Qantas

Qantas suffered a significant cyber incident where **5.7 million customers' personal data**—including names, addresses, and potentially other personally identifiable information (PII)—was **stolen and leaked on the dark web** by the cybercrime group *Scattered Lapsus$ Hunters* after the airline refused to pay a ransom. The breach originated from a **phishing attack targeting a Qantas call center worker in the Philippines**, who was tricked into granting access to a third-party platform (Salesforce) containing customer records. The exposed data, which cannot be easily changed (e.g., names, dates of birth), heightens risks of **follow-on scams**, such as fraudsters impersonating Qantas to extract banking details under the guise of compensation. Customers reported **poor communication from Qantas**, with many learning of developments via media rather than direct notifications. The breach may result in **hefty financial penalties** under Australia’s Privacy Act, with experts arguing fines must be substantial to deter corporate negligence. The federal government reiterated its stance against negotiating with hackers, while Qantas offered limited support via IDCARE on a case-by-case basis. The incident underscores systemic vulnerabilities in third-party vendor security and corporate accountability.

Source: https://www.abc.net.au/news/2025-10-13/frustration-mounts-among-qantas-customers-over-data-breach/105885312

TPRM report: https://www.rankiteo.com/company/qantas

"id": "qan2502025101425",
"linkid": "qantas",
"type": "Ransomware",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5.7 million',
                        'industry': 'Aviation',
                        'location': 'Australia',
                        'name': 'Qantas',
                        'size': 'Large (5.7 million customers affected)',
                        'type': 'Airline'}],
 'attack_vector': ['Social Engineering',
                   'Third-Party Compromise (Salesforce)',
                   'Insider Manipulation (Call Center Worker)'],
 'customer_advisories': ['IDCARE Support Offered on Case-by-Case Basis'],
 'data_breach': {'data_exfiltration': 'Yes (Released on Dark Web)',
                 'number_of_records_exposed': '5.7 million',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Potentially Dates of '
                                                         'Birth'],
                 'sensitivity_of_data': 'High (PII cannot be changed, e.g., '
                                        'date of birth)',
                 'type_of_data_compromised': ['Names',
                                              'Addresses',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2023-07-00',
 'description': 'Frustration is mounting among Qantas customers after their '
                'names and addresses were released on the dark web by the '
                'cybercrime collective Scattered Lapsus$ Hunters. The stolen '
                'data of 5.7 million customers was exposed after Qantas failed '
                'to pay the demanded ransom. The breach occurred in July when '
                'cybercriminals tricked a Qantas call center worker in the '
                'Philippines into handing over access to customer information '
                'stored on the third-party platform Salesforce. Affected '
                'customers have criticized Qantas for poor communication and '
                'lack of support, while experts warn of potential scams and '
                'regulatory fines under the Australian Privacy Act.',
 'impact': {'brand_reputation_impact': ['Severe Damage Due to Poor Handling',
                                        'Public Criticism',
                                        'Media Scrutiny'],
            'customer_complaints': ['Poor Communication',
                                    'Lack of Direct Notifications',
                                    'Anxiety Over Identity Theft Risks'],
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Personally Identifiable Information (PII)'],
            'identity_theft_risk': ['High (Due to PII Exposure)'],
            'legal_liabilities': ['Potential Fines Under Australian Privacy '
                                  'Act',
                                  'Regulatory Investigations'],
            'operational_impact': ['Customer Trust Erosion',
                                   'Reputational Damage',
                                   'Potential Regulatory Fines'],
            'systems_affected': ['Salesforce (Third-Party Platform)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (By Scattered Lapsus$ '
                                                    'Hunters)',
                           'entry_point': 'Qantas Call Center Worker in the '
                                          'Philippines (Tricked via Social '
                                          'Engineering)',
                           'high_value_targets': ['Customer PII Data on '
                                                  'Salesforce']},
 'investigation_status': 'Ongoing (Regulatory and Internal)',
 'lessons_learned': ['Prioritize security over profit maximization for '
                     'shareholders.',
                     'Ensure timely and transparent communication with '
                     'affected customers.',
                     'Third-party platform security must be rigorously vetted '
                     'and monitored.',
                     'Proactive measures are needed to prevent social '
                     'engineering attacks.'],
 'motivation': ['Financial Gain (Ransom Demand)',
                'Data Theft for Dark Web Sale'],
 'post_incident_analysis': {'root_causes': ['Social Engineering Attack on Call '
                                            'Center Worker',
                                            'Inadequate Third-Party Security '
                                            '(Salesforce Access Controls)',
                                            'Poor Incident Communication and '
                                            'Customer Support']},
 'ransomware': {'data_exfiltration': 'Yes (Released on Dark Web)',
                'ransom_demanded': 'Yes (Unspecified Amount)',
                'ransom_paid': 'No'},
 'recommendations': ['Implement stricter access controls and multi-factor '
                     'authentication for third-party platforms.',
                     'Provide free identity monitoring services to affected '
                     'customers.',
                     'Enhance employee training to prevent social engineering '
                     'attacks.',
                     'Establish a clear, proactive communication plan for data '
                     'breaches.',
                     'Conduct regular security audits of third-party vendors.'],
 'references': [{'source': 'ABC News', 'url': 'https://www.abc.net.au/news'},
                {'source': 'AAP (Bianca De Marchi)'},
                {'source': 'Reuters (Hollie Adams)'}],
 'regulatory_compliance': {'fines_imposed': ['Speculated to be in Billions '
                                             '(Under Investigation)'],
                           'legal_actions': ['Regulatory Investigation by '
                                             'Office of the Australian '
                                             'Information Commissioner'],
                           'regulations_violated': ['Potential Violation of '
                                                    'Australian Privacy Act '
                                                    '(Australian Privacy '
                                                    'Principles)']},
 'response': {'communication_strategy': ['Statement on Qantas Website',
                                         'No Direct Customer Notifications '
                                         '(Criticized)'],
              'recovery_measures': ['Case-by-Case Support via IDCARE'],
              'third_party_assistance': ['IDCARE (Identity Support for '
                                         'Affected Customers)']},
 'stakeholder_advisories': ['Statement on Qantas Website'],
 'threat_actor': 'Scattered Lapsus$ Hunters',
 'title': 'Qantas Customer Data Leak on the Dark Web',
 'type': ['Data Breach', 'Dark Web Leak', 'Social Engineering Attack'],
 'vulnerability_exploited': ['Human Error (Tricked Call Center Worker)',
                             'Third-Party Platform Security (Salesforce)']}