Qantas Airways

The **Trinity of Chaos** ransomware collective (linked to Lapsus$, Scattered Spider, and ShinyHunters) exposed a significant breach of **Qantas Airways**, leaking **substantial PII records** of passengers, including loyalty program details, internal communications, and activity histories. The attack, initially disclosed via extortion emails, resulted in regulatory fines for negligence under GDPR-like frameworks (e.g., Australia’s *Privacy Act*), but the stolen data remains monetized on dark web markets. The breach likely stemmed from **Salesforce instance exploitation** (via vishing and OAuth token theft in Salesloft’s Drift AI chat integration), aligning with the group’s pattern of targeting high-value corporate data. The leaked samples confirm exposure of **millions of customer records**, heightening the risk of identity theft, phishing, and reputational damage. Qantas’ failure to fully mitigate the incident, despite prior warnings, exacerbates compliance and operational risks, with cybercriminals leveraging the data for ongoing malicious campaigns, including AI-driven social engineering.

Source: https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims

TPRM report: https://www.rankiteo.com/company/qantas

"id": "qan2902229100425",
"linkid": "qantas",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Manufacturing',
                        'location': 'Global (HQ: Japan)',
                        'name': 'Toyota Motor Corporation',
                        'size': 'Large (Fortune 100)',
                        'type': 'Automotive'},
                       {'industry': 'Transportation',
                        'location': 'Global (HQ: USA)',
                        'name': 'FedEx',
                        'size': 'Large (Fortune 100)',
                        'type': 'Logistics'},
                       {'industry': 'Media',
                        'location': 'Global (HQ: USA)',
                        'name': 'Disney/Hulu',
                        'size': 'Large (Fortune 100)',
                        'type': 'Entertainment'},
                       {'industry': 'Environmental Services',
                        'location': 'USA',
                        'name': 'Republic Services',
                        'size': 'Large',
                        'type': 'Waste Management'},
                       {'industry': 'Transportation',
                        'location': 'Global (HQ: USA)',
                        'name': 'UPS',
                        'size': 'Large (Fortune 100)',
                        'type': 'Logistics'},
                       {'customers_affected': '39M+ records (claimed)',
                        'industry': 'Aviation',
                        'location': 'Mexico',
                        'name': 'Aeromexico',
                        'size': 'Large',
                        'type': 'Airline'},
                       {'industry': 'Home Improvement',
                        'location': 'Global (HQ: USA)',
                        'name': 'Home Depot',
                        'size': 'Large (Fortune 100)',
                        'type': 'Retail'},
                       {'industry': 'Hotels',
                        'location': 'Global (HQ: USA)',
                        'name': 'Marriott',
                        'size': 'Large (Fortune 100)',
                        'type': 'Hospitality'},
                       {'industry': 'Aviation',
                        'location': 'Vietnam',
                        'name': 'Vietnam Airlines',
                        'size': 'Large',
                        'type': 'Airline'},
                       {'industry': 'Pharmacy',
                        'location': 'USA',
                        'name': 'Walgreens',
                        'size': 'Large (Fortune 100)',
                        'type': 'Retail'},
                       {'customers_affected': 'North American customers '
                                              '(disclosed 2025-09-21)',
                        'industry': 'Manufacturing',
                        'location': 'Global (HQ: Netherlands)',
                        'name': 'Stellantis',
                        'size': 'Large (Fortune 100)',
                        'type': 'Automotive'},
                       {'industry': 'Restaurant',
                        'location': 'Global (HQ: USA)',
                        'name': "McDonald's",
                        'size': 'Large (Fortune 100)',
                        'type': 'Food Service'},
                       {'industry': 'Restaurant',
                        'location': 'Global (HQ: USA)',
                        'name': 'KFC',
                        'size': 'Large',
                        'type': 'Food Service'},
                       {'industry': 'Apparel',
                        'location': 'Global (HQ: Japan)',
                        'name': 'ASICS',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Apparel',
                        'location': 'Global (HQ: USA)',
                        'name': 'GAP',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Publishing',
                        'location': 'USA',
                        'name': 'HMH (Houghton Mifflin Harcourt)',
                        'size': 'Medium',
