Qantas Airways is grappling with the aftermath of a significant cyberattack that has implicated nearly 40 major corporations. The hacker group, known as Scattered Lapsus$ Hunters, is threatening to release sensitive passenger data unless ransoms are paid by Friday. This attack has primarily targeted customers of the cloud technology giant, Salesforce.
The hackers have reportedly stolen close to one billion records through a technique called “vishing” or voice phishing, where they impersonate legitimate employees to deceive IT help desks into granting access. High-profile companies, including Qantas, Toyota, Disney, and Ikea, have been given a tight deadline to initiate ransom negotiations. The compromised data allegedly includes customer birth dates, passport numbers, and purchase histories collected between April 2024 and September 2025.
Qantas’ Response and Cybersecurity Measures
Qantas has acknowledged a post that contains samples of the stolen data from itself and about 40 other companies. The airline is actively monitoring the situation with the assistance of cybersecurity experts. “Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities,” the airline stated.
Qantas has implemented additional security measures, enhanced training for its teams, and strengthened system monitoring and detection since the incident occurred. The airline also offers a 24/7 support line and specialist identity protection advice to affected customers.
Background of the Cyberattack
The ordeal for Qantas began on June 30, when cybercriminals accessed nearly six million customer accounts through a third-party vendor at a Qantas call center in Manila. A week later, Qantas was approached by what it described as a “potential” cybercriminal. The airline later confirmed that 5.7 million customers had their information accessed, including names, phone numbers, addresses, and even food preferences.
Rather than directly hacking Salesforce’s systems, which remain secure, the hackers exploited human vulnerabilities. By using voice phishing calls, they convinced IT help desk staff to install a seemingly legitimate software—a modified version of Salesforce’s Data Loader tool. This Trojan horse provided hackers with unrestricted access to customer databases.
Broader Implications and Expert Opinions
The Scattered Lapsus$ Hunters collective has previously claimed responsibility for attacks on major British retailers, including Marks & Spencer, Co-op, and Jaguar Land Rover. Google’s Threat Intelligence Group warns that the group has “proven particularly effective at tricking employees.”
The hackers’ technical infrastructure suggests connections to “The Com,” a loosely organized cybercriminal ecosystem known for brazen attacks. In July, British police arrested four suspects under the age of 21 following breaches targeting UK retailers.
Salesforce has informed its clients it will not pay the cyber ransom. “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” a company spokesman stated.
Sophos security researcher Aiden Sinnott warns, “A lot of what they post is intentional misinformation and trolling, but they aren’t averse to leaking huge amounts of data.”
Legal and Strategic Responses
This cyberattack occurs at a sensitive time for Qantas, given the important role its lounges play in catering to influential politicians, judges, and policymakers. In response, Qantas has pursued a legal strategy to minimize public disclosure of affected customers’ personal details, including loyalty program statuses.
On October 2, Qantas secured final orders from the NSW Supreme Court for an injunction against the hacking group, despite the unclear details of their identity. This legal strategy, while protecting victim identities, restricts media and social platforms from publishing sensitive information, even as it may be sold on the dark web.
Clayton Utz partner James Neil commented, “Qantas’ injunction is an example of where litigation can be used to indirectly target parties, primarily media and social media platforms.”
Qantas, under CEO Vanessa Hudson, is in a period of rebuilding public trust. Hudson’s 2025 annual bonus was reduced by 15 percentage points due to the cyber incident’s impact on customers. “This reflects their shared accountability while acknowledging the ongoing efforts to support customers and put in place additional protections,” said chairman John Mullen.
As the deadline looms, the airline and other affected companies face pressure to negotiate or risk the exposure of sensitive data. The situation underscores the increasing sophistication of cyber threats and the critical importance of robust cybersecurity measures.
