On October 10, 2025, Qantas Airways Limited suffered a massive data breach linked to a **Salesforce vulnerability**, in which hackers from the group *Scattered Lapsus$ Hunters* leaked **153 GB of customer and internal business data** (5M+ records). The exposed dataset includes **highly sensitive PII**: full names, dates of birth, passport numbers, phone numbers, email addresses, mailing addresses, geolocation data, and **loyalty program details** (frequent flyer numbers, tier status, points balance, and internal CRM metadata like *OwnerId*, *RecordTypeId*, and *Sensitive_Contact* flags). Additionally, **internal business reports** (e.g., *QCC Frequent Flyer Report*, *QCC Lounges Report*) and **customer notes** (e.g., opt-out preferences, account activity timestamps) were compromised. The breach follows a **July 2025 incident** involving a third-party vendor, suggesting systemic vulnerabilities. The leak poses severe risks of **identity theft, financial fraud, and reputational harm**, as threat actors could exploit the data for targeted phishing, account takeovers, or blackmail. The inclusion of **internal Salesforce IDs and CRM fields** further exposes Qantas to operational disruptions and regulatory scrutiny under global data protection laws (e.g., GDPR, Australia’s *Privacy Act*). The hackers’ **ransomware-like ultimatum** (demanding negotiations by October 10) and subsequent public dump escalate the incident’s gravity, signaling potential **long-term trust erosion** among customers and partners.
Source: https://hackread.com/shinyhunters-leak-data-qantas-vietnam-airlines-others/
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan0192201101325",
"linkid": "qantas",
"type": "Cyber Attack",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 5000000,
'data_leaked': {'fields': ['Gender',
'Country',
'Full Name',
'Date of Birth',
'Points Balance',
'Currency (AUD)',
'Frequent Flyer Number',
'Tier/Status Credits',
'Phone Numbers (multiple)',
'Email Addresses (multiple)',
'Mailing Address (with '
'geolocation)',
'Internal Salesforce/Qantas '
'IDs',
'Profile Preferences',
'Membership/Loyalty Details',
'Internal CRM Fields '
'(OwnerId, RecordTypeId)',
'Links to Internal Reports',
'Customer Notes',
'Activity Metadata (last '
'modified, flags like '
'HasOptedOutOfEmail)'],
'format': 'JSON',
'size': '153 GB'},
'industry': 'Aviation/Transportation',
'location': 'Australia',
'name': 'Qantas Airways Limited',
'size': 'Large (10,000+ employees)',
'type': 'Airline'},
{'customers_affected': 23000000,
'data_leaked': {'fields': ['Age',
'Gender',
'Full Name',
'Phone Number',
'Email Address',
'Frequent Flyer Number',
'Date of Birth',
'Owner/System Metadata',
'Internal Account/Contact '
'IDs',
'Business/Cargo Fields',
'Corporate Role/Tax Info',
'Travel Tracking',
'Residential Address '
'(partial)'],
'format': 'JSON',
'size': '63.62 GB'},
'industry': 'Aviation/Transportation',
'location': 'Vietnam',
'name': 'Vietnam Airlines',
'size': 'Large (10,000+ employees)',
'type': 'Airline'},
{'customers_affected': 672000,
'data_leaked': {'fields': ['Unspecified (likely PII '
'and loyalty data)'],
'format': 'JSON',
'size': '2 GB'},
'industry': 'Grocery/Retail',
'location': 'USA',
'name': 'Albertsons Companies, Inc.',
'size': 'Large (250,000+ employees)',
'type': 'Retailer'},
{'customers_affected': 224000,
'data_leaked': {'fields': ['Unspecified (likely PII '
'and purchase history)'],
'format': 'JSON',
'size': '1 GB'},
'industry': 'Fashion/Retail',
'location': 'USA',
'name': 'GAP, INC.',
'size': 'Large (100,000+ employees)',
'type': 'Retailer'},
{'customers_affected': 224000,
'data_leaked': {'fields': ['Unspecified (likely '
'corporate and customer '
'data)'],
'format': 'CSV',
'size': '155 MB'},
'industry': 'Technology/Imaging',
'location': 'Japan',
'name': 'Fujifilm',