                        'type': 'Education'},
                       {'industry': 'Imaging',
                        'location': 'Global (HQ: Japan)',
                        'name': 'Fujifilm',
                        'size': 'Large',
                        'type': 'Technology'},
                       {'industry': 'EdTech',
                        'location': 'USA',
                        'name': 'Instructure (Canvas)',
                        'size': 'Medium',
                        'type': 'Education Technology'},
                       {'industry': 'Grocery',
                        'location': 'USA',
                        'name': 'Albertsons',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Utilities',
                        'location': 'Global (HQ: France)',
                        'name': 'Engie Resources',
                        'size': 'Large',
                        'type': 'Energy'},
                       {'industry': 'Grocery Delivery',
                        'location': 'USA',
                        'name': 'Instacart',
                        'size': 'Large',
                        'type': 'E-Commerce'},
                       {'industry': 'Pet Supplies',
                        'location': 'USA',
                        'name': 'Petco',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Fashion',
                        'location': 'Global (HQ: France)',
                        'name': 'Kering (Gucci, Balenciaga, Brioni, Alexander '
                                'McQueen)',
                        'size': 'Large',
                        'type': 'Luxury Goods'},
                       {'industry': 'Apparel',
                        'location': 'Global (HQ: Germany)',
                        'name': 'Puma',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Jewelry',
                        'location': 'Global (HQ: Switzerland)',
                        'name': 'Cartier',
                        'size': 'Large',
                        'type': 'Luxury Goods'},
                       {'industry': 'Apparel',
                        'location': 'Global (HQ: Germany)',
                        'name': 'Adidas',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Insurance',
                        'location': 'USA',
                        'name': 'TripleA (AAA)',
                        'size': 'Large',
                        'type': 'Automotive Services'},
                       {'industry': 'Aviation',
                        'location': 'Australia',
                        'name': 'Qantas Airways',
                        'size': 'Large',
                        'type': 'Airline'},
                       {'industry': 'Used Cars',
                        'location': 'USA',
                        'name': 'CarMax',
                        'size': 'Large',
                        'type': 'Automotive Retail'},
                       {'industry': 'Luxury Department Store',
                        'location': 'USA',
                        'name': 'Saks Fifth Avenue',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Accounting',
                        'location': 'USA',
                        'name': '1-800 Accountant',
                        'size': 'Small/Medium',
                        'type': 'Financial Services'},
                       {'industry': 'Aviation',
                        'location': 'Europe (France/Netherlands)',
                        'name': 'Air France & KLM',
                        'size': 'Large',
                        'type': 'Airline'},
                       {'industry': 'Advertising',
                        'location': 'Global (HQ: USA)',
                        'name': 'Google (AdSense/AdWords)',
                        'size': 'Large (Fortune 100)',
                        'type': 'Technology'},
                       {'industry': 'Networking',
                        'location': 'Global (HQ: USA)',
                        'name': 'Cisco',
                        'size': 'Large (Fortune 100)',
                        'type': 'Technology'},
                       {'industry': 'Jewelry',
                        'location': 'Global (HQ: USA)',
                        'name': 'Pandora.net',
                        'size': 'Large',
                        'type': 'E-Commerce'},
                       {'industry': 'Credit Reporting',
                        'location': 'Global (HQ: USA)',
                        'name': 'TransUnion',
                        'size': 'Large',
                        'type': 'Financial Services'},
                       {'industry': 'Fashion',
                        'location': 'Global (HQ: France)',
                        'name': 'Chanel',
                        'size': 'Large',
                        'type': 'Luxury Goods'},
                       {'industry': 'Furniture',
                        'location': 'Global (HQ: Netherlands)',
                        'name': 'IKEA',
                        'size': 'Large',
                        'type': 'Retail'},
                       {'industry': 'Manufacturing',
                        'location': 'UK',
                        'name': 'Jaguar Land Rover',
                        'size': 'Large',
                        'type': 'Automotive'},
