Qantas Airways suffered a major cyber breach in July 2025, in which hackers accessed a third-party call center platform containing sensitive customer data. The stolen information included personal details of over **five million customers**: **one million** had phone numbers, birth dates, and home addresses compromised, while **four million** had names and email addresses exposed. Additional leaked data included frequent flyer details, genders, and meal preferences. The breach was linked to the **Scattered Lapsus$ Hunters** hacker group, which published the data after Qantas refused to meet ransom demands. Qantas obtained a court injunction to block further dissemination, but cybersecurity experts like **Troy Hunt** dismissed its effectiveness, citing past failures in similar cases. The incident follows a wave of high-profile Australian breaches (Optus, Medibank, MediSecure) and aligns with a **25% surge in reported data breaches** in 2024, per the **Office of the Australian Information Commissioner**. Qantas is collaborating with cybersecurity firms and Australian agencies to mitigate fallout, though the leaked data, including addresses and birth dates, poses long-term risks of identity theft and fraud.
TPRM report: https://www.rankiteo.com/company/qantas
{
  "id": "qan2733027101325",
  "linkid": "qantas",
  "type": "Cyber Attack",
  "date": "6/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '5,000,000+',
'industry': 'Aviation/Transportation',
'location': 'Australia',
'name': 'Qantas Airways',
'size': 'Large (Fortune 500 equivalent)',
'type': 'Airline'}],
'attack_vector': ['Third-Party Platform Exploitation (Salesforce/Call Center)',
'Data Exfiltration',
'Public Data Release'],
'customer_advisories': ['Public statement on Qantas website (Oct 12, 2025).',
'Recommendations for customers to monitor for '
'identity theft.',
'Assurance that no further breaches detected.'],
'data_breach': {'data_exfiltration': 'Confirmed (data published by hackers '
'post-ransom deadline)',
'number_of_records_exposed': '5,000,000+',
'personally_identifiable_information': ['Full Names',
'Email Addresses',
'Phone Numbers',
'Home/Business '
'Addresses',
'Birth Dates',
'Genders'],
'sensitivity_of_data': 'High (includes addresses, birth '
'dates, and contact details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Customer Profiles',
'Frequent Flyer Data',
'Preference Data (e.g., meal '
'choices)']},
'date_detected': '2025-07',
'date_publicly_disclosed': '2025-10-12',
'description': "Australia's Qantas Airways confirmed that hackers released "
'stolen customer data months after a cyber breach in July '
'2025. The breach targeted a third-party call center platform, '
'exposing personal information of over 5 million customers, '
'including names, email addresses, phone numbers, birth dates, '
'home addresses, genders, and meal preferences. The hacker '
'group Scattered Lapsus$ Hunters is believed to be responsible '
'after their ransom deadline passed. Qantas obtained a court '
'injunction to block further data dissemination but faced '
'skepticism about its effectiveness.',
'impact': {'brand_reputation_impact': "Severe (one of Australia's largest "
'breaches, trending on social media)',
'customer_complaints': 'High (public outcry reported)',
'data_compromised': ['Names (5M+ customers)',
'Email addresses (5M+ customers)',
'Frequent flyer details (5M+ customers)',
'Home/Business addresses (~1M customers)',
'Phone numbers (~1M customers)',
'Birth dates (~1M customers)',
'Genders (~1M customers)',
'Meal preferences (~1M customers)'],
'identity_theft_risk': 'High (PII including addresses, birth '
'dates, and phone numbers exposed)',
'legal_liabilities': ['Court Injunction Filed to Block Data '
'Dissemination',
'Potential Regulatory Fines (under '
'Australian cyber resilience laws)'],
'operational_impact': ['Customer Trust Erosion',
'Legal Injunction Enforcement',
'Cybersecurity Investigation Overhead'],
'systems_affected': ['Third-Party Call Center Platform '
'(Salesforce-linked)',
'Customer Database']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (per Scattered '
"Lapsus$ Hunters' modus "
'operandi)',
'entry_point': 'Third-Party Call Center Platform '
'(Salesforce-linked)',
'high_value_targets': ['Customer PII',
'Frequent Flyer Data']},
'investigation_status': 'Ongoing (collaboration with cybersecurity experts '
'and authorities)',
'lessons_learned': ['Third-party vendor risks require stricter oversight '
'(e.g., call center platforms).',
'Court injunctions may be ineffective against '
'cybercriminals (per Troy Hunt).',
'Need for proactive dark web monitoring to detect leaked '
'data early.',
'Customer data minimization (e.g., meal preferences) '
'could reduce exposure.'],
'motivation': ['Financial (Ransom)',
'Data Theft for Dark Web Sale',
'Reputation Damage'],
'post_incident_analysis': {'corrective_actions': ['Termination/remediation of '
'vulnerable third-party '
'contracts.',
'Deployment of dark web '
'monitoring tools.',
'Review of data retention '
'policies (e.g., necessity '
'of storing meal '
'preferences).'],
'root_causes': ['Inadequate third-party vendor '
'security controls.',
'Lack of real-time data '
'exfiltration detection.',
'Over-reliance on legal measures '
'(e.g., injunctions) to mitigate '
'cyber threats.']},
'ransomware': {'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (by Scattered Lapsus$ Hunters; '
'deadline passed)',
'ransom_paid': 'No (ransom deadline ignored; data released)'},
'recommendations': ['Implement zero-trust architecture for third-party '
'integrations.',
'Enhance incident response plans for ransomware/data '
'extortion scenarios.',
'Conduct regular third-party security audits (especially '
'for customer-facing platforms).',
'Explore data anonymization for non-critical customer '
'preferences.',
'Advocate for stronger international cybercrime '
'enforcement collaboration.'],
'references': [{'date_accessed': '2025-10-12', 'source': 'Reuters'},
{'date_accessed': '2025-10-12',
'source': 'The Guardian Australia'},
{'date_accessed': '2025-10-12',
'source': 'New York Times (via Troy Hunt interview)'},
{'date_accessed': '2025-10-12',
'source': 'vcpost.com (original article)'},
{'date_accessed': '2025-10-12',
'source': 'Twitter (JT @Matkins2021)',
'url': 'https://twitter.com/Matkins2021/status/xxxxxx'}],
'regulatory_compliance': {'legal_actions': ['Court Injunction Filed (to block '
'data dissemination)'],
'regulations_violated': ['Australian Privacy Act '
'(Mandatory Data Breach '
'Notification)',
'Potential GDPR (if EU '
'customers affected)'],
'regulatory_notifications': ['Office of the '
'Australian '
'Information '
'Commissioner (OAIC)']},
'response': {'communication_strategy': ['Public Statements (Oct 12, 2025)',
'Social Media Updates',
'Customer Advisories'],
'containment_measures': ['Court Injunction to Block Data '
'Access/Use',
'Third-Party Platform Review'],
'incident_response_plan_activated': 'Yes (collaboration with '
'cybersecurity experts)',
'law_enforcement_notified': 'Yes (Australian authorities)',
'recovery_measures': ['Customer Communication',
'Data Leak Investigation'],
'third_party_assistance': ['Cybersecurity Experts (unnamed)',
'Australian Security Agencies']},
'stakeholder_advisories': ['Australian Government (cyber resilience laws)',
'Office of the Australian Information Commissioner '
'(OAIC)'],
'threat_actor': 'Scattered Lapsus$ Hunters',
'title': 'Qantas Airways Customer Data Breach via Third-Party Salesforce '
'Platform',
'type': ['Data Breach',
'Third-Party Vendor Compromise',
'Unauthorized Data Disclosure']}