Qantas Faces Potential $AUD6.6B Fine for Data Breach

Australia's flagship carrier Qantas is facing the prospect of severe financial penalties under recently strengthened privacy laws after confirming a major data breach has compromised the personal information of up to six million customers.

The airline disclosed on Wednesday that cybercriminals targeted a call centre and gained unauthorised access to a third-party customer servicing platform on Monday, June 30. While Qantas systems remain secure and operations continue unaffected, the company expects a "significant" proportion of the six million customer records in the breached system, reportedly held at a Manila-based call centre, to have been stolen.

The timing of the breach is particularly costly for Qantas, as it occurred after Australia's sweeping privacy law reforms came into effect. Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced in December 2022, the maximum penalty for serious or repeated privacy breaches increased dramatically from $AUD2.22 million to the greater of $AUD50 million, three times the value of any benefit obtained through the misuse of information, or 30% of the entity's annual Australian turnover. For Qantas, that turnover was approximately $AUD22.1 billion in 2024.

Qantas could face substantial penalties if the Office of the Australian Information Commissioner (OAIC) determines the breach constitutes a "serious interference with privacy" under section 13G of the Privacy Act.

The OAIC has already demonstrated its willingness to pursue civil penalty proceedings, having filed a case against Medibank Private Limited in June 2024 over its October 2022 data breach that affected 9.7 million Australians. The case is still ongoing; however, Medibank faces the lower penalty regime that applied at the time of its breach.

The Qantas incident has raised fresh concerns about sophisticated cyber threats targeting Australia's aviation sector. Cybersecurity experts suggest the breach shows "many hallmarks of the Scattered Spider ransomware group," which has recently been targeting airlines, according to Tony Jarvis, field chief information security officer at Darktrace.

The assessment aligns with recent FBI warnings about Scattered Spider threat actors targeting companies in the airline sector, with Hawaiian Airlines and Canada's WestJet already reporting breaches last week.

Data Compromised and Customer Impact

The breach affects personal information including customers' names, email addresses, phone numbers, birth dates and frequent flyer numbers. Qantas has stated that credit card details, personal financial information, passport details, frequent flyer accounts, passwords and PIN numbers were not compromised as they are not stored in the affected system.

Qantas has established a dedicated customer support line and specialist identity protection advice for affected customers. CEO Vanessa Hudson issued a public apology, stating: "Our customers trust us with their personal information and we take that responsibility seriously."

The OAIC now has significantly enhanced powers to investigate data breaches under the reformed Privacy Act. The regulator can issue notices requesting information and documents about actual or suspected eligible data breaches, conduct assessments of compliance with the notifiable data breaches scheme, and share information with other enforcement agencies.

Qantas has notified the Australian Cyber Security Centre, the OAIC and the Australian Federal Police. The company said it is implementing additional security measures and working with independent cybersecurity experts on the investigation.

Industry Impact and Broader Implications

The breach represents Australia's most significant data incident since the 2022 attacks on Optus and Medibank that prompted the government to strengthen privacy penalties.

The breach also comes at a challenging time for Qantas, which has been working to rebuild its reputation following controversies during the COVID-19 pandemic, including selling tickets for cancelled flights and illegal dismissal of ground workers.

Beyond potential OAIC penalties, Qantas faces the prospect of civil litigation under new statutory tort provisions for serious invasions of privacy, which commenced on 10 June 2025. These allow individuals to sue for damages where there has been a “reckless” breach of privacy that was serious, with damages capped at $AUD478,550 for non-economic loss.

The OAIC has not yet indicated whether it will commence civil penalty proceedings against Qantas, but the regulator's recent enforcement actions signal a more aggressive approach to privacy compliance in Australia.