A cyberattack targeting **Salesforce**, a third-party platform used by Qantas, exposed the personal data of **5.7 million customers**. The breach, linked to the **Scattered Lapsus$ Hunters** hacking group, relied on **social engineering**: attackers posed as IT staff to gain unauthorized access. Compromised data included **names, email addresses, phone numbers, dates of birth, frequent flyer details, and in some cases, home/business addresses, gender, and meal preferences**. While **no credit card, passport, or banking details** were leaked, the attackers are **holding the stolen data for ransom**, demanding payment by October 10, 2023. Qantas secured a **legal injunction in Australia** to prevent further dissemination of the data, though experts doubt its effectiveness outside the country. The incident is part of a **wider campaign** affecting other major brands such as Disney, Google, and Toyota, highlighting vulnerabilities in **shared cloud platforms** and the persistent threat of **ransomware-driven extortion**.
Source: https://techwireasia.com/2025/10/qantas-data-from-5m-customers-leaked-in-salesforce-breach/
TPRM report: https://www.rankiteo.com/company/qantas
"id": "qan5632856101325",
"linkid": "qantas",
"type": "Cyber Attack",
"date": "10/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '5.7 million',
'industry': 'Aviation',
'location': 'Australia',
'name': 'Qantas',
'size': 'Large',
'type': 'Airline'},
{'industry': 'Entertainment',
'location': 'Global',
'name': 'Disney',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Google',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Automotive',
'location': 'Global',
'name': 'Toyota',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Retail',
'location': 'Global',
'name': 'IKEA',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Food Service',
'location': 'Global',
'name': 'McDonald’s',
'size': 'Large',
'type': 'Corporation'},
{'industry': 'Aviation',
'location': 'France',
'name': 'Air France',
'size': 'Large',
'type': 'Airline'},
{'industry': 'Aviation',
'location': 'Netherlands',
'name': 'KLM',
'size': 'Large',
'type': 'Airline'}],
'attack_vector': 'Social Engineering (Impersonation of IT Staff/Trusted '
'Representatives)',
'customer_advisories': ['Qantas and Google Notified Affected '
'Customers/Partners'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '5.7 million (Qantas only; '
'others unspecified)',
'personally_identifiable_information': True,
'sensitivity_of_data': 'Moderate (No Financial/Passport Data, '
'but PII Exposed)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Frequent Flyer Information',
'Contact Details',
'Demographic Data (Gender, Meal '
'Preferences)',
'Addresses (Home/Business)']},
'date_detected': '2023-07-00',
'date_publicly_disclosed': '2023-10-00',
'description': 'A cyberattack on Salesforce exposed data from 5.7 million '
'Qantas customers, along with other global brands like Disney, '
'Google, Toyota, IKEA, McDonald’s, Air France, and KLM. The '
'attackers, identified as Scattered Lapsus$ Hunters, used '
'social engineering to gain access to third-party platforms '
'and are holding the stolen data for ransom. Personal details '
'such as names, email addresses, phone numbers, and dates of '
'birth were compromised, though no financial or passport '
'information was exposed. Qantas secured a legal injunction in '
'Australia to limit data spread, but its effectiveness outside '
'the country is questioned.',
'impact': {'brand_reputation_impact': 'High (Global Brands Affected, Public '
'Disclosure of Breach)',
'data_compromised': True,
'identity_theft_risk': 'Moderate (Personal Details Like Names, '
'Emails, Phone Numbers, DOBs Exposed)',
'legal_liabilities': 'Qantas Secured Injunction from Supreme Court '
'of New South Wales to Prevent Data '
'Publication/Sharing',
'payment_information_risk': 'None (No Credit Card, Passport, or '
'Banking Information Compromised)',
'systems_affected': ['Salesforce Customer Contact Centre '
'Platform']},
'initial_access_broker': {'entry_point': 'Salesforce Customer Contact Centre '
'(via Third-Party Platform)',
'high_value_targets': ['Customer Databases (PII)',
'Frequent Flyer Programs']},
'investigation_status': 'Ongoing (Cooperation with Australian Authorities; '
'Salesforce Aware of Extortion Attempts)',
'lessons_learned': 'The incident highlights the vulnerability of third-party '
'platforms (e.g., Salesforce) as single points of failure '
'for multiple organizations. Social engineering remains a '
'highly effective attack vector, exploiting human error '
'rather than technical flaws. Legal injunctions may have '
'limited efficacy in cross-border cybercrime cases.',
'motivation': 'Financial Gain (Ransom Extortion)',
'post_incident_analysis': {'root_causes': ['Social Engineering Exploits '
'(Impersonation of IT Staff)',
'Inadequate Access Controls for '
'Third-Party Platforms',
'Human Error (Employees Tricked '
'into Sharing Credentials)']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': ['Enhance employee training to recognize social '
'engineering tactics (e.g., impersonation scams).',
'Implement multi-factor authentication (MFA) and stricter '
'access controls for third-party platforms.',
'Conduct regular audits of third-party vendors’ security '
'practices.',
'Develop cross-border legal strategies to address data '
'breaches with global implications.',
'Improve incident response coordination among affected '
'entities in supply-chain attacks.'],
'references': [{'source': 'AFP (Agence France-Presse)'},
{'source': 'Troy Hunt (Cybersecurity Researcher)'},
{'source': 'Unit 42 (Cybersecurity Research Team)'},
{'source': 'FBI Warning on Salesforce Client Scams'},
{'source': 'CloudTech News (TechForge Media)',
'url': 'https://www.cloudcomputing-news.net/'}],
'regulatory_compliance': {'legal_actions': ['Qantas Secured Injunction from '
'Supreme Court of New South '
'Wales']},
'response': {'communication_strategy': ['Public Disclosure',
'Customer Notifications (e.g., Google '
'Notified Affected Partners)'],
'containment_measures': ['Legal Injunction to Prevent Data '
'Spread (Australia-Only)'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True},
'threat_actor': 'Scattered Lapsus$ Hunters',
'title': 'Salesforce Breach Exposes Data from 5.7 Million Qantas Customers '
'and Other Global Brands',
'type': ['Data Breach', 'Extortion', 'Social Engineering'],
'vulnerability_exploited': 'Human Error (Credential Sharing/System Access '
'Granted via Deception)'}