Qantas Data Breach

In May 2025, Qantas disclosed that a third-party customer service platform it used had been compromised, exposing the personal information of approximately 5.7 million current and former Qantas customers. The exposed data may include names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. Qantas has stated that passwords and payment details were not accessed.

The Qantas data breach action concerns a cyber incident in which customer personal information was accessed through a third-party customer servicing platform used by a Qantas airline contact centre. Maurice Blackburn has lodged an OAIC representative complaint seeking compensation for affected customers.

Maurice Blackburn has lodged the representative complaint with the Office of the Australian Information Commissioner on behalf of affected Qantas customers.

Approximately 5.7 million current and former Qantas customers are believed to have been affected. If you were a Qantas customer and received a notification from Qantas about your data being exposed, your information is likely among those compromised. Frequent flyer members are also understood to be among the affected group.

An OAIC representative complaint is a privacy complaint made on behalf of a group of people with similar claims. It can seek findings, remedial action and compensation through the privacy regulator process.

Maurice Blackburn Lawyers has made a representative complaint to the Office of the Australian Information Commissioner (OAIC) alleging that Qantas breached the Privacy Act 1988 (Cth) by failing to adequately protect customer personal information. The complaint is a formal step that may result in an OAIC investigation and determination against Qantas for its handling of customer data.

If you were a Qantas customer whose personal information was exposed in this breach, you may be eligible to be included in the representative complaint to the OAIC. This includes customers who received a notification from Qantas or who were Qantas Frequent Flyer members at the time of the breach. Following this matter is the first step to being kept informed of developments.

Qantas confirmed that a cyber criminal accessed a third-party customer servicing platform used by a Qantas airline contact centre. Qantas said the incident was detected on 30 June 2025 and contained shortly after.

The Office of the Australian Information Commissioner (OAIC) is the federal regulator responsible for enforcing the Privacy Act 1988 (Cth). A representative complaint allows a law firm to bring a complaint on behalf of a group of affected individuals. If the OAIC finds that Qantas breached the Privacy Act, it can issue a determination requiring Qantas to take corrective action, which may include compensation for affected individuals.

Qantas and Maurice Blackburn have referred to approximately 5.7 million Qantas customers being affected by the cyber incident.

The affected information included names, email addresses, phone numbers, dates of birth and frequent flyer numbers. For some customers, other profile information such as addresses may also have been involved.

The complaint seeks remedies for affected customers whose personal information was exposed due to Qantas's alleged failure to meet its obligations under the Privacy Act. Potential remedies may include compensation for loss, distress, or damage suffered as a result of the breach. The exact outcome will depend on the OAIC's investigation and any determination it makes. No promises as to specific amounts can be made at this stage.

No. Following this matter is completely free. You will not be asked for payment details and you are under no obligation of any kind by following or registering your interest in this matter.

Qantas has stated that credit card details and personal financial information were not compromised in the breach.

No. Following this matter creates no legal obligation, no solicitor-client relationship, and no commitment of any kind. It simply means you will receive public updates about the OAIC complaint and any developments as they occur, including key dates and published outcomes.

Qantas has stated that passport details were not compromised in the breach.

Qantas has stated that passwords, frequent flyer login credentials and frequent flyer accounts were not compromised.

Yes. Qantas confirmed in October 2025 that customer data stolen in the cyber incident had been released by cyber criminals. Maurice Blackburn has stated that the personal data of 5.7 million customers was released on the dark web.

Qantas has described the incident as involving a third-party platform used by a Qantas airline contact centre. Qantas has stated that its broader systems remained secure and that the incident did not affect airline safety or operations.

Yes. The Office of the Australian Information Commissioner confirmed that Qantas notified it of an eligible data breach under the Notifiable Data Breaches scheme and that the OAIC was engaging with Qantas about compliance with its obligations.

The current public legal pathway is an OAIC representative complaint lodged by Maurice Blackburn. Some reports may describe it as a class action or compensation case, but it should be described carefully as an OAIC representative complaint unless a separate Federal Court class action is confirmed.

