Six million Qantas customers’ data affected by a cyber attack on its Manila-based call centre

July 2, 2025

Cyber attacks on third-party providers are common. Companies regard third-party providers in some countries as an effective and, most importantly, cost-effective option. Australian Privacy Principle 8 and section 16C of the Privacy Act 1988 specifically deal with data sent to third countries. Under APP 8.1, before a company discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Where it engages a contractor located overseas to perform services on its behalf, in most circumstances the provision of personal information to that contractor is a disclosure. What is reasonable depends on the circumstances. It is an objective test. How companies assess what is reasonable is another matter. In my experience “reasonable” ranges from comprehensive rules about data handling and cyber security, backed by reviews and inspections, to a more general light-touch, or no-touch, oversight. Clearly the former approach is more in keeping with the text of APP 8.1. If there is a data breach at a third-party provider in another country, being able to demonstrate to the regulator that a comprehensive system was in place is a far more defensible position when the regulator comes knocking.

What systems were involved at the Manila call centre where Qantas stored the personal information of 6 million customers will be the subject of close inspection, given Qantas has been hit by a cyber attack which resulted in the personal information of 6 million customers being affected. Qantas believes a “significant” amount of the data has been stolen. In its statement it confirms that the attack on its call centre was detected on 30 June 2025. It does not say when the data breach started or how the hackers gained access, though subsequent reporting suggests that vishing was involved. The data stolen involved names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers. As usual, Qantas tried to make it a good news story by saying that credit card and other financial information and passport details were not affected. But the information stolen is a starting point for identity theft and phishing.

Some of the commentary has been quite confused. And wrong. The Australian’s “Albanese must step up to protect Aussies after Qantas hack” seems to argue that, as the Government has a major role in dealing with this breach, its “laissez-faire attitude” emboldens criminals. It goes so far as to say “A test of his leadership will be how his government responds to the Qantas hack.” As much as government after government deserves censure for neglecting this area of law, that contention is just not correct. That analysis is a symptom of the incoherence in the regulation of privacy laws and a general lack of understanding of where the respective responsibilities lie.

The prime responsibility falls on the companies holding data, in this case Qantas. They have the same responsibility as if the data was held in their offices in paper form. This responsibility predates the internet. Making it partly the Government’s responsibility, even obliquely, muddies the waters. If Qantas left the doors to its offices open and thieves stole box loads of documents, the Government would not be held to account for this reckless behaviour.

The second level of responsibility lies with the regulator, the Privacy Commissioner (though the ACCC and ASIC sometimes seek to take action). If a company fails to properly protect personal information then the Privacy Commissioner should take strong action, especially civil penalty proceedings. Individuals affected by the breach should also be able to bring action. That action should be very public so that the market will know what to expect if it ignores its obligations. If no, or inadequate, action is taken the market will notice and act accordingly. For many years the regulator was not armed with sufficient powers to take strong action. But even when those powers were provided, especially since March 2014 when the Commissioner could bring civil penalty actions, the regulator was timid at best. Sometimes the Commissioner has been inadequately resourced, but even when properly funded it has opted for education over enforcement and for resolving matters quietly. That has resulted in a mindset in the market that the risk of enforcement action is small and the consequences minimal. That is very different from the mindset in Europe, the UK and even the United States, where the prospect of significant action is real and the consequences severe. In Australia many companies, sotto voce, suggest that being attacked is inevitable and therefore, by inference, they are somehow not responsible for any failings which led to a data breach. It was always going to happen, or so the argument goes. That is complete nonsense. Most data breaches are entirely preventable. It is the poor state of cyber security, training and document handling procedures that produces the weaknesses that hackers exploit.

The current, newish, Privacy Commissioner has been more assertive and prominent. And productive. That is a good thing. With the amendments to the Privacy Act in December the Privacy Commissioner has more powers, and individuals can bring an action in their own right by means of the statutory tort of serious invasion of privacy. It will take some time, and more than a few high-profile court proceedings, to change attitudes on cyber security.

The Qantas statement provides:

Qantas can confirm that a cyber incident has occurred in one of its contact centres, impacting customer data. The system is now contained.

We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available.

We want to reassure all of our customers that there is no impact to Qantas’ operations or the safety of our airline.

We sincerely apologise for this incident and recognise the uncertainty it may cause. Our customers trust us with their personal information, and we take that responsibility seriously.

What we know

On Monday 30 June 2025, we detected unusual activity on a third-party platform used by a Qantas airline contact centre. We then took immediate steps and contained the incident. We can confirm all Qantas systems remain secure.

