Cybercriminals exploited a third-party call center in June 2023 to gain unauthorized access to Qantas’ customer data. After stealing over **5 million records** (153GB) containing **names, email addresses, phone numbers, birth dates, and Qantas Frequent Flyer numbers**, the hackers demanded a ransom. When Qantas refused to comply—citing legal protections from an injunction—the attackers leaked the data on both the **dark web and open internet** on **October 7, 2023**. Initially sold for **$27** on a hacking forum, the dataset was later distributed for free. While **no credit card details, passports, or login credentials** were compromised, the exposed personal information poses risks of **identity theft, phishing, and fraud**. The leaked data was confirmed as legitimate by cybersecurity expert **Troy Hunt**, who found his own family’s data in the leak. Qantas continues investigations with the **Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP)** and is offering identity protection services to affected customers. The incident is part of a broader campaign by the **Scattered Lapsus$ Hunters (SLSH)** group, which explicitly targeted Australian businesses, declaring a 'war' on the country’s organizations.
Source: https://ia.acs.org.au/article/2025/qantas-customer-data-leaked-to-dark-web.html
TPRM report: https://www.rankiteo.com/company/qantas
{
  "id": "qan3602036101325",
  "linkid": "qantas",
  "type": "Ransomware",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '5,000,000',
'industry': 'Aviation/Transportation',
'location': 'Australia (Headquarters: Sydney, NSW)',
'name': 'Qantas Airways',
'size': 'Large (29,000+ employees, ASX-listed)',
'type': 'Airline'}],
'attack_vector': ['Third-Party Call Center Exploit',
'Voice Phishing (UNC60400)',
'Dark Web Data Dump'],
'customer_advisories': ['24/7 Support Line',
'Identity Protection Services',
'Encouragement to Monitor for Scams'],
'data_breach': {'data_encryption': 'No (data published in raw format)',
'data_exfiltration': 'Yes (153GB dumped to dark web and '
'clear-web forums)',
'number_of_records_exposed': '5,000,000',
'personally_identifiable_information': ['Full Names',
'Email Addresses',
'Phone Numbers',
'Dates of Birth',
'Frequent Flyer '
'Numbers'],
'sensitivity_of_data': 'Moderate (no financial/password data, '
'but PII + family links exposed)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Loyalty Program Data']},
'date_detected': '2023-06',
'date_publicly_disclosed': '2023-10-07',
'description': 'Cybercriminals published 153GB of alleged Qantas customer '
'data (5 million records) on the dark web and open internet '
'after the airline refused to comply with ransom demands. The '
'breach originated from a third-party call center exploit in '
'June 2023, with data including names, email addresses, phone '
'numbers, birth dates, and Qantas Frequent Flyer numbers. No '
'financial data, passports, or login credentials were '
'compromised. The leak was part of a broader campaign by the '
'Scattered Lapsus$ Hunters (SLSH) group targeting Salesforce '
'customers, though Qantas was one of only six victims whose '
'data was ultimately released. The group declared a specific '
'focus on Australian businesses, citing retaliation for past '
'incidents like the 2022 Optus breach.',
'impact': {'brand_reputation_impact': 'High; publicized leak of 5M records, '
'including high-profile individuals '
'(e.g., Troy Hunt), with potential '
'long-term trust erosion',
'customer_complaints': 'Reported concerns from affected customers '
'(e.g., Troy Hunt confirmed personal/family '
'data exposure)',
'data_compromised': ['Customer Names',
'Email Addresses',
'Phone Numbers',
'Birth Dates',
'Qantas Frequent Flyer Numbers'],
'identity_theft_risk': 'Moderate (PII exposed but no '
'financial/password data)',