'size': 'Large (80,000+ employees)',
'type': 'Manufacturer'},
{'customers_affected': 537000,
'data_leaked': {'fields': ['Unspecified (likely '
'corporate and customer '
'data)'],
'format': 'JSON',
'size': '3 GB'},
'industry': 'Utilities/Energy',
'location': 'USA/France',
'name': 'Engie Resources',
'size': 'Large (100,000+ employees)',
'type': 'Energy Provider'},
{'industry': 'Technology/CRM',
'location': 'USA',
'name': 'Salesforce',
'role': 'Third-party platform with exploited '
'vulnerability',
'size': 'Large (70,000+ employees)',
'type': 'Cloud Provider'},
{'data_leaked': {'size': '1.3 GB'},
'industry': 'Food/Beverage',
'location': 'Global',
'name': 'KFC',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '9 GB'},
'industry': 'Sportswear',
'location': 'Japan',
'name': 'ASICS',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '91.34 GB'},
'industry': 'Transportation',
'location': 'USA',
'name': 'UPS',
'size': 'Large',
'type': 'Logistics'},
{'data_leaked': {'size': '13 GB'},
'industry': 'Furniture',
'location': 'Sweden',
'name': 'IKEA',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '9.9 GB'},
'industry': 'Pet Supplies',
'location': 'USA',
'name': 'Petco',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '5.6 GB'},
'industry': 'Networking',
'location': 'USA',
'name': 'Cisco',
'size': 'Large',
'type': 'Technology'},
{'data_leaked': {'size': '28 GB'},
'industry': 'Food/Beverage',
'location': 'USA',
'name': 'McDonald’s',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '1.4 GB'},
'industry': 'Luxury Goods',
'location': 'France',
'name': 'Cartier',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '37 GB'},
'industry': 'Sportswear',
'location': 'Germany',
'name': 'Adidas',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '32 GB'},
'industry': 'E-Commerce',
'location': 'USA',
'name': 'Instacart',
'size': 'Large',
'type': 'Technology'},
{'data_leaked': {'size': '7 GB'},
'industry': 'Hotels',
'location': 'USA',
'name': 'Marriott',
'size': 'Large',
'type': 'Hospitality'},
{'data_leaked': {'size': '11 GB'},
'industry': 'Pharmacy',
'location': 'USA',
'name': 'Walgreens',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '8.3 GB'},
'industry': 'Jewelry',
'location': 'Denmark',
'name': 'Pandora',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '2 GB'},
'industry': 'Luxury Goods',
'location': 'France',
'name': 'Chanel',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '1.7 GB'},
'industry': 'Automotive',
'location': 'USA',
'name': 'CarMax',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '36 GB'},
'industry': 'Media',
'location': 'USA',
'name': 'Disney/Hulu',
'size': 'Large',
'type': 'Entertainment'},
{'data_leaked': {'size': '22 GB'},
'industry': 'Credit Reporting',
'location': 'USA',
'name': 'TransUnion',
'size': 'Large',
'type': 'Financial Services'},
{'data_leaked': {'size': '172.95 GB'},
'industry': 'Aviation',
'location': 'Mexico',
'name': 'Aeroméxico',
'size': 'Large',
'type': 'Airline'},
{'data_leaked': {'size': '64 GB'},
'industry': 'Automotive',
'location': 'Japan',
'name': 'Toyota Motor Corporation',
'size': 'Large',
'type': 'Manufacturer'},
{'data_leaked': {'size': '59 GB'},
'industry': 'Automotive',
'location': 'Netherlands',
'name': 'Stellantis',
'size': 'Large',
'type': 'Manufacturer'},
{'data_leaked': {'size': '42 GB'},
'industry': 'Utilities',
'location': 'USA',
'name': 'Republic Services',
'size': 'Large',
'type': 'Waste Management'},
{'data_leaked': {'size': '23 GB'},
'industry': 'Automotive Services',
'location': 'USA',
'name': 'TripleA (AAA)',
'size': 'Large',
'type': 'Insurance'},
{'data_leaked': {'size': '1.1 GB'},
'industry': 'Luxury Goods',
'location': 'USA',
'name': 'Saks Fifth Avenue',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '18 GB'},
'industry': 'Accounting',
'location': 'USA',
'name': '1-800Accountant',
