We now have a better understanding of the Qantas data breach. It occurred at the airline’s Manila call centre. Qantas says 5.7 million records were compromised.
If you missed the original article, “Qantas Frequent Flyer data breach: The first of many more transport-specific attacks”, it is a good idea to read it first.
Qantas engages third parties that operate call centres in Manila, Auckland (New Zealand), Johannesburg (South Africa) and Hobart. Therefore, this breach is due to Qantas’s lack of security, regardless of how or by whom it was accessed.
The airline later admitted that a potential cybercriminal had made contact, but it would not disclose if or how much of a ransom was being sought. It simply said it was now a matter for the Australian Federal Police.
The 5.7 million customer records contained information on frequent flyer accounts (name, address, phone number, date of birth, gender), their lounge membership tier, including those in the exclusive member-only Chairman’s Lounge, and the food preferences of thousands of travellers.
The membership tier is the gold at the end of the rainbow, as the Qantas Chairman’s Lounge includes the Prime Minister, government ministers, senior bureaucrats, sports and other celebrities, and large corporations.
Qantas has stated:
- About 4 million of the 5.7 million records were limited to name, email address and Qantas frequent flyer details only
- An unspecified subset had points balance and status credits.
Within the 4 million figure:
- 1.2 million customer records contained only name and email address.
- Records for 1.7 million Qantas travellers contained a combination of their address (1.3 million), date of birth (1.1 million), phone number (900,000) and gender (400,000), and some – about 10,000 – even had their meal preferences hacked.
Baying for blood – or should be
Consumer law experts state that Qantas customers affected by the data hack could be entitled to compensation if the airline breached passenger privacy.
Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said:
“Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour. Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access. The use of the data may not meet the standards of what most people expect for the way the data is collected and how it’s used.”
CyberShack’s take: The Qantas data breach update reveals that we are disclosing too much information that can be used against us.
Let’s be clear. Qantas Frequent Flyer is a loyalty program. Qantas wants to know as much about you as possible, scraping that from disparate sources, not just your application form.
Don’t be surprised that it has built a profile well beyond what you expect. It uses that data to ensure you remain rusted on.
The problem is that when you joined, you gave it a license to do this in its 7695-word fine print terms and conditions (updated 27 June 2025) and 2244-word privacy statement (updated 19 December 2024).
Qantas claims its security is sufficient, but the reality is that if the database is compromised, a vast amount of sensitive data could be exposed, potentially harming us all.
4 comments
Debbie
After getting numerous calls from around the world, I rang the Qantas helpline to be told to contact your mobile provider as they may be able to do something or change your phone number. Qantas caused this problem, not my mobile provider. Showed no interest in helping.
Ray Shaw
Typical of Qantas to blame someone else. You want your number, which you have probably had for life. Did they ask you to change your gender and date of birth too? 😂
HAROLD ROBERTSOn
As with any of these data breaches of such magnitude, I often think that an inside job to me cannot be ruled out.
How easy would it be to obtain an illicit hard drive data copy of the data for sale on the dark web?
Ray Shaw
Analysts suspect it was an inside job, which makes it worse that QANTAS did not have the right internal security in place.