                       {'industry': 'Aviation',
                        'location': 'Vietnam',
                        'name': 'Noi Bai Airport',
                        'size': 'Large',
                        'type': 'Transportation'},
                       {'industry': 'Aviation',
                        'location': 'Vietnam',
                        'name': 'Tan Son Nhat Airport',
                        'size': 'Large',
                        'type': 'Transportation'},
                       {'customers_affected': '160M+ records (claimed)',
                        'industry': 'Credit Reporting',
                        'location': 'Vietnam',
                        'name': 'National Credit Information Center (CIC) of '
                                'Vietnam',
                        'size': 'Government',
                        'type': 'Financial Services'},
                       {'industry': 'CRM',
                        'location': 'Global (HQ: USA)',
                        'name': 'Salesforce (Customer Instances)',
                        'size': 'Large',
                        'type': 'Technology'}],
 'attack_vector': ['Vishing',
                   'Stolen OAuth Tokens',
                   'Salesforce Instance Exploitation (Salesloft’s Drift AI '
                   'Chat Integration)',
                   'Dark Web Data Leak Site (DLS)',
                   'Social Engineering'],
 'customer_advisories': ['Monitor financial accounts for fraud (PII exposure).',
                         'Reset passwords for any services linked to breached '
                         'companies (e.g., loyalty programs).',
                         'Beware of phishing emails referencing the breach '
                         "(e.g., fake 'compensation' offers).",
                         'Freeze credit reports if SSNs or financial data were '
                         'exposed (e.g., TransUnion customers).',
                         'Contact affected companies for clarity on exposed '
                         'data (e.g., Aeromexico’s 39M records).'],
 'data_breach': {'data_encryption': ['Partial (Ransomware Threats, but no '
                                     'widespread encryption reported)'],
                 'data_exfiltration': ['Confirmed (Samples shared on DLS)',
                                       'Ongoing (Dark Web Monetization)'],
                 'file_types_exposed': ['CSV/Excel (Customer Records)',
                                        'Emails',
                                        'PDFs (Internal Documents)',
                                        'Database Dumps'],
                 'number_of_records_exposed': '1,563,633,235 (claimed total); '
                                              '39M+ (Aeromexico); 160M+ '
                                              '(Vietnam CIC)',
                 'personally_identifiable_information': ['Names',
                                                         'Contact Details',
                                                         'Loyalty Program Data',
                                                         'Travel History',
                                                         'Employee IDs',
                                                         'Government '
                                                         'Affiliation Records'],
                 'sensitivity_of_data': ['High (PII, Government/Military '
                                         'Personnel)',
                                         'Medium (Corporate Communications)'],
                 'type_of_data_compromised': ['PII (Passenger Records, Loyalty '
                                              'Points)',
                                              'Corporate Emails',
                                              'Internal Communications',
                                              'Customer-Vendor Relationships',
                                              'Employee Data (Law '
                                              'Enforcement/Military)',
                                              'Advertising Partner Data '
                                              '(Google AdWords)',
                                              'Salesforce Records (Accounts, '
                                              'Contacts, Cases)']},
 'date_publicly_disclosed': '2025-10-03',
 'description': 'The Trinity of Chaos, a ransomware collective associated with '
                'Lapsus$, Scattered Spider, and ShinyHunters, launched a Data '
                'Leak Site (DLS) on the TOR network containing 39 companies '
                'impacted by past attacks. The group released previously '
                'undisclosed information about successful breaches, including '
                'data samples from Salesforce instances exploited via vishing '
                'and stolen OAuth tokens (Salesloft’s Drift AI chat '
                'integration). Threat actors threatened to report breaches to '
                'regulators (e.g., GDPR) and disclosed deadlines (October 10, '
                '2025) for negotiation to prevent further data publication. '
                'The leaked data includes PII, internal communications, and '
                'records from Fortune 100 companies, airlines, and technology '