'size': 'Medium',
'type': 'Financial Services'},
{'data_leaked': {'size': '88 GB'},
'industry': 'Publishing',
'location': 'USA',
'name': 'Houghton Mifflin Harcourt (HMH)',
'size': 'Large',
'type': 'Education'},
{'data_leaked': {'size': '35 GB'},
'industry': 'EdTech',
'location': 'USA',
'name': 'Instructure (Canvas)',
'size': 'Medium',
'type': 'Technology'},
{'data_leaked': {'size': '19 GB'},
'industry': 'Advertising',
'location': 'USA',
'name': 'Google AdSense',
'size': 'Large',
'type': 'Technology'},
{'data_leaked': {'size': '3.2 GB'},
'industry': 'Media',
'location': 'USA',
'name': 'HBO Max',
'size': 'Large',
'type': 'Entertainment'},
{'data_leaked': {'size': '1.1 TB'},
'industry': 'Transportation',
'location': 'USA',
'name': 'FedEx',
'size': 'Large',
'type': 'Logistics'},
{'data_leaked': {'size': '51 GB'},
'industry': 'Aviation',
'location': 'France/Netherlands',
'name': 'Air France & KLM',
'size': 'Large',
'type': 'Airline'},
{'data_leaked': {'size': '19.43 GB'},
'industry': 'Home Improvement',
'location': 'USA',
'name': 'Home Depot',
'size': 'Large',
'type': 'Retailer'},
{'data_leaked': {'size': '10 GB'},
'industry': 'Luxury Goods',
'location': 'France',
'name': 'Kering (Gucci, Balenciaga, etc.)',
'size': 'Large',
'type': 'Retailer'}],
'attack_vector': ['Exploitation of Salesforce Vulnerability',
'Unauthorized Data Exfiltration'],
'customer_advisories': ['Qantas: Previous advisory in July 2025 about a '
'third-party breach (likely linked).',
'Other Companies: Most have not issued public '
'statements as of October 10, 2025.'],
'data_breach': {'data_encryption': ['Unencrypted (data was in plaintext '
'JSON/CSV formats)'],
'data_exfiltration': {'method': 'Likely via exploited '
'Salesforce API or '
'authentication flaw',
'storage': 'JSON/CSV files hosted on '
'hacker-controlled leak '
'portal',
'timeline': 'Prior to October 3, 2025 '
'(discovery date)'},
'file_types_exposed': ['JSON (primary)', 'CSV (Fujifilm)'],
'number_of_records_exposed': {'leaked_so_far': 29733000,
'total_claimed': 989000000,
'unreleased': 959267000},
'personally_identifiable_information': ['Full Names',
'Dates of Birth',
'Passport Numbers',
'Phone Numbers',
'Email Addresses',
'Mailing Addresses '
'(with geolocation)',
'Frequent Flyer '
'Numbers',
'Internal Account IDs',
'Gender',
'Age',
'Corporate Roles',
'Tax Information '
'(partial)'],
'sensitivity_of_data': ['High (PII, passport numbers, '
'internal CRM fields)'],
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Loyalty Program Data',
'Customer Relationship '
'Management (CRM) Metadata',
'Internal Business Records',
'Geolocation Data',
'Corporate Contact Information',
'Travel History',
'Financial Metadata (e.g., '
'currency used, points '
'balance)']},
'date_detected': '2025-10-03',
'date_publicly_disclosed': '2025-10-03',
'description': 'On October 3, 2025, hackers under the collective name '
"'Scattered Lapsus$ Hunters' (a fusion of Scattered Spider, "
'Lapsus$, and ShinyHunters) claimed to have stolen 989 million '
'records from 39 major global companies by exploiting a '
'Salesforce vulnerability. The group demanded negotiations '
'with Salesforce and the affected firms by October 10, 2025, '
'threatening to release the entire dataset if ignored. On '
'October 10, 2025, they publicly leaked data from 6 of the 39 '
'companies: Qantas Airways, Vietnam Airlines, Albertsons, GAP, '
'Fujifilm, and Engie Resources. The leaked data includes PII, '
'loyalty program details, CRM metadata, and internal business '
'records, posing severe risks of identity theft, fraud, and '
'reputational damage.',
'impact': {'brand_reputation_impact': ['Severe damage to trust in affected '
'companies and Salesforce',
'Potential customer churn',
'Negative media coverage'],
'customer_complaints': ['Expected surge due to PII exposure and '
'identity theft risks'],
