Qantas data breach started with a fake IT support call

Vlad CONSTANTINESCU

July 16, 2026

Qantas data breach started with a fake IT support call

A vishing attack on an overseas contact center exposed 5.67 million Qantas customer records in 2025, Australia’s privacy regulator says.

Key takeaways

  • An attacker posing as “Qantas IT help” manipulated a contact center agent into authorizing a malicious data connection.
  • Approximately 5.67 million customer records were compromised, including contact and frequent-flyer information.
  • Credit card details, passport data, passwords, PINs and account login credentials were not exposed.
  • The OAIC closed its preliminary inquiries without opening a formal investigation or taking regulatory action.

A fake support call opened access to customer data

On June 28, 2025, an attacker called an employee at an overseas contact center operated by a Qantas contractor. Posing as part of the airline’s IT support team, the caller directed the agent to a customer relationship management platform and described several actions as necessary to close a support ticket.

Those legitimate-looking steps connected the agent’s CRM session to a data extraction tool controlled by the attacker. Qantas identified unusual login-attempt alerts two days later. It then revoked access to the affected account, began assessing the data theft and it publicly disclosed the incident on July 2.

OAIC finds no basis for a formal investigation

The Office of the Australian Information Commissioner said roughly 5.67 million records were compromised. Around 4 million contained names, phone numbers, email addresses and Qantas Frequent Flyer details. Another 1.7 million also included information such as addresses, birth dates, gender or meal preferences.

The OAIC’s preliminary inquiries did not indicate that Qantas was likely to have breached its obligations under Australia’s privacy rules. The regulator cited supplier audits, recurring security training, role-based access controls and Qantas’ incident response. It also noted that a default CRM setting allowed an end user to authorize the third-party connection; the software provider has since changed that setting for all customers.

What affected Qantas customers should do

The regulator’s decision is not a definitive finding that all Qantas practices complied with privacy law, and further action remains possible. Qantas confirmed in October 2025 that criminals had released stolen customer data, although a New South Wales Supreme Court injunction prohibits others from accessing, using or distributing it.

Customers should independently verify unexpected Qantas communications, enable two-factor authentication and never disclose passwords, booking references or financial information to an unsolicited caller. Bitdefender Scamio can analyze suspicious messages, links or screenshots, while Bitdefender Digital Identity Protection can monitor exposed personal information and provide guidance when breach-related risks appear.

tags


Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like

Bookmarks


loader