Hong Kong privacy watchdog opens probe into Qantas data breach

The Hong Kong privacy watchdog has launched an investigation into a data breach at Qantas Airways that affected some 20,000 customers across the city.

The Office of the Privacy Commissioner for Personal Data received a data breach notification from Qantas on 9 July. The airline confirmed on Sunday (12 October) that the personal information of 5.7 million customers has been leaked online.

The incident resulted from a breach of a third-party service provider's system and is linked to the hacking group “Scattered Lapsus$ Hunters”, which is also suspected of attacking multinational companies such as Disney and Google.

According to PCPD's investigation, preliminary information from Qantas indicates that around 20,000 Hong Kong customers were affected, with personal data including names, gender, date of birth, home address, email, phone numbers and health information were breached. Even details like meal preferences and requests for special assistance were leaked. Affected individuals have been notified, and further information will be submitted to the PCPD this month.

Qantas said hackers leaked the personal information of 5.7 million customers to the dark web, the PCPD will further follow up with the airline to determine whether the personal data of affected Hong Kong customers has indeed been compromised, as well as the number of customers involved and the types of affected personal data.

The PCPD has urged individuals who suspect their personal data has been leaked to inquire or file complaints with the relevant organisations or the PCPD.

It has also advised individuals who might be affected to stay alert to the potential misuse of their personal data and to take steps to safeguard their privacy. This includes changing online account passwords, enabling multi-factor authentication, monitoring personal emails or accounts for any unusual login activity, and being cautious of phishing and other scams.

Don't miss: Qantas comes out of its shell with sky-high 3D stunt

PCPD said in a statement it has contacted the online platform Discord after the recent leak of identification photos belonging to around 70,000 global users. Along with the leaked photos, some users' names, emails, and other information have been stolen, with hackers using this data to extort a ransom.

On 3 October, Discord announced that a hack of its third-party customer service provider 5CA resulted in the leak of personal information for users who had contacted support. This included names, email addresses, payment details, the last four digits of credit cards, transaction history, IP addresses, chat logs, and age verification ID photos for about 70,000 users worldwide.

The PCPD has received two related inquiries but has not received any complaints. It has not received a notification regarding the data leak incident from Discord. Meanwhile, the office has contacted the company to conduct a compliance review in order to understand the number of Hong Kong users involved and the details of the affected personal information.

Take your brand to new heights with cutting-edge AI strategies, innovative technology, and data-powered experiences. Don’t miss Digital Marketing Asia 2025 in Hong Kong on 20-21 October, where 200+ marketing leaders will explore game-changing trends, proven successes, and bold ideas shaping the future.

Related articles:

Qantas comes out of its shell with sky-high 3D stunt
Qantas takes flight with uniform redesign
Qantas CEO to step down earlier than expected amidst legal proceedings