                'giants like Cisco and Google. The group claims over 1.5 '
                'billion records across 760 companies, with potential impacts '
                'including lawsuits, regulatory fines, and advanced phishing '
                'campaigns.',
 'impact': {'brand_reputation_impact': ['High (Fortune 100 companies, global '
                                        'brands)',
                                        'Loss of Trust in Salesforce Security',
                                        'Media Scrutiny'],
            'customer_complaints': ['Expected due to PII exposure'],
            'data_compromised': ['PII (Passenger Info, Loyalty Points, '
                                 'Activity History)',
                                 'Internal Communications',
                                 'Customer-Vendor Relationships',
                                 'Employee Records (Law Enforcement, Military, '
                                 'Federal Agencies)',
                                 'Advertising Partner Data (Google AdWords)',
                                 'Salesforce Records (Accounts, Contacts, '
                                 'Opportunities)'],
            'identity_theft_risk': ['High (1.5B+ records with PII)',
                                    'Targeted Phishing/Social Engineering'],
            'legal_liabilities': ['GDPR Fines (EU-based victims)',
                                  'Criminal Negligence Charges (e.g., Qantas)',
                                  'Class-Action Lawsuits'],
            'operational_impact': ['Disrupted Retail/Production (e.g., Jaguar '
                                   'Land Rover)',
                                   'Regulatory Investigations (GDPR, Criminal '
                                   'Negligence)',
                                   'Potential Lawsuits',
                                   'Government Shutdown Overlap (U.S. Federal '
                                   'Agencies)'],
            'payment_information_risk': ['Low (Most samples lack passwords but '
                                         'include PII)'],
            'systems_affected': ['Salesforce Instances',
                                 'Salesloft’s Drift AI Chat Integration',
                                 'Corporate Email Systems',
                                 'Dark Web Data Leak Site (DLS)',
                                 'Telegram Channels']},
 'initial_access_broker': {'backdoors_established': ['Persistent access via '
                                                     'Salesforce instances',
                                                     'Dark Web data '
                                                     'monetization channels'],
                           'data_sold_on_dark_web': ['Confirmed (1.5B+ records '
                                                     'advertised)',
                                                     'Samples shared on DLS',
                                                     'Ongoing monetization via '
                                                     'Telegram/forums'],
                           'entry_point': ['Stolen OAuth Tokens (Salesloft '
                                           'Drift)',
                                           'Vishing Attacks',
                                           'Compromised Corporate Emails',
                                           'Exploited Salesforce '
                                           'Misconfigurations'],
                           'high_value_targets': ['Fortune 100 companies',
                                                  'Airlines (PII-rich '
                                                  'databases)',
                                                  'Government/Military '
                                                  'personnel data',
                                                  'Advertising platforms '
                                                  '(Google AdWords)'],
                           'reconnaissance_period': ['Up to 3 years (e.g., '
                                                     'Vietnam Airlines)',
                                                     'Historical access since '
                                                     '2019 (claimed)']},
 'investigation_status': 'Ongoing (Multi-agency: FBI, GDPR authorities, '
                         'private firms like Resecurity)',
 'lessons_learned': ['OAuth token security requires stricter monitoring '
                     '(Salesloft Drift integration).',
                     'Dark Web monitoring is critical for early detection of '
                     'leaked data.',
                     'Regulatory threats (e.g., GDPR reporting) are '
                     'increasingly used as leverage by ransomware groups.',
                     'Supply chain risks (e.g., Salesforce instances) can '
                     'amplify breach impacts across industries.',
                     'Proactive communication with threat actors may prevent '
                     'public disclosure (failed in this case).',
                     'Government shutdowns can hinder cybersecurity response '
                     'capabilities.'],
