30 July 2025
What the Qantas data breach teaches us about privacy culture
In summary
- Most businesses think data privacy is a compliance problem. But that’s only part of it. Your company culture needs to revolve around privacy as well.
- And if Qantas can get breached, with best-in-class tech and monitoring, the rest of us need to rethink how we protect customer data.
- Here’s what that means for your team, your processes, and your performance.
The breach that should change how you think
Qantas is one of the most trusted brands in Australia. It also has some of the most sophisticated cybersecurity systems in the country, from real-time threat monitoring to dedicated incident response teams.
And yet, in July 2025, the airline confirmed a data breach that exposed customers’ full names, dates of birth and frequent flyer information. It happened despite having the right infrastructure in place.
By adopting a culture of privacy, technology stops being something you rely on in isolation and becomes an integral part of the team operating around it. Legal and compliance become a security gate, protected by a well-armed team of keepers who are aligned on the same language and goals.
Culture is your last line of defence
We’re in a new era of accountability. The OAIC and Attorney-General’s office have made it clear: privacy compliance is no longer enough.
Regulators are no longer satisfied with checklists or policies filed away in a drawer. They want to see privacy in action: how your teams actually behave, make decisions, and manage risk in the real world.
That means organisations need more than just technical expertise. You need culture, process, and education woven into every layer of your business.
Do your teams understand the difference between de-identified and anonymous data? Do they know what personal information is being collected, where it’s going, and who has access?
According to the International Association of Privacy Professionals (IAPP), a privacy-respecting organisation isn’t one that simply meets obligations; it’s one where people, across every function, know how to make privacy-first decisions every day.
Why people matter more than policies
As Stephen Scheeler (ex-CEO of Facebook ANZ) said during Twilio’s Decoding Trust event earlier this year, “Human expectation changes way faster than government regulation.” That’s the challenge modern brands face: keeping up not just with new laws, but with rising consumer expectations around transparency and trust.
A robust privacy culture doesn’t stop at legal tick-boxes. It empowers employees to spot risks, ask better questions, and champion the balance between personalisation and protection. Because if your teams don’t understand how data is collected, used, or safeguarded, how can your customers?
Scheeler also highlighted the growing demand for permission-based marketing and AI-free experiences, user-defined boundaries that only work if teams are aligned internally. That means marketing, data, and CX teams need to be fluent in privacy principles, not just defer to legal.
Privacy is no longer a siloed concern. It’s a people issue. And getting it right means rethinking how you train, reward, and align your teams around trust, not just compliance.
Marketing, data and CX teams… this starts with you
Marketing and customer experience teams are often the first to collect, tag or activate customer data, sometimes without fully realising the risk.
That’s why embedding a privacy culture, beyond the legal and IT departments, is so important.
It’s not just about avoiding headlines. It’s also about protecting the signals your strategy depends on, especially as signal loss becomes the new norm.
Louder’s recommendations
Creating a “privacy culture” can feel like a vague goal. But it becomes practical when you build a playbook, a shared internal reference that codifies how your business approaches data collection, governance and risk.
This doesn’t need to be a 50-page document. Start with the essentials:
Key principles:
- Data minimisation: Only collect what you need. Default to no until there’s a reason to say yes.
- Data standardisation: Naming, understanding, common language.
- Consent-first design: Make opt-ins meaningful. Treat every data interaction as a moment to earn trust.
- Platform accountability: Know what each platform collects, where it sends data, and who can access it.
Not every team will need the same level of detail. But every team needs to know how to think about personal information, and what to do when something feels off.
These operational details aren’t just compliance hygiene; they influence trust at every level of the customer journey. If your teams don’t know what’s firing on your site, or why a script is there, it opens the door to accidental overcollection, data leakage, and audit failure.