5.7 million customer records were taken in the 2025 Qantas breach, and Australia’s Privacy Commissioner has concluded a tech‑support social engineering call — not systemic privacy failures at the airline — was the proximate cause.
The vishing call that opened the breach
The Commissioner’s report, published today, reconstructs a short, targeted social‑engineering exchange in which an individual claiming to represent “Qantas IT help” phoned a contact‑centre agent and instructed the agent to access a customer‑relationship management (CRM) system and perform specified actions to close a support ticket. Those actions instead connected the CRM to a data‑extraction tool which the crooks used to siphon off customer records, the report says.
Australia’s Privacy Commissioner: findings and reasoning
The regulator examined whether Qantas had breached the binding Australian Privacy Principles (APPs). The Commissioner concluded the airline did not contravene its obligations despite the leak of personally identifiable information for 5.7 million customers. The report states: “Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident.”
On the question of foreseeability and preventability, the report — attributed in the text to Commissioner Carly Kind — observed that “it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas’ current role‑based access controls.”
The Commissioner exercised discretion not to open a formal privacy probe, noting: “I have a broad discretion to commence an investigation of an act or practice where it may be a contravention of the APPs and where it is desirable to do so.” The report also leaves open the possibility the regulator could revisit the matter at another time.
Qantas’ documented security practices the regulator reviewed
The report summarizes the steps Qantas took with respect to the contact‑centre operator and the handling of personal information. Key items the Commissioner relied on in finding no breach of the APPs include:
- Qantas audited the operator of the contact centre and conducted security‑awareness testing of its employees in the months before the incident.
- The carrier provided mandatory and recurring training on how to handle personally identifiable information.
- Qantas used role‑based access controls, among other techniques, to protect data.
- Qantas scheduled annual data‑removal runs from its CRM and reported that no records meriting deletion or removal were present at the time of the attack.
On cross‑border data sharing, the Commissioner made a similar finding and determined Qantas complied with the APPs in that area.
Legal fallout and the question of attacker identity
Although the regulator declined a formal probe, the report notes that class‑action lawsuits are in train, meaning Qantas may yet face litigation related to the incident. The report does not identify the attackers. The article observes that pundits have suggested the Scattered Spider gang did the deed after it reportedly began targeting the aviation sector in the weeks before the Qantas incident, but that attribution is presented as commentary rather than a finding in the Commissioner’s report.
How technologists, regulators, and customers are implicated
- Technologists and security teams: The Commissioner’s finding underscores that role‑based access controls and routine audits were in place but that human‑targeted vishing can bypass technical controls. Teams responsible for contact‑centre security will likely weigh social‑engineering-resistant procedures and verification steps for remote ticket work.
- Regulators and compliance officers: The Commissioner exercised discretion not to open an investigation after reviewing Qantas’ audits, testing, training, and data‑removal practices. Regulators will watch how discretionary decisions are justified when breaches stem from social‑engineering attacks rather than technical control failures.
- Customers and litigants: With 5.7 million customer records extracted and class actions underway, affected customers will be focused on legal remedies and what data types were involved; the report’s decision not to probe further does not prevent private litigation from proceeding.
The Commissioner’s report frames this breach as the product of a convincing phone‑based deception rather than a systemic failure to comply with the APPs. That judgment leaves unresolved questions about how organizations should balance technical controls, human processes, and verification practices at contact centres — and it guarantees that litigation and public scrutiny will continue long after the regulator closed the file for now.
Source: The Register — Tech support scam caused massive data breach at Australian airline Qantas




