Qantas hides stolen data in a cloak of secrecy with permanent injunction

The Supreme Court of New South Wales (NSW) has granted Australian airline Qantas a permanent injunction to prevent the use of data stolen in a June ransomware attack. Is such a legal option worth the trouble or a waste of time?
When it emerged in early July that almost six million customer details were stolen from Qantas in a security breach, it seemed a bit bizarre that the airline kept saying that its operations weren’t actually impacted.
At the time, the company explained that its system doesn’t store credit card details, personal financial information, or passport details. Customer names, email addresses, phone numbers, dates of birth, and frequent flyer numbers were nabbed.
Secrecy successfully obtained
While this might not seem like the most sensitive data, threat actors could still use the information to craft sophisticated phishing scams that urge flyers to hand over their credentials.
However, there’s another reason why Qantas remained remarkably calm over the seemingly major cyber incident. Soon after the attack, the company was granted an interim injunction in the NSW Supreme Court, aimed at stopping the data from being accessed or released.
The court has now made the injunction permanent. Essentially, the order prevents third parties from publishing, viewing, or accessing the data if it is released by the attackers.
As per news.com.au, Qantas has also successfully obtained permission not to publicly disclose the identities of lawyers acting for the company, saying that the hackers could target them.
Justice Francois Kunc said that “the perpetrators have some temporary ire against the legal advisors,” and that “it is depressing as it is obvious to observe that their attention will move on.”
Qantas claims there’s no evidence that the stolen data has been released, but the hackers allegedly contacted the airline via a series of emails. Rather than giving in to a ransom demand, the company responded by filing a lawsuit against “persons unknown.”
They were defined as anyone or any entity that carried out, participated in, or assisted in stealing the data, communicated payment demands to Qantas, or posted the stolen data online.
A bold and principled strategy?
Crucially, Justice Kunc – who described hacking and data leaks as a “serious societal problem” – said that even though the perpetrators appeared to be “beyond our reach,” it was important for the courts not to “turn its face” on the situation.
Indeed, experts say that even where cybercriminals cannot be identified, legal options such as permanent injunctions, which can help to limit the spread of the hacked information, are available and should be used.
And while obtaining an order against unknown hackers can be challenging, injunctions can also be directed at other third parties, such as websites or banks, to prevent further dissemination or use of the stolen data.
“While cybercriminals based overseas might not take much notice of such an injunction, orders can be framed to capture others who come into possession of the hacked information with knowledge of the orders,” wrote James Neil, Emina Besirevic, and Tom Flower, all lawyers at Australian law firm Clayton Utz.
“This, in turn, can at least help to prevent the further dissemination of hacked data or information in places where it is more likely to be seen by ordinary people, and not just those lurking in the dark web with nefarious intent.”
This avenue of action should also be favored by targeted companies because injunctions “reduce the risk of securities class actions (lawsuits filed by investors who lost money on a publicly traded security) being brought.”
However, the Clayton Utz lawyers are also very clear that litigation and injunctions shouldn’t be relied upon as a security blanket. Organizations should instead focus on preventing a breach in the first place.
“Once the horse has bolted, litigation can be one tool to minimise the extent of damage, but it should be only one element of a business's overall cyber risk strategy,” said the lawyers.