Australian airline Qantas has confirmed that the personal data of up to 5.7 million customers was stolen in a major cyberattack last month (12 September). Portions of the data have since been leaked onto the dark web and public internet.
The attack was carried out by the hacker group “Scattered LAPSUS$ Hunters,” which breached the systems of Salesforce, a third-party provider working with Qantas. The hackers demanded a ransom, threatening to release the stolen data if payment was not made. After Qantas and Salesforce refused to pay, the hackers publicly dumped large amounts of customer data on 11 October.
Leaked information includes names, emails, addresses, dates of birth, phone numbers, genders, and frequent flyer details, but no credit card numbers, passports, or passwords were compromised. Qantas stated that it is conducting a comprehensive investigation and has obtained a court injunction from the New South Wales Supreme Court prohibiting anyone from viewing, using, or sharing the stolen information.
According to The Sydney Morning Herald, the hackers did not directly break into Salesforce’s systems. Instead, they used social engineering tactics, impersonating legitimate employees and calling IT help desks to obtain login credentials. In Qantas’s case, the breach reportedly originated through a customer service centre in the Philippines. Salesforce reiterated that it does not negotiate or pay ransoms.
Australian Transport Minister Catherine King confirmed that she is among the victims and urged the public to change their passwords and enable two-factor authentication. Communications Minister Michelle Rowland said the federal government is strengthening privacy laws, giving more power to the Information Commissioner, and increasing penalties for companies that fail to protect customer data.
Qantas has since launched a dedicated helpline and identity protection service to help affected customers monitor and secure their personal information.