TheCyberExpress

Qantas Did Everything “Right” — And Got Breached Anyway


A vishing call to an overseas contact center agent. A fake IT ticket. A default setting nobody thought to lock down. That’s all it took to expose the personal data of roughly 5 million Australians — and now the country’s privacy regulator has decided Qantas isn’t to blame for it.

The Office of the Australian Information Commissioner (OAIC) closed the book this week on its year-long preliminary inquiry into the June 2025 Qantas data breach, and the conclusion cuts against the instinct to punish the victim of a cyberattack.

Also read: Australia’s Qantas Confirms Cyberattack: 6 Million Service Records Compromised

According to the OAIC’s report, the evidence gathered did not indicate a likelihood that Qantas had “failed” to take reasonable steps to protect the personal information it held, nor that it failed to ensure its overseas third-party provider complied with Australia’s privacy principles. No investigation. No enforcement action.

“After more than a year of making inquiries and obtaining information on the data breach, we’re satisfied that the evidence does not support the likelihood that a breach of privacy law occurred. As a result, we’ve decided not to commence a full investigation of Qantas at this stage.” – Carly Kind, Australian Privacy Commissioner.

How It Happened

The breach traces back to a single phone call. A threat actor posing as “Qantas IT help” convinced a contact center agent to visit a website tied to the customer relationship management platform used by Qantas agents, walking them through steps framed as necessary to close an IT support ticket. That interaction connected the agent’s CRM session to a data extraction tool controlled by the attacker, who then pulled data from every contact profile the agent could access. It was pure social engineering — no malware, no exploited vulnerability, just a convincing lie.

Qantas caught it fast. A staff member spotted an unusual spike in login-attempt alerts on the morning of June 30, two days after the call, and escalated it to the cybersecurity team. Within hours, the company had frozen the compromised account, assessed for data exfiltration, and triggered its incident response process. Public disclosure followed on July 2.

What Was Exposed — And What Wasn’t

The regulator’s numbers are more precise than what circulated publicly last year. Roughly 5.67 million customer records were compromised, with about 4 million exposing names, phone numbers, email addresses and Frequent Flyer details, and a further 1.7 million records including combinations of home or business addresses, dates of birth, gender and meal preferences. Critically, no credit card numbers, financial information or passport details lived on the compromised platform, and customer passwords and login credentials were never touched.

Also read: Qantas Airways Cyberattack Update: Customer Data Released, Security Measures Enhanced

Why The Regulator Let It Go

The OAIC’s reasoning is a rare, explicit acknowledgment that good controls don’t guarantee immunity. Investigators found that social engineering training generally targets credential theft, not the rarer tactic of talking an employee into authorizing a legitimate-looking system connection — meaning the attack likely would have succeeded even with standard training in place. They also noted the flaw was structural: a default configuration let the agent authorize a third-party app connection, a setting the CRM vendor has since changed for all its customers.

Commissioner Carly Kind put the broader stakes plainly in the OAIC’s statement announcing the report, warning that AI-driven threats are only raising the bar. As she framed it, agentic and advanced AI will keep escalating the cybersecurity risks businesses face, making continuous review of security posture non-negotiable — not optional.

“Data breaches are a persistent feature of today’s digital world, and can occur despite organisations taking steps to protect personal information,” Commissioner Carly said.

“Agentic and advanced AI will only increase the cybersecurity risks that businesses face, and it is critical that all organisations continuously review and enhance their security to protect against this growing threat.”

The takeaway here isn’t that Qantas got a pass. It’s that a regulator has now drawn, in writing, the line between negligence and the limits of what training and access controls can realistically stop.



Source link