Qantas Airways, Australia’s national carrier, suffered a major cyberattack in early July 2024, in which hackers breached a third-party platform (Salesforce) used by its customer contact center. The attackers stole sensitive customer data, including **names, email addresses, phone numbers, birthdays, home/business addresses, gender, and meal preferences**, affecting **5.7 million customers**. While no financial data (credit cards, passports) was compromised, the leaked information was later **shared online and held for ransom** by cybercriminals linked to the **Scattered Lapsus$ Hunters** group. The breach occurred via **social engineering**, with hackers impersonating IT staff to trick employees into granting access. Qantas obtained a legal injunction to block further data dissemination, though experts dismissed its effectiveness. The incident is part of a broader attack targeting multiple global firms (Disney, Google, Toyota, etc.) via Salesforce, with hackers demanding ransom by an **October 10 deadline**. This follows prior Qantas cybersecurity failures, including a 2023 app glitch exposing passenger details and a 2022 ransomware attack on Australian ports operator DP World.
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan2402124101325",
"linkid": "qantas",
"type": "Breach",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customer data leaks"
{'affected_entities': [{'customers_affected': '5.7 million',
'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas Airways',
'size': 'Large (national carrier)',
'type': 'Airline'},
{'industry': 'Technology (CRM)',
'location': 'Global (HQ: USA)',
'name': 'Salesforce',
'size': 'Large',
'type': 'Software Provider'},
{'industry': 'Media/Entertainment',
'location': 'Global (HQ: USA)',
'name': 'Disney',
'size': 'Large',
'type': 'Entertainment Conglomerate'},
{'industry': 'Tech/Cloud Services',
'location': 'Global (HQ: USA)',
'name': 'Google',
'size': 'Large',
'type': 'Technology Company'},
{'industry': 'Furniture/Retail',
'location': 'Global (HQ: Netherlands)',
'name': 'IKEA',
'size': 'Large',
'type': 'Retailer'},
{'industry': 'Automotive',
'location': 'Global (HQ: Japan)',
'name': 'Toyota',
'size': 'Large',
'type': 'Automaker'},
{'industry': 'Food Service',
'location': 'Global (HQ: USA)',
'name': "McDonald's",
'size': 'Large',
'type': 'Fast Food Chain'},
{'industry': 'Aviation',
'location': 'France',
'name': 'Air France',
'size': 'Large',
'type': 'Airline'},
{'industry': 'Aviation',
'location': 'Netherlands',
'name': 'KLM',
'size': 'Large',
'type': 'Airline'}],
'attack_vector': ['Social Engineering',
'Phishing (IT Impersonation)',
'Third-Party Exploitation (Salesforce)'],
'customer_advisories': ['Email notifications to affected customers (Qantas, '
'Google)'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '5.7 million (Qantas); '
'unspecified for other firms',
'personally_identifiable_information': ['Names',
'Email addresses',
'Phone numbers',
'Home/business '
'addresses',
'Dates of birth',
'Gender',
'Meal preferences',
'Frequent flyer '
'details'],
'sensitivity_of_data': 'Moderate (no financial/passport data; '
'includes addresses, birthdays, meal '
'preferences)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Customer Records']},
'date_detected': '2023-07-XX',
'date_publicly_disclosed': '2023-07-XX (Qantas); 2023-08-XX (Google); '
'2023-10-XX (public leak)',
'description': 'Australian national carrier Qantas Airways confirmed that '
'data from ~5.7 million customers stolen in a cyberattack was '
'shared online, part of a broader leak affecting dozens of '
"firms (including Disney, Google, IKEA, Toyota, McDonald's, "
'Air France, and KLM). The attack targeted Salesforce, with '
'hackers using social engineering to breach a third-party '
'customer contact center system. Sensitive customer data '
'(names, emails, addresses, birthdays, etc.) was exfiltrated '
'and held for ransom by the Scattered Lapsus$ Hunters group. '
'No financial or passport data was compromised. Qantas '
'obtained a legal injunction to block data dissemination, '
'though experts doubt its effectiveness.',
'impact': {'brand_reputation_impact': 'High (publicized breach of 5.7M '
'records; part of multi-company attack)',
'data_compromised': True,
'identity_theft_risk': 'Moderate (PII exposed: names, emails, '
'addresses, birthdays)',
'legal_liabilities': 'Legal injunction obtained (Supreme Court of '
'New South Wales)',
'operational_impact': 'Legal injunction filed; customer '
'notifications; reputational damage',
'payment_information_risk': 'None (no credit card or financial '
'data compromised)',
'systems_affected': ['Salesforce corporate servers',
'Qantas customer contact center system']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'Customer support employees (tricked '
'via IT impersonation)',
'high_value_targets': ['Salesforce corporate '
'servers',
'Customer contact center '
'systems']},
'investigation_status': 'Ongoing (cooperation with Australian security '
'services)',
'lessons_learned': ['Social engineering remains a highly effective attack '
'vector, exploiting human trust rather than technical '
'vulnerabilities.',
'Third-party vendor risks (e.g., Salesforce) can amplify '
'breach impact across multiple organizations.',
'Legal injunctions have limited efficacy in preventing '
'dark web data dissemination.'],
'motivation': ['Financial Gain (Ransom)', 'Data Theft for Dark Web Sale'],
'post_incident_analysis': {'root_causes': ['Successful social engineering (IT '
'impersonation) targeting customer '
'support staff.',
'Inadequate access controls for '
'third-party platforms '
'(Salesforce).',
'Lack of MFA or behavioral '
'authentication for high-risk '
'systems.']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': ['Enhance employee training on social engineering and '
'phishing (especially for customer support teams).',
'Implement multi-factor authentication (MFA) for '
'third-party platform access.',
'Conduct regular third-party risk assessments for vendors '
'handling sensitive data.',
'Develop cross-organizational incident response protocols '
'for supply chain attacks.'],
'references': [{'source': 'Agence France-Presse (AFP)'},
{'source': 'Qantas Airways Statement (2023-07)'},
{'source': 'Google Cloud Security Communications (2023-08)'},
{'source': 'Unit 42 Research Note (Scattered Lapsus$ Hunters)'},
{'source': 'FBI Warning on Salesforce Attacks'}],
'regulatory_compliance': {'legal_actions': ['Legal injunction (Qantas vs. '
'data dissemination)']},
'response': {'communication_strategy': ['Public statements (Qantas, Google)',
'Media engagement'],
'containment_measures': ['Legal injunction to block data '
'dissemination',
'Access revocation for compromised '
'systems'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['Customer notifications (email)',
'Impact analysis (Google)'],
'third_party_assistance': ['Australian security services',
'Legal counsel (for injunction)']},
'stakeholder_advisories': ['Public statements by Qantas, Google; media '
'briefings'],
'threat_actor': 'Scattered Lapsus$ Hunters (cybercriminal alliance)',
'title': 'Qantas Airways and Multiple Global Firms Data Breach via Salesforce '
'Cyberattack',
'type': ['Data Breach',
'Ransomware Extortion',
'Third-Party Vendor Compromise'],
'vulnerability_exploited': 'Human error (tricked customer support employees '
'into granting access)'}