The incident occurred when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform.

What information was affected

We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’:

    • Names
    • Email addresses
    • Phone numbers
    • Dates of birth
    • Frequent Flyer numbers

Important

Credit card details, personal financial information and passport details are not held in this system. No Frequent Flyer accounts were compromised, nor have passwords, PIN numbers, or log in details been accessed.

Your travel plans

If you have upcoming travel, there is nothing you need to do. You can check your flight details at any time via the Qantas App or our website.

Actions we are taking

Qantas is taking this incident extremely seriously and is working with government agencies and independent specialised cyber security experts. We will continue to support these agencies as the investigation continues.

We’re also putting additional security measures in place to further restrict access and strengthen system monitoring and detection. 

Support for customers

Customers can contact our dedicated support line:

    • Dedicated Support Line: 1800 971 541 or +61 2 8028 0534
    • Available: 24/7

All customers have access to specialist identity protection advice and resources through this team.

For general enquiries, you can also contact Qantas Customer Care through our usual channels.

The statement follows the typical line of giving out as little information as possible and adding in as much boilerplate as possible about how seriously the matter is being taken and that Qantas is working with government agencies. The Office of the Australian Information Commissioner announced that it has been notified of the breach. That is not surprising given the data breach would fall into the category of an eligible data breach under the Notifiable Data Breach Scheme. On that latter point, there is a real danger that a company listing off the various government agencies it has notified and “is working with”, such as the Australian Federal Police etc…, distracts from the key questions: how did it happen, when did it happen, what went wrong? Having agencies come in to investigate and assist in fixing the problem after the data breach is all well and good, but it doesn’t deal with the key issue: companies have to be responsible for the problem and have to be held to account.

The Australian article on this breach, “Six million Qantas customers hit in cyber attack on database storing personal information”, provides:

Qantas has reported a major cyber attack on a customer database used by its Manila call centre, where the records of six million people are stored.

In a statement to the ASX, Qantas said personal information such as names, birthdates, phone numbers, frequent flyer numbers and email addresses was stored on the database but importantly no credit card information, passport details or other financial information.

The statement said Qantas understood the incident was “concerning for customers” and it was in the process of contacting those affected to apologise and provide details on the support available.

It said “unusual activity” was detected on a third party platform used by a Qantas airline contact centre on Monday, with Qantas taking immediate steps to contain the system.

“We can confirm all Qantas systems remain secure,” said the statement.

“There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” said the statement.

Qantas chief executive Vanessa Hudson offered her “sincere apologies” saying she recognised the uncertainty this incident would cause.

“Our customers trust us with their personal information, and we take that responsibility seriously,” Ms Hudson said.

“We are contacting our customers today and our focus is on providing them with the necessary support.

“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”

The Australian Federal Police had also been notified, given the “criminal nature of the incident”.

A dedicated customer support line has been set up, along with a page on the qantas.com website to provide the latest information to customers.

The support line number is 1800 971 541 or 02 8028 0534.

Executive director of the Cyber Security Hub at Macquarie University, Dali Kaafar, said the sort of information accessed was of concern to those caught up in the attack.

“This type of data literally can enable a wide variety of possible major threats from a phishing attack to identity theft, and of course things like social engineering,” said Professor Kaafar.

“This is data that allows malicious actors to build more complete profiles of individuals, and that makes potentially 6 million customers susceptible to other forms of cyber crime further down the line. I think that’s the main worry here.”

He said it was fortunate that Qantas had segmented its database, so more sensitive information such as passport and credit card details were not all in the one place.

However, more “rigorous vendor risk management” was needed to strengthen cyber security within the supply chain, he added.

“The case here is really highlighting the need for stronger security assessment of third party vendors and clear contractual obligations around what we call ‘cyber hygiene’,” Prof Kaafar said.

As yet, the attack has not been confirmed as the work of a group known as “Scattered Spider”, known for conducting disruptive intrusion operations on companies across Europe and the US.

Chief analyst of the Google Threat Intelligence Group John Hultquist said the group was “somewhat amorphous, with actors passing in and out and associations that were not firm”.

“That can make it hard to do attribution, and it can make it hard to completely put a stop to their activity,” said Mr Hultquist.

Mandiant Consulting chief technology officer Charles Carmakal said there had been a notable decrease in activity by the group also known as UNC3944, after the arrests of alleged associates.

“But it’s critical for organisations to understand that UNC3944 is active again and demands serious attention,” said Mr Carmakal.

Like most large-scale breaches, this data breach has attracted large-scale coverage, including from 9News, SMH, SBS, AFR and Reuters.
