Powered by
MOMENTUM
MEDIA
A national law firm has lodged a representative complaint against Qantas, seeking compensation on behalf of millions of customers whose personal data was compromised in the airline’s recent cyber attack.
Maurice Blackburn has filed a representative complaint with the Office of the Australian Information Commissioner (OAIC) after a major Qantas data breach exposed the personal information of 5.7 million customers.
The breach, which occurred on 30 June 2025, was the result of a cyber criminal attack on a Qantas call centre, granting unauthorised access to a third-party platform used for customer service.
It’s reported that the incident involved cyber criminals using AI to impersonate a Qantas employee, successfully tricking a customer service operator in Manila into disclosing sensitive information.
Among the data exposed were names, addresses, email addresses, phone numbers, dates of birth, Qantas Frequent Flyer numbers, and even details about their meal preferences.
While no group has claimed responsibility, reports suggest that a hacking collective known as Scattered Spider may be behind the attack.
When Qantas confirmed the theft of customer data in the cyber attack, the airline stated that the breach had been contained and assured there was “no impact” on its operations or safety.
The complaint lodged by the national law firm accuses Qantas of failing to take adequate measures to protect the personal information held in the customer database managed by its Manila call centre.
The OAIC has confirmed receipt of Qantas’s notification under the Notifiable Data Breaches scheme and is actively monitoring the airline’s compliance with its privacy obligations.
Maurice Blackburn principal lawyer Elizabeth O’Shea is urging Qantas customers affected by the data breach to register with the firm’s representative complaint, as they await a response from the OAIC.
“While we await a response and potential action from the OAIC in relation to Qantas failing to adequately protect the personal information of its customers, we would encourage Qantas customers who were impacted by the breach to register with us to receive updates about the representative complaint and compensation which may be sought on your behalf. Registration is free and non-binding,” O’Shea said.
“It is early days in what we are learning about the mass data breach, but if you’re one of the millions of people that have had your personal information compromised, you’re eligible to register with us, and we will keep you informed as the matter progresses”.
The move comes on the same day Qantas secured an interim injunction to prevent any individual or organisation from publishing the personal information of 5.7 million customers stolen in the recent cyber attack.
The airline described the NSW Supreme Court’s ruling as an “important next course of action”, while also reiterating that there is currently “no evidence” the stolen data has been released into the public domain.
The injunction ensures that if cyber criminals do publish the stolen data, such as on the dark web, others, including media outlets, will be legally prohibited from republishing or distributing that information.
“Since the incident, we have put in place a number of additional cyber security measures to further protect our customers’ data, and are continuing to review what happened,” CEO Vanessa Hudson said in an update.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre, and the Australian Federal Police. I would like to thank the various agencies and the federal government for their continued support.”
