On 12 October 2025, Qantas confirmed a massive data breach exposing personal details of **5.7 million customers** after hacker group **Scattered LAPSUS$ Hunters** leaked the data on the dark web. The attack targeted **Salesforce systems** used by Qantas between June and July 2025, following a failed ransom demand. Compromised data included **full names, email addresses, home/business addresses, dates of birth, phone numbers, gender, and frequent flyer details**, though **credit card data, passwords, and passport numbers remained secure**.

The breach was part of a broader campaign affecting **40+ global firms**, including Google, Disney, and Air France-KLM. While Qantas notified affected customers in July and implemented **24/7 support hotlines and identity protection services**, experts warned of **heightened risks of phishing, identity theft, and fraud**. Authorities emphasized the illegality of accessing the leaked data and urged vigilance against scams exploiting the exposed information.

The incident underscored vulnerabilities in third-party cloud providers and the cascading risks of **customer data leaks**, with criminals likely leveraging the details for **convincing impersonation scams** (e.g., fake refunds or flight rescheduling). Qantas claimed to have secured remaining data and strengthened defenses, but the long-term reputational and operational impacts remain significant.
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan5093150101325",
"linkid": "qantas",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '5,700,000',
'industry': 'aviation',
'location': 'Australia',
'name': 'Qantas',
'size': 'large (5.7 million customers affected)',
'type': 'airline'}],
'attack_vector': 'third-party compromise (Salesforce systems)',
'customer_advisories': ['Check for official emails from @qantas.com or '
'@qantas.com.au.',
'Use Qantas 24/7 hotline (1800 971 541 or +61 2 8028 '
'0534 for overseas).',
"Monitor 'Have I Been Pwned' for breach updates."],
'data_breach': {'data_exfiltration': 'yes (leaked on dark web)',
'number_of_records_exposed': '5,700,000',
'personally_identifiable_information': ['full names',
'email addresses',
'Frequent Flyer '
'numbers',
'home/business '
'addresses',
'dates of birth',
'phone numbers',
'gender'],
'sensitivity_of_data': 'high (PII, frequent flyer details)',
'type_of_data_compromised': ['personal identifiable '
'information (PII)',
'customer profiles']},
'date_detected': '2025-07-01',
'date_publicly_disclosed': '2025-10-12',
'description': 'On Sunday, 12 October 2025, Qantas confirmed that personal '
'data from more than five million customers had been leaked on '
'the dark web. The data breach followed a ransom threat from a '
'hacker group called Scattered LAPSUS$ Hunters after '
'Salesforce, a cloud software provider linked to Qantas, '
'refused to pay. The attack targeted customer data stored in '
'Salesforce systems used by Qantas between June and July 2025. '
'The breach was part of a larger campaign that hit more than '
'40 global firms, including Google, Disney, and Air '
'France-KLM. The stolen data includes full names, email '
'addresses, Frequent Flyer membership numbers, home/business '
'addresses, dates of birth, phone numbers, gender, and meal '
'preferences in limited cases. Credit card data, passport '
'numbers, and passwords were not exposed.',
'impact': {'brand_reputation_impact': 'high (quarter of Australian population '
'affected; potential loss of trust)',
'customer_complaints': 'expected surge due to scams',
'data_compromised': ['full names',
'email addresses',
'Frequent Flyer membership numbers',
'home addresses',
'business addresses',
'dates of birth',
'phone numbers',
'gender',
'meal preferences'],
'identity_theft_risk': 'high',
'operational_impact': 'increased scam risks (phishing, identity '
'theft, fraud)',
'payment_information_risk': 'none (credit card data and passwords '
'not exposed)',
'systems_affected': ['Salesforce cloud systems']},
'initial_access_broker': {'data_sold_on_dark_web': 'yes (leaked after ransom '
'deadline)',
'entry_point': 'Salesforce cloud systems '
'(third-party compromise)',
'high_value_targets': ['customer PII',
'Frequent Flyer program '
'data'],
'reconnaissance_period': 'June–July 2025 (data '
'targeted during this '
'period)'},
'investigation_status': 'ongoing (customer notifications completed; scam '
'warnings issued)',
'lessons_learned': 'Third-party vendor risks (Salesforce compromise); '
'importance of multi-factor authentication (MFA) and '
'customer education on scam prevention; need for proactive '
'monitoring of dark web for leaked data.',
'motivation': 'financial (ransom extortion)',
'post_incident_analysis': {'corrective_actions': ['Strengthened data security '
'and defenses.',
'Enhanced customer support '
'(24/7 hotline, identity '
'protection services).',
'Public awareness campaigns '
'on scam prevention.'],
'root_causes': ['third-party vendor vulnerability '
'(Salesforce)',
'failure to pay ransom leading to '
'data leak']},
'ransomware': {'data_exfiltration': 'yes (leaked after ransom deadline '
'passed)',
'ransom_demanded': 'yes (threatened leak if unpaid by 3 pm '
'AEDT, 11 October 2025)',
'ransom_paid': 'no (Salesforce refused)'},
'recommendations': ['Activate MFA on critical accounts (email, banking, '
'government).',
'Change passwords for Qantas and reused credentials; use '
'strong, unique passwords.',
'Verify legitimacy of communications (check sender '
'domains, avoid clicking suspicious links).',
'Monitor financial statements and credit reports for '
'unauthorized activity.',
'Report identity theft or scams to banks and the '
'Australian Cyber Security Centre.',
'Avoid searching for leaked data on the dark web (risk of '
'malware).'],
'references': [{'source': 'SBS News'},
{'source': 'The Guardian'},
{'source': 'Australian Cyber Security Centre (ACSC)'},
{'source': "RMIT University's Centre for Cyber Security "
'(Matthew Warren)'},
{'source': "CSIRO's Data61 (Dr. Marthie Grobler)"},
{'source': 'University of New South Wales (Arash Shaghaghi)'}],
'regulatory_compliance': {'regulatory_notifications': 'yes (Australian '
'government and '
'cybersecurity '
'authorities involved)'},
'response': {'communication_strategy': ['email notifications to affected '
'customers (July 2025)',
'public advisories via media',
'24-hour hotline',
'warnings against dark web searches'],
'containment_measures': ['securing remaining data',
'strengthening defenses'],
'incident_response_plan_activated': 'yes (immediate steps to '
'secure data and notify '
'customers)',
'law_enforcement_notified': 'yes (Australian government '
'involved)',
'remediation_measures': ['24/7 support hotline',
'identity protection services for '
'affected users']},
'stakeholder_advisories': 'Australian government (Cybersecurity Minister Tony '
'Burke) warned against accessing leaked data; urged '
'vigilance for scams.',
'threat_actor': 'Scattered LAPSUS$ Hunters',
'title': 'Qantas Data Breach Exposed Over 5 Million Customers',
'type': ['data breach', 'ransomware threat']}