for contact centre agents and establishing processes for the destruction and de-identification of personal information once no longer required.
During and following the incident, Qantas took steps to reduce the impact of the breach, the OAIC claimed, stating that the data breach occurred despite a range of security measures Qantas had in place to reduce the risk of a cyber-attack.
The OAIC’s report was based on almost a year of extensive inquiries in response to which Qantas provided information and documents to the privacy regulator.
“While I recognise the serious implications of data breaches such as this one on the lives of the Australian community, in this instance I do not consider that the evidence supports the likelihood that a breach of privacy law occurred,” Australian Privacy Commissioner Carly Kind said.
“As a result, it would not be appropriate for the OAIC - a proportionate and risk-based regulator - to commence a full investigation or take further action at this stage.”
The Commissioner added that data breaches are a persistent feature of today’s digital world and can occur despite organisations taking steps to protect personal information.
“Agentic and advanced AI will only increase the cyber-security risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat," she said.
Last week, the OAIC revealed that 2025 saw the highest number of data breach notifications being reported since the mandatory data breach reporting scheme commenced in 2018.