'legal_liabilities': ['NSW Supreme Court Interim Injunction (July '
'2023)',
'Potential GDPR/Privacy Act Violations',
'AFP/FBI Investigation'],
'operational_impact': 'Ongoing investigation and customer support '
'operations; legal injunctions to mitigate '
'data spread',
'payment_information_risk': 'None (no credit card or financial '
'data compromised)',
'systems_affected': ['Third-Party Call Center Platform',
'Customer Management System (Salesforce '
'Instance)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (initially for ~$27 '
'on clear-web forum, later '
'free on dark web)',
'entry_point': 'Third-Party Call Center (linked to '
'Salesforce customer management '
'platform)',
'high_value_targets': ['Qantas Frequent Flyer '
'Program Data',
'Customer PII'],
'reconnaissance_period': 'Likely months (UNC60400 '
'voice phishing campaigns '
'targeted Salesforce '
"customers for 'several "
"months' per Google GTIG)"},
'investigation_status': 'Ongoing (Qantas collaborating with ACSC/AFP; data '
'legitimacy confirmed by third parties)',
'motivation': ['Financial Gain (Ransom Extortion)',
'Retaliation Against Australian Businesses',
'Reputation Damage'],
'post_incident_analysis': {'root_causes': ['Third-Party Vendor Security '
'Weaknesses',
'Voice Phishing Vulnerabilities '
'(UNC60400)',
'Inadequate Data Segmentation (PII '
'accessible via call center)']},
'ransomware': {'data_encryption': 'No (data exfiltrated but not encrypted on '
'Qantas systems)',
'data_exfiltration': 'Yes (153GB)',
'ransom_demanded': 'Yes (amount undisclosed; deadline: '
'2023-10-10)',
'ransom_paid': 'No'},
'references': [{'date_accessed': '2023-10', 'source': 'ABC News Australia'},
{'date_accessed': '2023-10-09', 'source': 'Information Age'},
{'date_accessed': '2023-10-07',
'source': 'Have I Been Pwned (Troy Hunt)',
'url': 'https://haveibeenpwned.com'},
{'date_accessed': '2023-10-10',
'source': 'Scattered Lapsus$ Hunters (SLSH) Telegram Channel'},
{'date_accessed': '2023-10-09',
'source': 'Australian Federal Police (AFP) Advisory',
'url': 'https://www.cyber.gov.au/report'}],
'regulatory_compliance': {'legal_actions': ['NSW Supreme Court Interim '
'Injunction (July 2023)',
'AFP/FBI Investigation'],
'regulations_violated': ['Potential: Australian '
'Privacy Act 1988',
'Potential: GDPR (for EU '
'customers)'],
'regulatory_notifications': ['Australian Cyber '
'Security Centre '
'(ACSC)',
'Australian Federal '
'Police (AFP)']},
'response': {'communication_strategy': ['Public Statements (via ABC, '
'Information Age)',
'Website Updates',
'Direct Customer Notifications (via '
'email/support line)'],
'containment_measures': ['Legal Injunction to Block Data '
'Access/Release',
'Dark Web Monitoring'],
'enhanced_monitoring': 'Likely (given collaboration with '
'ACSC/AFP)',
'incident_response_plan_activated': 'Yes (collaboration with '
'ACSC, AFP, and '
'cybersecurity experts)',
'law_enforcement_notified': 'Yes (AFP, FBI involved; NSW Supreme '
'Court injunction obtained)',
'recovery_measures': ['24/7 Support Line for Customers',
'Ongoing Updates via Qantas Website'],
'remediation_measures': ['Investigation into leaked data scope',
'Identity protection services for '
'affected customers'],
'third_party_assistance': ['Australian Cyber Security Centre '
'(ACSC)',
'Australian Federal Police (AFP)',
'Specialist Cybersecurity Experts '
'(unnamed)']},
'stakeholder_advisories': 'Qantas website updates; ACSC/AFP public warnings '
'about scams',
'threat_actor': ['Scattered Lapsus$ Hunters (SLSH)', 'UNC60400'],
'title': 'Qantas Customer Data Leak via Third-Party Call Center Exploit',
'type': ['Data Breach',
'Ransomware Extortion',
'Third-Party Vendor Compromise'],
'vulnerability_exploited': 'Unspecified vulnerability in third-party call '
'center platform (linked to Salesforce customer '
'management instances)'}