'data_compromised': {'data_types': ['Personally Identifiable '
'Information (PII)',
'Loyalty Program Data',
'Internal CRM Metadata',
'Business Contact Details',
'Geolocation Data',
'Financial Transaction Records',
'Corporate Tax Information',
'Travel History',
'Customer Preferences',
'Internal Reports/Links'],
'leaked_records': {'Albertsons': 672000,
'Engie Resources': 537000,
'Fujifilm': 224000,
'GAP, INC.': 224000,
'Qantas Airways': 5000000,
'Vietnam Airlines': 23000000,
'total_leaked': 29733000},
'total_records': 989000000},
'identity_theft_risk': ['High (due to exposed PII: passports, '
'addresses, DOB, etc.)'],
'legal_liabilities': ['GDPR violations (for EU customer data)',
'Class-action lawsuits',
'Regulatory fines (e.g., CCPA, APPI, etc.)'],
'operational_impact': ['Potential disruption to customer service '
'operations (e.g., loyalty programs, CRM)',
'Increased fraud monitoring costs',
'Regulatory scrutiny and compliance '
'burdens'],
'payment_information_risk': ['Moderate (some datasets include '
'financial metadata but not full '
'payment details)'],
'systems_affected': ['Salesforce CRM Platform',
"Third-Party Vendor Systems (e.g., Qantas' "
'July 2025 breach)']},
'initial_access_broker': {'backdoors_established': ['Possible (to maintain '
'persistence for data '
'exfiltration)'],
'data_sold_on_dark_web': ['Threatened but not '
'confirmed; initial leaks '
"were free to 'prove' "
'authenticity'],
'entry_point': ['Exploited Salesforce vulnerability '
'(likely API or authentication '
'flaw)'],
'high_value_targets': ['Airlines (Qantas, Vietnam '
'Airlines, Air France/KLM) '
'for PII and loyalty data',
'Retailers (GAP, Albertsons) '
'for customer purchase '
'histories',
'Luxury Brands (Cartier, '
'Chanel) for high-net-worth '
'individual data'],
'reconnaissance_period': ['Unknown (likely '
'weeks/months prior to '
'October 3 disclosure)']},
'investigation_status': 'Ongoing (as of October 2025)',
'lessons_learned': ['Third-party vendor risks remain a critical attack '
'vector, especially for cloud-based CRM platforms like '
'Salesforce.',
'Multi-factor authentication (MFA) and API security '
'controls are essential for protecting customer data at '
'scale.',
'Proactive threat intelligence monitoring can help detect '
'reconnaissance by groups like Scattered Lapsus$ Hunters.',
'Transparency in breach disclosures (e.g., naming '
'third-party vendors) can help customers assess their '
'risk.',
'Legacy data retention policies may exacerbate breaches '
'(e.g., storing passport numbers or decades-old loyalty '
'data).'],
'motivation': ['Financial Extortion',
'Reputation Damage',
'Data Theft for Dark Web Sales'],
'post_incident_analysis': {'corrective_actions': ['Salesforce: Emergency '
'patches, enhanced logging, '
'and customer '
'notifications.',
'Affected Companies: Data '
'minimization efforts, CRM '
'access reviews, and '
'incident response drills.',
'Industry: Push for '
'stricter third-party risk '
'management standards in '
'cloud services.'],
'root_causes': ['Inadequate security controls in '
'Salesforce’s API/authentication '
'systems.',
'Over-reliance on third-party '
'vendors without robust oversight '
'(e.g., Qantas’ July 2025 breach).',
'Excessive data '
'collection/retention (e.g., '
'storing passport numbers in CRM '
'systems).',
'Delayed patching or lack of '
'detection for the exploited '
'vulnerability.']},
'ransomware': {'data_encryption': ['No (data was exfiltrated, not encrypted)'],
'data_exfiltration': ['Yes (989M records claimed, 29.7M '
'leaked)'],
'ransom_demanded': ['Negotiation demanded (no specific amount '
'disclosed)'],
'ransom_paid': ['Unknown (no reports of payments)']},
'recommendations': [{'for_salesforce': ['Conduct a full security audit of API '
'endpoints and authentication '
'mechanisms.',
'Implement behavioral analytics to '
