In July 2025, Qantas Airways confirmed a significant data breach involving the exposure of sensitive customer information. This incident has raised urgent questions for both businesses and consumers regarding data security, legal responsibilities, and rights under Australian privacy law.
We can help organisations navigate legal risks associated with cybersecurity incidents and assist individuals affected by data breaches in understanding their rights. This article, written by our data and privacy law team, explores the key legal issues raised by the Qantas data breach and provides actionable guidance.
Key Takeaways
Australian businesses are legally required to take reasonable steps to protect personal information under the Privacy Act 1988 (Cth).
Consumers have rights under the Australian Privacy Principles (APPs), including the right to know when their data has been compromised.
Failure to notify affected individuals of a breach can lead to regulatory penalties and reputational harm.
Businesses should have a data breach response plan and update it regularly.
Legal advice is critical after a breach – for both compliance and risk management.

What Happened in the Qantas Data Breach?
In early July 2025, Qantas publicly confirmed that a cyberattack had resulted in unauthorised access to customer records, including names, contact information, and frequent flyer numbers. While no financial data was reportedly exposed, the breach highlights the increasing sophistication of cyber threats targeting major corporations.
The Office of the Australian Information Commissioner (OAIC) has been notified, and investigations are ongoing.
Legal Obligations for Australian Businesses
1. Compliance with the Privacy Act 1988
Businesses with an annual turnover of $3 million or more (and some smaller entities) must comply with the Privacy Act 1988 (Cth). This includes obligations to:
Secure personal data against loss, misuse, and unauthorised access (APP 11).
Notify affected individuals and the OAIC when a notifiable data breach occurs (Notifiable Data Breaches scheme).
To ensure you’re fully prepared for a cyber incident, follow our data breach response plan checklist to minimise legal and reputational risks.
2. Mandatory Data Breach Notification
Under the Notifiable Data Breaches (NDB) scheme, businesses must:
Notify individuals whose personal information is involved in a data breach likely to result in serious harm.
Include recommendations on steps the affected individuals should take.
Report the breach to the OAIC.
3. Consequences of Non-Compliance
Failure to meet privacy obligations can result in:
Regulatory fines from the OAIC.
Civil penalties up to $50 million (post-Privacy Legislation Amendment).
Class action litigation and brand damage.
Is your business prepared for a data breach? The legal and reputational risks are too high to ignore. Contact Prosper Law today for key advice on privacy compliance, breach response plans, and legal representation.

Practical Steps for Businesses
To protect customer data and limit liability, businesses should:
Conduct regular risk assessments of data systems and third-party providers.
Implement robust cybersecurity measures, including encryption and multi-factor authentication.
Develop and test a data breach response plan.
Provide staff training on identifying and reporting cyber threats.
Review privacy policies and contracts with service providers.
Learn more about how businesses can improve their information security posture in our article on data breaches and information security.
Consumer Rights After a Data Breach
If your personal information has been compromised:
You have the right to be notified if the breach is likely to cause serious harm.
You may be entitled to compensation under certain circumstances.
You can lodge a complaint with the OAIC if the business fails to act appropriately.
Affected individuals should monitor their accounts, change passwords, and consider placing a credit alert or freeze on their credit file.

Frequently Asked Questions
What qualifies as a notifiable data breach?
A notifiable breach occurs when there is unauthorised access to or disclosure of personal information, and it is likely to result in serious harm to the affected individuals.
What should I do if my business suffers a data breach?
You must contain the breach, assess the risk of harm, notify affected individuals and the OAIC if required, and take steps to prevent future incidents.
Understand how recent reforms impact your obligations under the Privacy Act in our summary of the new privacy laws in Australia for 2025.
Can consumers claim damages for a data breach?
While there is currently no direct right to damages under the Privacy Act, affected consumers may seek compensation through complaints to the OAIC or class actions in more serious cases.
How long do I have to notify the OAIC of a data breach?
Businesses must notify the OAIC and affected individuals as soon as practicable, and generally within 30 days of becoming aware of the breach.
Was my personal information exposed if I was a Qantas customer?
If you’re a Qantas customer, check for direct communication from the airline. Under the Privacy Act, Qantas must notify you if your data was part of a breach likely to cause serious harm. Qantas is publishing regular updates on its website. You can also monitor the OAIC’s public breach notifications for confirmation.
Can my business be held liable for a third-party data breach?
Yes. If your business shares customer data with third parties (e.g. service providers or cloud platforms), you can still be held legally accountable for ensuring those parties comply with the Privacy Act. It’s critical to have strong data protection clauses in vendor contracts.