Qantas hack victims 'unlikely to win in court,' cybersecurity expert says
The July 2025 incident affected 5.7 million Qantas customers.
Qantas has confirmed that the July 2025 cyberattack, in which 5.7 million customers’ data was stolen and eventually released, happened via a third-party platform. The airline is attempting to prevent the stolen data from being released to the public.
In an update on October 12, 2025, Qantas said that its cyber incident in early July resulted in 5.7 million customers having their data stolen via a third-party platform, and that the company is working together with cybersecurity experts to establish the nature of the data that was released.
“Through the NSW Supreme Court, we have an ongoing injunction in place to prevent the stolen data being accessed, viewed, released, used, transmitted, or published by anyone, including third parties.”
The Australian airline added that since the incident it has put additional security measures in place, increased training across its teams, and strengthened monitoring and detection on its systems. In July, it had already contacted its customers about their compromised data, and the scope of that data has not changed since.
Passengers’ data was split into two groups: the majority had their name, email address, and Frequent Flyer details stolen, and a smaller portion of customers’ addresses, date of birth, phone number, gender, and meal preferences were compromised.
Qantas reiterated that no credit card details, personal financial information, passport details, passwords, PINs, or logins were accessed by the hackers.
When Qantas disclosed the breach in July, it said that it happened "when a cyber criminal targeted a call centre and gained access to a third-party customer servicing platform."
According to Dr. Ilia Kolochenko, Chief Executive Officer (CEO) at ImmuniWeb, who previously worked with INTERPOL and Europol and is a Cybersecurity Practice & Cyber Law professor at Capitol Technology University, the fact that only 5.7 million customers’ data was leaked supports the conclusion that “the data breach has likely occurred because of a compromised third party or an isolated system operated by Qantas, its vendors or subsidiaries.”
“While there is no reason to panic, victims of the data breach may suffer fairly serious and long-lasting consequences. Augmented with freely available GenAI tools, social engineering and phishing attacks become quite sophisticated and smartly organized.”
Kolochenko pointed out that his company has investigated cases when hackers “impersonated a national data protection agency and special law enforcement unit to contact victims just after their data was leaked on the Dark Web, promising 'fair compensation' and asking just to verify and complete their personal data to proceed.”
Thus, victims of such cyberattacks should stay vigilant, Kolochenko said.
“As to the eventual liability of Qantas, it will largely depend on the underlying facts of the data breach and jurisdictions where legal proceedings may take place.”
According to the Office of the Australian Information Commissioner (OAIC), Australia’s national data protection authority, “a serious or repeated interference with privacy” by a company carries a fine of no more than the greatest of AU$50 million ($32.6 million); “three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate, that is reasonably attributable to the conduct constituting the contravention”; or, if the court cannot determine the value of the benefit, 30% of the company’s adjusted turnover during the breach turnover period.
In Europe, under the General Data Protection Regulation (GDPR), “severe violations” can result in fines of up to €20 million ($23.1 million) or up to 4% of a company’s global turnover for the previous fiscal year, whichever is higher. Less serious violations carry a fine of up to €10 million ($11.5 million) or 2% of a company’s annual revenue, whichever is higher.
Kolochenko noted that “those countries that have extraterritorial data protection legislation and whose residents are impacted by the data breach, may start their own inquiry and eventually impose statutory fines on Qantas,” yet warned that victims of the attack are unlikely to win in court “unless they manage to prove non-mitigatable damages directly caused by the breach.”
For example, in a different jurisdiction, the United Kingdom’s Information Commissioner’s Office (ICO) imposed a £20 million ($26.6 million) penalty on British Airways after it leaked 400,000 customers’ data in 2018.