‘Very serious penalties’ possible over Qantas data leak
Jack Gramenz and Callum Godde

Qantas could face very serious penalties after customer data was posted online, as millions of potentially impacted customers are being warned not to go looking for the leaked information and to be alert for scams.
The flying kangaroo was one of six global companies to have its data released at the weekend after hackers from Scattered LAPSUS$ Hunters made good on a ransom threat.
The leak stemmed from up to 5.7 million of Qantas’ customers having their data compromised in one of its offshore call centres that used Salesforce software.

Details included full names, email addresses and Frequent Flyer details, as well as business and home addresses, dates of birth, phone numbers, gender and, in fewer cases, meal preferences.
While Qantas might have outsourced its functions, it certainly did not outsource its responsibility to keep customer data safe, Cyber Security Minister Tony Burke said.
“You can’t simply outsource to other companies and think suddenly you’ve got no obligations on cyber security,” he told the ABC on Monday.
“There are very serious penalties,” he warned.
Mr Burke urged customers not to go looking for data on the dark web, even their own.
The data could potentially be used for identity theft attacks as it gives hackers more points of verification, Have I Been Pwned cybersecurity expert Troy Hunt said.
While not overly concerned about his own personal information being leaked, Mr Hunt said Qantas would be “lawyered up to their eyeballs”.
“Qantas has already spent millions and millions handling this and they will now have to face all the inevitable class actions and things that will follow,” he told AAP.

RMIT cyber security professor Matthew Warren said the data leak would lead to a “second wave of scams”.
“Other criminals are going to use that information pretending to be from Qantas trying to elicit additional personal information or trying to say ‘We are offering compensation please share your credit card details so we can transfer’,” he said.
“Most Qantas customers are Australians. You’re talking about a quarter of the population.”
Qantas has offered a support line and specialist identity protection advice to affected customers.
The airline also obtained an injunction from the NSW Supreme Court to prevent the stolen data from being accessed.
But it did not cover international jurisdictions, with the stolen databases of Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies publicly available online on Sunday.
“The rates of cyber crime conviction are so low,” Prof Warren said.
“Cyber criminals don’t see any laws being a real deterrent against their activities.”
Compensation claims were made against Optus and Medibank following major data breaches in 2022.
A complaint over the Qantas data breach has already been lodged by Maurice Blackburn with the Office of the Australian Information Commissioner.
The law firm has alleged Qantas breached privacy laws by failing to adequately protect customer information.

Prof Warren said any class action would be challenged on the grounds the data wasn’t stolen in Australia.
Qantas would likely argue a third party was responsible for protecting it.
“It just becomes very complex. It isn’t a clear case,” he said.
“Many large corporations are so focused on maximising profit for shareholders that they make decisions that don’t necessarily put security as their first directive.”
The Federal Court on Wednesday ordered Australian Clinical Labs to pay $5.8 million for a February 2022 data breach, when more than 223,000 people’s personal information was accessed without authorisation.
AAP