Hackers from the **Scattered Lapsus$ Hunters** group leaked the personal records of **5 million Qantas customers** on the dark web after the company failed to meet a ransom demand. The breach, originating from a **Salesforce database cyber-attack in June**, exposed sensitive customer data, including **email addresses, phone numbers, birth dates, and frequent flyer numbers**—though no financial or passport details were compromised. The leaked data was part of a larger global hack affecting **over 40 companies**, with up to **1 billion customer records** stolen between **April 2024 and September 2025**. While Qantas secured a **NSW Supreme Court injunction** to restrict further dissemination, experts warn the exposed information could enable **personalized phishing scams and identity fraud**. The hackers publicly taunted Qantas with the message: *“Don’t be the next headline, should have paid the ransom.”* Salesforce denied platform compromise but acknowledged extortion attempts linked to past incidents. Qantas continues to offer **24/7 support and identity protection advice** to affected customers.
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan2562025101125",
"linkid": "qantas",
"type": "Ransomware",
"date": "4/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"
{'affected_entities': [{'customers_affected': '5,000,000',
'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas',
'size': 'Large (5 million customers affected)',
'type': 'Airline'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Salesforce',
'size': 'Large',
'type': 'Cloud Services Provider'},
{'industry': 'Fashion',
'location': 'Global',
'name': 'Gap',
'type': 'Retailer'},
{'industry': 'Aviation',
'location': 'Vietnam',
'name': 'Vietnam Airlines',
'type': 'Airline'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Toyota',
'type': 'Automotive Manufacturer'},
{'industry': 'Media',
'location': 'Global',
'name': 'Disney',
'type': 'Entertainment'},
{'industry': 'Hospitality',
'location': 'Global',
'name': 'McDonald’s',
'type': 'Fast Food'},
{'industry': 'Furniture',
'location': 'Global',
'name': 'Ikea',
'type': 'Retailer'},
{'industry': 'Sportswear',
'location': 'Global',
'name': 'Adidas',
'type': 'Retailer'}],
'attack_vector': ['Third-Party (Salesforce Database)', 'Data Exfiltration'],
'customer_advisories': ['Monitor accounts for suspicious activity',
'Beware of personalized phishing emails',
'Contact Qantas support for identity protection '
'advice'],
'data_breach': {'data_exfiltration': 'Yes (leaked on dark web)',
'number_of_records_exposed': '5,000,000 (Qantas); up to '
'1,000,000,000 (global)',
'personally_identifiable_information': ['Email Addresses',
'Phone Numbers',
'Birth Dates',
'Frequent Flyer '
'Numbers',
'Passport Numbers '
'(for some global '
'victims)'],
'sensitivity_of_data': 'High (includes dates of birth, '
'purchase histories, passport numbers '
'for some victims)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Contact Information']},
'date_detected': '2024-06',
'date_publicly_disclosed': '2024-09-21',
'description': 'Hackers leaked the personal records of 5 million Qantas '
'customers on the dark web after a ransom deadline passed. The '
'data, stolen from a Salesforce database in June, included '
'email addresses, phone numbers, birth dates, and frequent '
'flyer numbers. The hacker collective Scattered Lapsus$ '
'Hunters demanded payment to prevent the data from being '
'shared, but Qantas refused to pay. The leak is part of a '
'larger breach affecting over 40 global companies, with up to '
'1 billion customer records compromised.',
'impact': {'brand_reputation_impact': 'High (negative publicity, loss of '
'customer trust)',
'customer_complaints': 'Expected (due to personal data exposure)',
'data_compromised': ['Email Addresses',
'Phone Numbers',
'Birth Dates',
'Frequent Flyer Numbers'],
'identity_theft_risk': 'High (personal data exposed, risk of '
'phishing/scams)',
'legal_liabilities': ['NSW Supreme Court Injunction to Prevent '
'Data Misuse'],
'operational_impact': ['Customer Support Burden',
'Legal Injunctions'],
'payment_information_risk': 'Low (no credit card or financial data '
'exposed)',
'systems_affected': ['Salesforce Database']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (leaked after ransom '
'deadline passed)',
'entry_point': 'Salesforce Database (compromised '
'between April 2024–September 2025)',
'high_value_targets': ['Customer Databases (PII)',
'Frequent Flyer Programs']},
'investigation_status': 'Ongoing (in collaboration with authorities and '
'external experts)',
'lessons_learned': ['Third-party vendor risks (Salesforce database targeted)',
'Importance of refusing ransom payments to avoid '
'encouraging cybercrime',
'Need for proactive customer support (identity protection '
'advice) post-breach',
'Legal measures (injunctions) can mitigate damage but not '
'prevent initial leaks'],
'motivation': ['Financial Gain (Extortion)', 'Reputation Damage'],
'post_incident_analysis': {'corrective_actions': ['Strengthen third-party '
'security requirements',
'Enhance data encryption '
'and access logging',
'Improve incident response '
'coordination with vendors',
'Expand customer '
'notification and '
'protection programs'],
'root_causes': ['Third-party vulnerability '
'(Salesforce database breach)',
'Likely insufficient access '
'controls or monitoring for '
'exfiltration',
'Threat actor sophistication '
"(Scattered Lapsus$ Hunters' "
'expertise in system '
'connections)']},
'ransomware': {'data_encryption': 'No (data stolen but not encrypted)',
'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (unspecified amount)',
'ransom_paid': 'No'},
'recommendations': ['Enhance third-party risk assessments (e.g., Salesforce '
'security audits)',
'Implement stricter data access controls and monitoring '
'for high-value databases',
'Educate customers on phishing risks post-breach '
'(personalized scams likely)',
'Collaborate with law enforcement and cybersecurity firms '
'for threat intelligence sharing',
'Consider proactive dark web monitoring for leaked data'],
'references': [{'date_accessed': '2024-09-21',
'source': 'The Guardian Australia',
'url': 'https://www.theguardian.com/australia-news'},
{'date_accessed': '2024-09-21',
'source': 'Cyber Threat Intelligence (Jeremy Kirk, Executive '
'Editor)'}],
'regulatory_compliance': {'legal_actions': ['NSW Supreme Court Injunction (to '
'block data misuse)']},
'response': {'communication_strategy': ['Public Statements',
'Customer Advisories'],
'containment_measures': ['Legal Injunction to Block Data '
'Access/Use'],
'enhanced_monitoring': 'Likely (advised customers to monitor '
'accounts)',
'incident_response_plan_activated': 'Yes (24/7 support line, '
'identity protection advice)',
'law_enforcement_notified': 'Yes (investigated with authorities)',
'remediation_measures': ['Customer Support (Identity Protection '
'Advice)',
'Monitoring for Suspicious Activity'],
'third_party_assistance': ['External Cybersecurity Experts',
'Legal Support (NSW Supreme Court '
'Injunction)']},
'stakeholder_advisories': ['24/7 support line for affected customers',
'Identity protection guidance'],
'threat_actor': 'Scattered Lapsus$ Hunters',
'title': 'Qantas Customer Data Leak by Scattered Lapsus$ Hunters',
'type': ['Data Breach', 'Extortion', 'Dark Web Leak']}