
Sydney, Australia: Qantas has confirmed that a cyber incident occurred in early July 2025, compromising the data of up to 5.7 million Qantas customers through a third-party platform used by one of its airline contact centres. The airline detected unusual activity and took immediate steps to secure the system. While investigations are ongoing, Qantas is working with cybersecurity specialists to determine which data was included in the breach.
Specific data fields vary from customer to customer. Qantas's analysis found that the majority of compromised customer records are limited to name and email address. The airline also confirmed that no identity documents, credit card numbers, or personal financial details were accessed or compromised as a result of the incident.
In response to the breach, Qantas has implemented additional security measures, increased training across teams, and strengthened system monitoring and detection. To further protect customer data, the airline obtained an interim injunction from the NSW Supreme Court, preventing the stolen data from being accessed, viewed, released, used, transmitted, or published by anyone, including third parties.
According to the Australian Associated Press, the breach could potentially cost Qantas over $7 billion if courts classify it as a serious or repeated violation of privacy laws. In addition, class-action lawsuits from affected customers are expected. The incident has already led to financial repercussions for Qantas executives: CEO Vanessa Hudson faced a $250,000 reduction, and other senior executives had their short-term bonuses cut by 15% in September.
Cybersecurity Minister Tony Burke warned that companies cannot outsource cybersecurity obligations, emphasizing that Qantas could face “very serious penalties.” He also cautioned customers against searching for the stolen data on the dark web.
A 153GB Qantas dataset reportedly surfaced on the file-sharing platform LimeWire, raising concerns that hackers could use it for identity theft. Cybersecurity expert Troy Hunt noted that while he wasn’t personally worried about his own data, Qantas will have to confront significant legal actions. RMIT cybersecurity professor Matthew Warren warned the leak could trigger a “second wave of scams,” with criminals impersonating Qantas.
Qantas formally notified the Australian Information Commissioner in July, as required for breaches likely to cause serious harm. Under current rules, penalties for such breaches have increased significantly: maximum fines can reach $50 million or three times the company’s benefit from the breach. If the benefit cannot be quantified, fines can be up to 30% of the company’s adjusted turnover over 12 months covering the breach period. For Qantas, this could exceed $7 billion, based on its reported $23.8 billion revenue in the financial year before the breach.
Qantas has established a dedicated support line available 24/7 at 1800 971 541 or +61 2 8028 0534. Affected customers can access specialist identity protection advice and resources through this team. Additionally, customers can submit general enquiries or complaints via the Customer Care feedback form.
Qantas has advised customers to remain vigilant against potential scams, especially those purporting to be from the airline. Customers are encouraged to independently verify the identity of callers and to report any suspicious communications to Scamwatch. The airline’s cyber teams continue to monitor 24/7 to prevent phishing attempts and block fraudulent websites and other communications.
Frequent Flyer accounts were not compromised in the incident, and Qantas recommends that customers continue to engage in the program and with partners as normal. Customers can update their profile online by logging into their Qantas Frequent Flyer account and navigating to ‘Profile’ > ‘My Profile’ > ‘Personal Information.’ There they can change their information, including contact details, PIN, and security questions, as well as set up a digital authentication app.



















