Tech support scam caused massive Qantas data breach affecting 5.7 million customers

Australia’s privacy regulator has ruled that Qantas did not breach privacy laws when a voice-phishing attack tricked a call center worker into exposing 5.7 million customers’ personal information, in a decision that underscores how effective social engineering attacks can be even against trained employees.

The 2025 data breach began when a caller identifying themselves as “Qantas IT support” tricked a contact center employee into connecting the airline’s customer relationship management system to an external data extraction tool. The attackers then stole millions of customers’ personally identifiable information.

Australian Privacy Commissioner Carly Kind concluded that Qantas had taken reasonable steps to prevent such an incident and therefore did not breach Australian privacy principles. The airline had audited its contact center operator, tested employees with security awareness exercises months before the attack, mandated regular privacy training, and implemented role-based access controls.

“Qantas could not reasonably have foreseen and prevented the data breach in the manner that it occurred,” the commissioner’s report said. “The threat actor gained access via a voice-phishing attack, and strengthening Qantas’s current role-based access controls would not have prevented such an attack.”

The commissioner declined to open a formal investigation, but the matter could be revisited. A class-action lawsuit against the airline is already underway.

While the report did not identify the attackers, industry speculation points to the Scattered Spider criminal group, which shifted focus to the aviation sector weeks before the Qantas incident.

The ruling sets an important precedent for how regulators view advanced social engineering attacks against organizations with mature security practices and underscores that even well-defended systems remain vulnerable to the oldest vulnerability: human trust.

Scroll to Top