 'motivation': ['Financial Gain',
                'Data Monetization',
                'Reputation Damage',
                'Regulatory Pressure (GDPR Fines)',
                'Disruption'],
 'post_incident_analysis': {'corrective_actions': ['Salesforce: Enforce token '
                                                   'expiration and anomaly '
                                                   'detection for OAuth '
                                                   'integrations.',
                                                   'Companies: Implement Dark '
                                                   'Web monitoring for '
                                                   'brand/employee data.',
                                                   'Airlines: Encrypt PII and '
                                                   'limit access to loyalty '
                                                   'program databases.',
                                                   'Government: Mandate breach '
                                                   'disclosure timelines '
                                                   '(e.g., 72 hours under '
                                                   'GDPR).',
                                                   'Advertising platforms: '
                                                   'Audit third-party access '
                                                   'to customer data (e.g., '
                                                   'Google AdWords partners).',
                                                   'Law enforcement: '
                                                   'Prioritize disruption of '
                                                   'ransomware leak sites '
                                                   '(e.g., DDoS mitigation).'],
                            'root_causes': ['Insecure OAuth token management '
                                            'in Salesforce integrations '
                                            '(Drift).',
                                            'Lack of Dark Web monitoring for '
                                            'early leak detection.',
                                            'Delayed patching of known '
                                            'Salesforce vulnerabilities '
                                            '(UNC6040/UNC6395).',
                                            'Insufficient segmentation of '
                                            'high-value data (e.g., airline '
                                            'passenger records).',
                                            'Failure to engage with threat '
                                            'actors preemptively (e.g., '
                                            'Salesforce’s dismissed claims).',
                                            'Regulatory gaps in cross-border '
                                            'data breach notifications (e.g., '
                                            'Vietnam CIC).']},
 'ransomware': {'data_encryption': ['Limited (Focus on Exfiltration + '
                                    'Extortion)'],
                'data_exfiltration': ['Massive (1.5B+ records claimed)'],
                'ransom_demanded': ['Undisclosed (Negotiation Deadline: '
                                    '2025-10-10)',
                                    'Threats of Regulatory Reporting (GDPR)'],
                'ransomware_strain': ['Custom (Trinity of Chaos)',
                                      'Associated with Lapsus$/Scattered '
                                      'Spider TTPs']},
 'recommendations': ['Implement Zero Trust Architecture for cloud services '
                     '(e.g., Salesforce).',
                     'Enforce MFA and conditional access policies for all '
                     'OAuth integrations.',
                     'Conduct third-party risk assessments for SaaS providers '
                     '(e.g., Drift, Salesloft).',
                     'Establish a Dark Web monitoring program to detect leaked '
                     'credentials/data.',
                     'Develop a pre-emptive regulatory engagement strategy '
                     '(e.g., GDPR breach notifications).',
                     'Train employees on vishing/social engineering tactics '
                     'used by groups like Lapsus$.',
                     'Isolate high-value systems (e.g., airline passenger '
                     'databases) with network segmentation.',
                     'Prepare for DDoS attacks on leak sites (e.g., Trinity of '
                     'Chaos DLS).',
                     'Coordinate with law enforcement (FBI, INTERPOL) for '
                     'threat actor disruption.',
                     'Review incident response plans for ransomware extortion '
                     '+ data leak scenarios.'],
 'references': [{'source': 'Resecurity Threat Intelligence Report'},
                {'source': 'FBI Flash Warning (Salesforce Exploitation)'},
                {'date_accessed': '2025-10-03',
                 'source': 'Trinity of Chaos Data Leak Site (TOR)'},
                {'date_accessed': '2025-10-03',
