Qantas Sidesteps Official OAIC Inquiry Following 2025 Vishing Incident


We independently review everything we recommend. When you buy through our links, we may earn a commission which is paid directly to our Australia-based writers, editors, and support staff. Thank you for your support!

Brief Overview

  • Qantas will not undergo a formal inquiry regarding the June 2025 data breach.
  • The breach impacted roughly 5.12 million Australians.
  • The incident involved vishing, a variant of social engineering.
  • Initial investigations by OAIC indicated Qantas acted swiftly to address the breach.
  • Qantas is still under examination as OAIC could initiate a formal inquiry in the future.

Examining Qantas’ 2025 Data Breach

Breach Details

In June 2025, Qantas encountered a major data breach where hackers linked to Scattered Spider, Lapsus$, and ShinyHunters reportedly gained access to millions of customer records. The Office of the Australian Information Commissioner (OAIC) opted not to pursue a formal inquiry after initial probing.

Vishing: The Method Employed

The breach was executed through a social engineering tactic called vishing. An unidentified threat actor masqueraded as “Qantas IT help” and reached out to the airline’s call center. This deception led an agent to connect a customized version of Salesforce’s Data Loader tool to Qantas’s customer management system, facilitating extensive data extraction.

Qantas’ Reaction and OAIC’s Assessments

Privacy Commissioner Carly Kind assessed whether Qantas breached Australian Privacy Principles regarding personal information management, cross-border sharing, and security. The commissioner noted Qantas’s swift actions to manage the risks and notify the public, determining that the airline implemented sufficient measures to lessen the breach’s effects.

Consequences and Future Considerations

The breach influenced about 5.12 million Australians, with the data mainly encompassing personal and frequent flyer information. While Qantas has evaded an immediate formal inquiry, the OAIC retains the power to launch one later if deemed necessary.

Conclusion

Qantas has successfully sidestepped a formal investigation by the OAIC following a significant data breach in June 2025, attributed to its proactive actions and collaboration. Nonetheless, the airline remains under monitoring, and a future investigation is a distinct possibility.

Reader questions

Frequently asked questions

Fast answers to the questions readers ask most about Qantas Sidesteps Official OAIC Inquiry Following 2025 Vishing Incident.

What does vishing mean?

Vishing is a type of social engineering where a perpetrator uses voice communication to trick individuals into disclosing confidential information.

How was the breach executed?

The breach took place when a threat actor impersonated Qantas IT support and deceived a call center agent into connecting a malicious tool to the airline’s system.

Which data was compromised?

The compromised data included personal information and frequent flyer specifics of about 5.12 million Australians.

What are the Australian Privacy Principles?

These principles are guidelines that regulate the management of personal information by Australian entities, focusing on handling, security, and cross-border sharing.

Is it possible for the OAIC to still investigate Qantas?

Yes, the OAIC retains the authority to commence a formal investigation if future findings justify such measures.

What actions did Qantas take following the breach?

Qantas swiftly acted to contain the breach, reduce risks, and notify affected customers and the public concerning the incident.

Who are Scattered Spider, Lapsus$, and ShinyHunters?

These are hacker collectives recognized for cyber-attacks and data breaches, often focusing on large organisations to steal sensitive data.

Posted by Matthew Miller

Matthew Miller is a Brisbane-based Consumer Technology Editor at Techbest covering breaking Australia tech news.

Leave a Reply

Your email address will not be published. Required fields are marked *