Six million Qantas customers’ data affected by a cyber attack on its Manila based call centre
July 2, 2025
Cyber attacks on third party providers are common. Companies regard third party providers in some countries as being an effective and, most importantly, cost effective option. Australian Privacy Principle 8 and section 16C of the Privacy Act 1988 specifically deal with data sent to third countries. Under APP 8.1, before a company discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Where it engages a contractor located overseas to perform services on its behalf, in most circumstances, the provision of personal information to that contractor is a disclosure. What is reasonable depends on the circumstances. It is an objective test. How companies assess what is reasonable is another matter. In my experience “reasonable” ranges from comprehensive rules about data handling and cyber security, reviews and inspections to a more general light touch, or no touch, oversight. Clearly the former approach is more in keeping with the text of APP 8.1. If there is a data breach at a third party provider in another country demonstrating to the regulator that there was a more comprehensive system is more defensible if the regulator comes knocking.
What systems were involved at the at the Manila call centre where Qantas stored personal information of 6 million customers will be the subject of close inspection given Qantas has been hit by a cyber attack which resulted in the personal information of 6 million customers being affected. Qantas believes a “significant” amount of the data has been stolen. In its statement it confirms that the attack on its call centre was detected on 30 June 2025. It does not say when the data breach started and how the hackers gained access though subsequent reporting suggesting the vishing was involved. The data stolen involved names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers. As usual Qantas tried to make it a good news story by saying that credit card and other financial information and passport details were not affected. But the information stolen is a start in identity theft and opportunities for phishing.
Some of the commentary has been quite confused. And wrong. The Australian’s Albanese must step up to protect Aussies after Qantas hack seems to argue that as the Government has a major role in dealing with this breach its “laissez – faire attitude” emboldens criminals. It goes so far as to say “A test of his leadership will be how his government responds to the Qantas hack.” As much as government after government deserves censure for neglecting this area of law that contention is just not correct. That analysis is a symptom of the incoherence in the regulation of privacy laws and a general lack of understanding of where the respective responsibities lie.
The prime responsibility falls on the companies holding data, in this case, Qantas. They have the same responsibility as if the data was held in their offices in paper form. This responsibility pre dates the internet. Making it partly the Government’s responsibility, even obliquely, muddies the waters. If Qantas left the doors to its offices open and thieves stole box loads of documents the Government would not be held to account for this reckless behaviour.
The second level of responsibility lies with the regulator, the Privacy Commissioner (though the ACCC and ASIC sometimes seek to take action). If a company fails to properly protect personal information then the Privacy Commissioner should take strong action, especially civil penalty proceedings. Individuals affected by the breach should also be able to bring action. That action should be very public so that the market will know what to expect if it ignores its obligations. If no, or inadequate, action is taken the market will notice and act accordingly. For many years the regulator has not been armed with sufficient powers to take strong action. But even when those powers were provided, especially since March 2014 when the Commissioner could bring civil penalty actions, the regulator was timid at best. Sometimes the Commissioner has Read the rest of this entry »