Hackers from the cybercrime collective **Scattered Lapsus$ Hunters** breached Qantas’ systems via **vishing (voice phishing)**, tricking employees into granting access to customer data stored on a **Salesforce-linked cloud platform**. The attack, first disclosed in **July 2023**, resulted in the theft of **nearly 6 million customer records**, including **names, email addresses, phone numbers, birth dates, frequent flyer numbers, home addresses, and gender details**—though no credit card data was compromised. After Qantas and Salesforce refused to pay a ransom, the hackers **released the stolen data on the dark web**, exposing affected individuals to **identity theft, phishing scams, and fraudulent account creation**. The breach compounds risks for Australians already impacted by prior incidents (e.g., Medibank, Optus), with authorities warning of **impersonation attempts, fake login prompts, and long-term dark web exploitation** of personal data. Qantas advised customers to enable **two-factor authentication**, avoid suspicious links, and monitor for unauthorized account activity.
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan2562025101325",
"linkid": "qantas",
"type": "Cyber Attack",
"date": "7/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5,900,000 (approx.)',
'industry': 'Aviation/Transportation',
'location': 'Australia',
'name': 'Qantas',
'size': 'Large (nearly 6 million customer records '
'compromised)',
'type': 'Airline'},
{'industry': 'Technology',
'location': 'Global (HQ: USA)',
'name': 'Salesforce',
'size': 'Enterprise',
'type': 'Cloud Software Provider'}],
'attack_vector': 'Vishing (Voice Phishing)',
'customer_advisories': ['Remain alert for phishing attempts (email, text, '
'calls)',
'Use two-step authentication',
'Never share passwords or sensitive login details',
'Check credit reports for fraud',
'Contact IDCare or Scamwatch if suspicious activity '
'occurs'],
'data_breach': {'data_exfiltration': 'Confirmed (data released on dark web)',
'number_of_records_exposed': '5,900,000 (approx.)',
'personally_identifiable_information': ['Names',
'Email Addresses',
'Phone Numbers',
'Birth Dates',
'Home Addresses '
'(partial)',
'Frequent Flyer '
'Numbers'],
'sensitivity_of_data': 'Moderate to High (includes home '
'addresses, birth dates, and frequent '
'flyer details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Customer Account Data']},
'date_detected': '2023-07-00',
'date_publicly_disclosed': '2023-07-00',
'description': 'Hackers from the cybercrime collective Scattered Lapsus$ '
'Hunters released Qantas customer data onto the dark web after '
'the airline and Salesforce refused to pay a ransom. The '
'breach, initially disclosed in July, involved vishing (voice '
'phishing) attacks to trick employees into granting access to '
'customer data. Nearly 6 million records were compromised, '
'including names, email addresses, phone numbers, birth dates, '
'and frequent flyer numbers. The Australian government and '
'Qantas are investigating the leak, which follows similar '
'high-profile breaches affecting Medibank and Optus.',
'impact': {'brand_reputation_impact': 'High (part of a series of major '
'Australian breaches, including '
'Medibank and Optus)',
'customer_complaints': 'Reports of impersonation attempts and '
'unauthorized account access post-breach',
'data_compromised': ['Names',
'Email Addresses',
'Phone Numbers',
'Birth Dates',
'Frequent Flyer Numbers',
'Home Addresses (for some customers)',
'Gender (for some customers)'],
'identity_theft_risk': 'High (phishing attempts reported, '
'including MyGov account access attempts)',
'legal_liabilities': 'NSW Supreme Court injunction filed to block '
'access to stolen data; potential regulatory '
'scrutiny',
'operational_impact': 'Increased customer support demands, '
'reputational damage, legal injunctions to '
'prevent data access',
'payment_information_risk': 'None (credit card details reportedly '
'not affected)',
'systems_affected': ['Qantas Customer Database (hosted on '
'Salesforce platform)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (Qantas data '
'confirmed leaked)',
'entry_point': 'Vishing (voice phishing calls to '
'employees)',
'high_value_targets': ['Salesforce-linked global '
'corporations (e.g., Disney, '
'Google, IKEA, Toyota, '
'Qantas)']},
'investigation_status': 'Ongoing (Qantas, federal government, and police '
'involved)',
'motivation': 'Financial Gain (Extortion/Ransom)',
'post_incident_analysis': {'root_causes': ['Successful vishing attack '
'exploiting human error',
'Inadequate verification of caller '
'identities']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (by Scattered Lapsus$ Hunters; amount '
'undisclosed)',
'ransom_paid': 'No (Qantas and Salesforce refused to '
'negotiate)'},
'recommendations': ['Enable two-step authentication for online accounts',
'Avoid clicking links in unsolicited emails/texts',
'Verify caller identities via official channels',
'Monitor credit reports for fraudulent activity',
'Use resources like IDCare, Australian Cyber Security '
'Centre, and Scamwatch'],
'references': [{'date_accessed': '2023-10-00',
'source': 'ABC News',
'url': 'https://www.abc.net.au/news'},
{'date_accessed': '2023-10-00',
'source': 'University of New South Wales (Professor Richard '
'Buckland)'}],
'regulatory_compliance': {'legal_actions': ['NSW Supreme Court injunction to '
'prevent data access'],
'regulatory_notifications': ['Federal Government',
'Australian Federal '
'Police']},
'response': {'communication_strategy': ['Public statements (July and '
'post-dark web leak)',
'Direct emails to affected customers',
'Media interviews (e.g., Transport '
'Minister Catherine King)'],
'containment_measures': ['NSW Supreme Court injunction to block '
'data access',
'Dark web monitoring'],
'enhanced_monitoring': 'Dark web channels monitored to confirm '
'leaked data',
'incident_response_plan_activated': 'Yes (investigation ongoing '
'since July)',
'law_enforcement_notified': 'Yes',
'recovery_measures': ['Customer notifications (July)',
'Advisories on phishing risks'],
'third_party_assistance': ['Federal Government',
'Australian Federal Police',
'Cybersecurity Experts']},
'stakeholder_advisories': ['Federal Government (Transport Minister Catherine '
'King)',
'Australian Federal Police',
'Cybersecurity Experts (e.g., Professor Richard '
'Buckland)'],
'threat_actor': 'Scattered Lapsus$ Hunters',
'title': 'Qantas Customer Data Leak on the Dark Web',
'type': ['Data Breach', 'Ransomware Extortion', 'Vishing Attack'],
'vulnerability_exploited': 'Human Error (Social Engineering via Phone Calls)'}