'detect anomalous data access '
'patterns.',
'Enhance customer guidance on '
'securing CRM integrations.']},
{'for_affected_companies': ['Offer comprehensive identity '
'theft protection to affected '
'customers (e.g., credit '
'monitoring, fraud alerts).',
'Review and minimize PII '
'storage in CRM systems '
'(e.g., avoid storing '
'passport numbers unless '
'absolutely necessary).',
'Conduct tabletop exercises '
'for third-party breach '
'response.',
'Engage legal counsel to '
'prepare for regulatory '
'inquiries and class-action '
'risks.']},
{'for_customers': ['Monitor financial accounts and credit '
'reports for suspicious activity.',
'Enable MFA on all accounts, '
'especially those linked to leaked '
'emails/phone numbers.',
'Be cautious of phishing attempts '
'referencing the breach (e.g., fake '
"'compensation' offers)."]},
{'for_industry': ['Advocate for standardized third-party '
'risk management frameworks.',
'Push for stronger enforcement of data '
'minimization principles in cloud '
'services.',
'Invest in dark web monitoring to '
'detect leaked credentials early.']}],
'references': [{'date_accessed': '2025-10-10',
'source': 'Hackread.com',
'url': 'https://www.hackread.com/salesforce-data-breach-scattered-lapsus-hunters/'},
{'date_accessed': '2025-10-10',
'source': 'Telegram (Threat Actor Communication)'},
{'date_accessed': '2025-07-01',
'source': 'Qantas Airways (July 2025 Breach Acknowledgment)'}],
'regulatory_compliance': {'legal_actions': ['Potential class-action lawsuits',
'Regulatory investigations (e.g., '
'by ICO, FTC)'],
'regulations_violated': ['GDPR (for EU customer '
'data)',
'CCPA (California Consumer '
'Privacy Act)',
'APPI (Japan’s Act on the '
'Protection of Personal '
'Information)',
'Australia’s Privacy Act '
'1988',
'Other regional data '
'protection laws'],
'regulatory_notifications': ['Likely required for '
'GDPR (within 72 hours '
'of discovery)',
'State-level '
'notifications in the '
'U.S. (e.g., '
'California Attorney '
'General)']},
'response': {'communication_strategy': ['Limited public statements (e.g., '
'Qantas acknowledged July 2025 '
'third-party breach but did not name '
'vendor)',
'Telegram/Dark Web monitoring for '
'further leaks'],
'containment_measures': ['Salesforce likely patched the '
'exploited vulnerability',
'Affected companies may have isolated '
'CRM systems',
'Password resets for exposed accounts'],
'enhanced_monitoring': ['Expected for Salesforce and affected '
'companies'],
'incident_response_plan_activated': ['Likely (given scale, but '
'not publicly confirmed)'],
'law_enforcement_notified': ['Probable (FBI, Interpol, or '
'national cybercrime units)'],
'network_segmentation': ['Likely implemented post-breach'],
'remediation_measures': ['Forensic analysis of breached systems',
'Customer notifications (where legally '
'required)',
'Credit monitoring services for '
'affected individuals'],
'third_party_assistance': ['Cybersecurity firms (e.g., Mandiant, '
'CrowdStrike) likely engaged',
'Salesforce’s internal security '
'team']},
'stakeholder_advisories': ['Salesforce: Likely issued private advisories to '
'customers about the vulnerability and patching.',
'Affected Companies: Internal communications to '
'employees and possibly regulators.',
'Cybersecurity Agencies: Alerts about the threat '
'actor group’s tactics (e.g., CISA, NCSC, ACSC).'],
'threat_actor': {'affiliations': ['Scattered Spider',
'Lapsus$',
'ShinyHunters'],
'name': 'Scattered Lapsus$ Hunters',
'type': 'Hacktivist/Cybercriminal Collective'},
'title': 'Massive Data Breach via Salesforce Vulnerability by Scattered '
'Lapsus$ Hunters (2025)',
'type': ['Data Breach', 'Third-Party Vulnerability Exploitation', 'Extortion'],
'vulnerability_exploited': 'Unspecified Salesforce vulnerability (likely API '
'or authentication flaw)'}