Hackers linked to the group *Scattered Lapsus$ Hunters* gained access in mid-2025 to a **third-party Salesforce environment** used by a Qantas contact centre, exfiltrated **personal data of roughly 5–5.7 million customers** (which the group claimed was part of a broader haul of about 1 billion records taken from Salesforce customers), and published it on the dark web in October 2025 after a ransom deadline expired. The exposed data included **names, email addresses, phone numbers, dates of birth, and frequent-flyer numbers**; **payment and passport details were not accessed**. The intrusion relied on **social engineering and abuse of legitimate credentials and integrated third-party connections** to the tenant; no vulnerability in the Salesforce platform itself was exploited.

Qantas obtained an injunction to limit dissemination of the data and enhanced its monitoring, but the combination of contact details, dates of birth and frequent-flyer numbers is exactly what phishing and loyalty-account takeover attempts need, so the risks of **targeted phishing, account takeovers, and reputational damage** remain, and regulators are scrutinising vendor controls under Australia's stricter post-Optus data protection regime. The airline faces **increased customer-service costs, identity-protection expenses, and potential penalties**, alongside eroded passenger trust and commercial effects such as reduced frequent-flyer engagement. Its response has included **credential resets, scam-awareness campaigns, and tighter supplier access controls**, though long-term reputational recovery remains uncertain.
Source: https://simpleflying.com/hackers-customer-data-qantas-ransomware/
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan0302203101325",
"linkid": "qantas",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5-5.7 million',
'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas',
'size': 'Large (millions of customers)',
'type': 'Airline'}],
'attack_vector': ['Social Engineering',
'Credential Abuse',
'Third-Party Vulnerability (Salesforce)'],
'customer_advisories': ['Guidance on spotting phishing attempts',
'Identity protection resources'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '5-5.7 million',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (sufficient for phishing/account '
'takeover)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Frequent-Flyer Data']},
'description': "Hackers tied to the group 'Scattered Lapsus$ Hunters' "
'published Qantas customer data on the dark web after a ransom '
'deadline expired. The breach, linked to a compromised '
'third-party Salesforce environment in mid-2025, exposed '
'personal details of 5-5.7 million customers, including names, '
'email addresses, phone numbers, dates of birth, and '
'frequent-flyer numbers. No payment data or passport records '
'were accessed. Qantas obtained an injunction to deter '
'dissemination and has strengthened monitoring capabilities '
'while supporting impacted customers.',
'impact': {'brand_reputation_impact': 'Severe; undermined passenger trust, '
'regulatory scrutiny',
'conversion_rate_impact': 'Potential decline in frequent-flyer '
'engagement and bookings',
'customer_complaints': 'Expected increase due to phishing risks '
'and trust erosion',
'data_compromised': ['Names',
'Email Addresses',
'Phone Numbers',
'Dates of Birth',
'Frequent-Flyer Numbers'],
'identity_theft_risk': 'High (phishing, account takeover attempts)',
'legal_liabilities': ["Potential fines under Australia's "
'post-Optus regime',
'Enforceable undertakings'],
'operational_impact': ['Increased Customer Service Loads',
'Identity Protection Costs',
'Reputational Damage'],
'payment_information_risk': 'None (no payment data exposed)',
'systems_affected': ['Salesforce Tenant (Third-Party)']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Compromised Salesforce tenant '
'(third-party)',
'high_value_targets': ['Customer PII',
'Frequent-Flyer Data']},
'investigation_status': 'Ongoing (authorities investigating)',
'lessons_learned': ['Third-party vendor risks require stricter access '
'controls and monitoring.',
'Data minimization practices must be enforced to limit '
'exposure.',
'Proactive customer communication is critical to mitigate '
'reputational harm.',
'Incident response coordination with third parties (e.g., '
'Salesforce) is essential.'],
'motivation': ['Financial Gain (Extortion)', 'Data Theft for Dark Web Sale'],
'post_incident_analysis': {'corrective_actions': ['Strengthened monitoring '
'and credential reset '
'policies.',
'Tighter supplier access '
'controls.',
'Enhanced incident response '
'coordination with vendors.',
'Customer-facing scam '
'prevention campaigns.'],
'root_causes': ['Inadequate third-party access '
'controls on the Salesforce '
'tenant.',
'Susceptibility to social '
'engineering and credential '
'abuse.',
'Lack of data minimization in '
'third-party integrations.']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': ['Implement stricter supplier access controls and audit '
'trails.',
'Enhance data minimization strategies to reduce exposure '
'in third-party systems.',
'Invest in advanced threat detection for credential abuse '
'and social engineering.',
'Develop a robust customer support framework for '
'post-breach identity protection.',
'Conduct regular third-party security assessments and '
'penetration testing.'],
'references': [{'source': 'The Guardian'}],
'regulatory_compliance': {'legal_actions': ['Regulatory Scrutiny',
'Potential Enforceable '
'Undertakings'],
'regulations_violated': ["Australia's Privacy Act "
'(post-Optus regime)'],
'regulatory_notifications': True},
'response': {'communication_strategy': ['Public Statements',
'Customer Advisories on Scam '
'Prevention'],
'containment_measures': ['Credential Resets',
'Increased Monitoring for Unusual '
'Activity',
'Injunction to Deter Data '
'Dissemination'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'recovery_measures': ['Customer Communications (Scam Awareness)',
'Identity Protection Support'],
'remediation_measures': ['Strengthened Monitoring Capabilities',
'Supplier Access Tightening'],
'third_party_assistance': ['Salesforce', 'Law Enforcement']},
'stakeholder_advisories': ['Customer communications on scam awareness',
'Regulatory updates'],
'threat_actor': 'Scattered Lapsus$ Hunters',
'title': 'Qantas Customer Data Breach by Scattered Lapsus$ Hunters',
'type': ['Data Breach', 'Extortion', 'Third-Party Compromise'],
'vulnerability_exploited': 'Abuse of legitimate third-party '
'access to the Salesforce tenant via '
'social engineering and credential '
'abuse; no Salesforce platform '
'vulnerability was exploited'}