The complaint alleges that Qantas breached privacy laws by failing to adequately protect customers' personal information. Any allegations should be described as allegations unless and until determined by the OAIC or a court.

Affected Qantas customers whose personal information was compromised in the 2025 cyber incident may potentially be covered. Eligibility will depend on the scope of the representative complaint and any directions or outcomes from the OAIC.

Potential compensation would depend on the OAIC process, any findings made, and evidence of harm or loss. Relevant impacts may include distress, time spent dealing with the breach, scam attempts, identity misuse, financial loss or loss of control over personal information.

Affected customers should keep Qantas breach notices, avoid clicking suspicious links, monitor accounts, use strong unique passwords, enable multi-factor authentication where available and report scams to Scamwatch.

Yes. Names, email addresses, phone numbers, dates of birth and frequent flyer numbers can be used for phishing, impersonation, fake travel refund messages, fake loyalty point messages, fake booking alerts or other social engineering scams.

Customers should watch for fake Qantas refund messages, fake flight credit notices, fake loyalty point messages, account verification scams, travel booking scams, baggage delivery scams and calls asking for passwords, one-time codes or payment details.

Not always. Privacy complaints may involve non-financial harm such as distress, anxiety, embarrassment, inconvenience or loss of control over personal information. However, customers should keep evidence of any financial and non-financial impacts.

Qantas has said passwords and frequent flyer login credentials were not compromised. However, customers should still use a strong unique password and update it if they reused it on other services or have any concerns about account security.

Qantas has said passport details, credit card details and personal financial information were not compromised. Customers usually would not need to replace a passport or card solely because of this breach, but should contact their bank or passport authority if they receive direct evidence of misuse or separate exposure.

Customers should keep Qantas emails or letters, screenshots of scam texts or emails, call logs, Scamwatch reports, IDCARE references, bank or card correspondence, records of time spent dealing with the breach and any evidence of distress, identity misuse, fraud or financial loss.

A cautious description is: 'Maurice Blackburn has lodged an OAIC representative complaint seeking compensation for Qantas customers affected by the 2025 data breach. The matter should not be described as a filed Federal Court class action unless court proceedings are separately confirmed.'

The Qantas data breach action concerns a 2025 cyber incident in which customer personal information was accessed through a third-party customer servicing platform used by a Qantas airline contact centre. Maurice Blackburn has lodged an OAIC representative complaint seeking compensation for affected customers.

No. The Qantas data breach action is about personal information exposed in a cyber incident. The Qantas Flight Credits Class Action concerns COVID-era flight credits and refunds. They are separate matters.

The current public legal pathway is an OAIC representative complaint lodged by Maurice Blackburn. It should be described as an OAIC representative complaint or compensation investigation unless separate Federal Court class action proceedings are confirmed.

Maurice Blackburn has lodged the representative complaint with the Office of the Australian Information Commissioner on behalf of affected Qantas customers.

Maurice Blackburn says the complaint alleges that Qantas breached privacy laws by failing to adequately protect customers' personal information. These should be described as allegations unless and until determined by the OAIC or a court.

The affected information included names, email addresses, phone numbers, dates of birth and frequent flyer numbers. For some customers, other profile information such as addresses may also have been involved.

Qantas has stated that the incident did not affect airline safety or operations.

Qantas has described the incident as involving a third-party customer servicing platform used by a contact centre. Qantas has stated that its broader systems remained secure.

An OAIC representative complaint is a privacy complaint made on behalf of a group of people with similar claims. It can seek findings, remedial action and compensation through the privacy regulator process.

Not always. Privacy complaints may involve non-financial harm such as distress, anxiety, embarrassment, inconvenience or loss of control over personal information. However, customers should keep evidence of both financial and non-financial impacts.

Affected customers should keep Qantas breach notices, avoid clicking suspicious links, monitor accounts, use strong unique passwords, enable multi-factor authentication where available and report scams to Scamwatch.

Customers should keep Qantas emails or letters, screenshots of scam texts or emails, call logs, Scamwatch reports, IDCARE references, bank or card correspondence, records of time spent dealing with the breach and any evidence of distress, identity misuse, fraud or financial loss.