The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.
There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.
Optus was the target of a class action after a customer data breach. Credit: Eddie Jim
“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”
It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.
Monash Business School Department of Business Law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”
Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the target of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.
The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.
At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.
In 2019, the watchdog’s assessment recommended that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.
The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.
Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.
“No breach of this size is just for giggles,” said Refiti, whose company also provides cybersecurity compliance advisory services.
“The attackers would have to be looking to monetise it in some manner.”
Scattered Spider has already hit Hawaiian Airlines and Canada’s WestJet this year.
Despite mandatory ransomware and cyber extortion rules coming into effect in May 2025, it is not clear whether a ransom demand has followed Qantas’ data loss.
Cybersecurity company Darktrace’s vice president Tony Jarvis said: “It is notoriously difficult to confirm if and where information ends up on the dark web.
“The group that steals the data is often not the group that directly monetises it – and dark web monitoring only catches things that are sold on open market, essentially marketed for anyone with access to the forum to buy.
“That means if there is already an approved buyer, or a closed network, it will not appear on the dark web,” he said.