Qantas is facing a significant class action lawsuit after a devastating cyber attack on 30 June 2025 compromised the personal information of 5.7 million customers—nearly a quarter of Australia's population.
Maurice Blackburn Lawyers filed the complaint with the Office of the Australian Information Commissioner (OAIC) on 17 July, marking one of the most significant data breaches in Australian corporate history.
The breach occurred at a Qantas call centre in Manila, Philippines, where a cybercriminal potentially orchestrated by the notorious Scattered Spider cybercriminal group saw hackers use artificial intelligence to impersonate a Qantas employee at the airline's Manila call centre. This AI-powered deception granted the criminals access to a third-party customer service platform, exposing a treasure trove of sensitive customer data.
The compromised data, affecting 5.7 million customers, included names, email addresses, and frequent flyer numbers for 4 million, with 1.7 million also having addresses, dates of birth, phone numbers, gender, and 10,000 with meal preferences exposed.
No credit card details, passports, or financial information were stored on the platform, as confirmed by Qantas CEO Vanessa Hudson on 9 July 2025: 'credit card information, passport information, key identity information, whether it be password or PIN numbers, we know they weren't a part of this breach.'
X posts from @TEISS on 11 July 2025 state, 'Qantas Data Breach Hits 5.7 Million Passengers. Names, Frequent Flyer numbers, contact info, and even meal preferences, were exposed in a third-party breach.'
✈️ Qantas Data Breach Hits 5.7 Million Passengers
— teiss (@TEISS) July 11, 2025
Names, Frequent Flyer numbers, contact info—and even meal preferences—were exposed in a third-party breach. Is your data among the millions? https://t.co/snbDmLFvuw #Qantas #DataBreach #CyberSecurity #Infosec #PrivacyAlert pic.twitter.com/itDVFO8938
The system was contained, and no frequent flyer accounts were directly accessed.
Class Action Seeks Compensation
Maurice Blackburn Lawyers filed a representative complaint with the OAIC, alleging that Qantas had failed to protect customer data adequately.
Principal lawyer Elizabeth O'Shea stated on 17 July, 'We encourage Qantas customers impacted by the breach to register with us to receive updates about the representative complaint.'
The firm, which secured £89 million ($119 million) for Qantas workers in a 2024 outsourcing case, is inviting the 5.7 million affected customers to participate in a non-binding registration.
X posts from @australian on 18 July said, 'Qantas is facing legal action by Maurice Blackburn for compensation for millions of customers caught in a major cyber attack.'
Qantas is facing legal action by Maurice Blackburn for compensation for millions of customers caught in a major cyber attack. Latest: https://t.co/TcQlBAUWLF pic.twitter.com/TI4YUHOJ80
— The Australian (@australian) July 18, 2025
The OAIC is reviewing the complaint, with potential fines up to £1.6 million ($2.1 million) per Privacy Act violation, though compensation amounts remain unspecified pending investigation.
Qantas' Response and Customer Support
Qantas has notified affected customers, starting 9 July, detailing compromised data and offering support via a dedicated line (1800 971 541 or +61 2 8028 0534).
Hudson stated on 8 July, 'We are focused on providing the answers and transparency our customers deserve.'
The airline has implemented enhanced security measures and is collaborating with the Australian Federal Police, the Australian Cyber Security Centre, and CyberCX.
No ransom demands have been confirmed, although a potential cybercriminal contacted Qantas, as reported by ABC News on 8 July.
Customers are urged to stay vigilant for scams, with Hudson noting, 'We will never request passwords or sensitive login information.'
The airline secured an injunction to limit the spread of stolen data on the dark web; however, no data has been detected there as of 18 July.
What This Means for Affected Customers
Security experts are urging all Qantas customers to take immediate protective measures:
- Change passwords on all accounts, especially those using similar credentials to their Qantas account
- Monitor bank statements and credit reports for unusual activity
- Be wary of phishing attempts via email, SMS, or phone calls claiming to be from Qantas
- Enable two-factor authentication on all sensitive accounts
- Consider credit monitoring services, particularly for the 1.7 million customers whose detailed information was exposed
The Broader Context
This attack on Qantas represents more than just another data breach—it's a watershed moment in Australian cybersecurity. With 5.7 million people affected, virtually every Australian family is likely to know someone whose data has been compromised.
The breach also highlights the double-edged sword of artificial intelligence in cybersecurity. While AI can enhance security measures, it's equally powerful in the hands of cybercriminals, creating an arms race between defenders and attackers.
As the OAIC investigation unfolds and the class action progresses, this incident may well reshape how Australian companies approach data security, particularly in relation to offshore operations and AI-related threats. For now, millions of Australians face the unsettling reality that their personal information is in criminal hands, a reminder of our vulnerability in an increasingly connected world.
Affected customers can register for the class action through Maurice Blackburn Lawyers' website or contact the firm directly for more information about their rights and potential compensation.