                 'source': 'Telegram Channel (SLSH 6.0 Part 3)'},
                {'date_accessed': '2025-06-04',
                 'source': 'Google Security Blog (UNC6040 Incident)'},
                {'date_accessed': '2025-09-21',
                 'source': 'Stellantis Breach Disclosure'},
                {'source': 'Qantas GDPR Fine Announcement'}],
 'regulatory_compliance': {'fines_imposed': ['Potential (e.g., Qantas '
                                             'previously fined for negligence)',
                                             'GDPR Penalties (Up to 4% of '
                                             'global revenue)'],
                           'legal_actions': ['Class-Action Lawsuits (Expected)',
                                             'Criminal Negligence Charges '
                                             '(Threatened)',
                                             'Regulatory Investigations '
                                             '(Ongoing)'],
                           'regulations_violated': ['GDPR (EU-based victims)',
                                                    'Vietnam Data Protection '
                                                    'Laws',
                                                    'Australian Privacy Act '
                                                    '(Qantas)',
                                                    'U.S. State Breach Laws'],
                           'regulatory_notifications': ['GDPR Authorities (EU)',
                                                        'FBI (USA)',
                                                        'Vietnamese CERT',
                                                        'Australian OAIC']},
 'response': {'communication_strategy': ['Public Statements (Downplaying '
                                         'Impact, e.g., Salesforce)',
                                         'Customer Advisories (Deadline: '
                                         '2025-10-10)',
                                         'Media Engagement'],
              'containment_measures': ['Salesforce Instance Isolation',
                                       'OAuth Token Revocation',
                                       'Dark Web Takedown Attempts (DDoS on '
                                       'DLS)'],
              'enhanced_monitoring': ['FBI Indicators of Compromise (IoCs)',
                                      'Dark Web Threat Intelligence'],
              'incident_response_plan_activated': ['Likely (e.g., Google’s '
                                                   'mitigation for UNC6040)',
                                                   'Salesforce Flash Warning '
                                                   '(FBI)'],
              'law_enforcement_notified': ['FBI (Flash Warning)',
                                           'Potential GDPR Regulators (EU)',
                                           'Australian Authorities (Qantas)'],
              'network_segmentation': ['Likely (to isolate Salesforce '
                                       'instances)'],
              'recovery_measures': ['Data Restoration (Backups)',
                                    'Customer Notification (e.g., Stellantis)',
                                    'Regulatory Filings'],
              'remediation_measures': ['Patch Management (Salesforce)',
                                       'Multi-Factor Authentication (MFA) '
                                       'Enforcement',
                                       'Employee Training (Anti-Phishing)'],
              'third_party_assistance': ['Resecurity (Threat Intelligence)',
                                         'FBI (Investigation)',
                                         'Dark Web Monitoring Firms']},
 'stakeholder_advisories': ['Fortune 100 companies: Prepare for potential '
                            'lawsuits and regulatory inquiries.',
                            'Salesforce customers: Audit OAuth integrations '
                            '(e.g., Drift) and monitor for IoCs.',
                            'Airlines: Expect GDPR fines and customer '
                            'compensation claims (e.g., Air France/KLM, '
                            'Qantas).',
                            'Government agencies: Assess exposure of employee '
                            'data (e.g., FBI, DHS records in Cisco breach).',
                            'Advertising partners: Review Google AdWords '
                            'account security for compromised credentials.'],
 'threat_actor': ['Trinity of Chaos',
                  'Lapsus$',
                  'Scattered Spider',
                  'ShinyHunters',
                  'UNC6040',
                  'UNC6395',
                  '1973cn'],
 'title': 'Trinity of Chaos Ransomware Collective Data Leak Site (DLS) '
          'Disclosure',
 'type': ['Data Breach', 'Ransomware', 'Data Exfiltration', 'Extortion'],
 'vulnerability_exploited': ['Salesforce Instance Misconfiguration',
                             'Salesloft’s Drift AI Chat Integration (OAuth '
                             'Token Theft)',
                             'Unpatched Systems (Historical)',
                             'Human Error (Phishing/Vishing)']}