Lavan is proud to be shortlisted for the Chambers Asia-Pacific and Greater China Region Honours 2026 'Pro Bono Outstanding Firm' Award. Learn more
Get in touch
Lavan Homepage

Qantas Airways is now among Australia’s latest high-profile corporate victims of cyber-attacks.

Qantas’ example is notable from a legal perspective since Qantas has (in the case of Qantas Airways Ltd v Persons Unknown [2025] NSWSC 776) successfully applied to the NSW Supreme Court for an urgent interlocutory injunction against ‘persons unknown’ – the anonymous hackers responsible for the attack – intending to prevent them from publishing or disseminating the accessed files.

Background

Though perhaps novel among major Australian corporations, Qantas’ legal efforts are not entirely without precedent. Most notable is the well-publicised case of HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 in 2024. Like the HWL Ebsworth case, the Qantas breach is of a significant scale. Qantas has disclosed that the cyber-attack, which successfully targeted one of its contact centres, obtained data pertaining to approximately 5.7 million customers.

Unlike the case of HWL Ebsworth, which concerned over a million files with a high degree of legal sensitivity, Qantas and its customers have been fortunate in the type of data that was compromised. Qantas has assured customers that no credit card details, personal financial information or passport details were stored in the compromised systems (though names, addresses and dates of birth featured in some records stolen). Qantas has said that it has contacted the affected customers, outlining the specific types of personal data that were compromised.

Judgement

As previously noted, Qantas filed its interlocutory injunction against ‘persons unknown’.  In Qantas Airways Ltd v Persons Unknown, Kunc J said:

In the age of hackers and challenges to cybersecurity, the Court has become well familiar with this type of matter. There is no doubt that since the decision of Slattery J in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 proceedings can be brought in this form.1

An interesting quirk of Qantas’ application concerns the method by which Qantas decided to maintain contact with the defendants. For the purpose of negotiating a ransom, the defendants had established a dedicated message box and specially set up email addresses. This was fortunate for Qantas, as it has allowed them to effect proper service for the purpose of the Court’s rules.

In order to preserve Qantas’ ability to effect service, the Court ordered that the hearing take place in closed court with the transcript suppressed until service was effected, as otherwise the defendants could foreseeably have disconnected themselves from the relevant email addresses in order to frustrate service.2

Value Of Injunctions Against Persons Unkown

Some commentators have questioned the worth of an injunction against anonymous hacker groups. There would often be little reason for such groups to comply with an order made by a court, since their layers of anonymising security measures would allow them to disseminate stolen information without being compromised. However, there are arguably still merits to such an injunction:

Firstly, the Qantas injunction prevents the stolen data being accessed, viewed, used, transmitted or published by anyone, including third parties. The affected persons can therefore prevent news organisations and online platforms (for example) from broadcasting the material further.

Secondly, the injunction arguably sends a signal that Qantas is taking proactive measures to limit the damage. This may have public perception benefits and could reduce the risk of securities class actions (though, we note that Maurice Blackburn has already lodged a representative complaint with the Office of the Australian Information Commissioner).

Lavan Comment

While by no means is an interlocutory injunction a bullet-proof remedy for corporations who experience anonymous cyber-attacks that compromise customer data, in the appropriate case it seems like a useful legal avenue. Regardless of the remedy’s practical impact, we expect to see its further use by corporations who inevitably suffer from cyber-attacks in the future.

If this article has raised any concerns for you or your company / business, please do not hesitate to contact Iain Freeman.

Thank you to Michael Pendlebury, Solicitor, for their valuable research and assistance with this article.


Disclaimer

The information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.

Footnotes

  1. At [1].
  2. At [10].
Authors
Iain Freeman
Partner

Related Publications

10 Mar 2026 Cyber, Privacy & Data Protection

The cost of failure to discharge privacy and cyber governance is real

Iain Freeman
Iain Freeman Partner
The cost of failure to discharge privacy and cyber governance is real
4 Dec 2025 Cyber, Privacy & Data Protection

Australia’s cyber security strategy 2023 to 2030 – progress to date and the shift to Horizon 2

Iain Freeman
Iain Freeman Partner
Australia’s cyber security strategy 2023 to 2030 – progress to date and the shift to Horizon 2
21 Oct 2025 Cyber, Privacy & Data Protection

Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224 – First civil penalty ordered in the history of the Privacy Act 1988 (Cth)

Iain Freeman
Iain Freeman Partner
Australian Information Commissioner v Australian Clinical Labs (No 2) [2025] FCA 1224 – First civil penalty ordered in the history of the Privacy Act 1988 (Cth)

Stay up to date with Lavan

Subscribe to Publications or News

"*" indicates required fields

Publications of Interest*
Select publications of interest
Fields marked with * are required.
Back to top