Qantas Airlines Cyberattack 2025: 5 Million Customer Records Leaked After Ransom Deadline

Oct 13, 2025

What Happened

In October 2025, Qantas Airways confirmed that customer data stolen earlier in the year had been made public by cybercriminals after a ransom deadline passed.

The original breach occurred in July 2025, when hackers accessed a third-party customer service / call center platform used by Qantas. The attackers exfiltrated data including names, email addresses, phone numbers, birth dates, physical addresses, and frequent flyer information.

Importantly, Qantas states that no financial data, passwords, or passport information were part of the breach.

After failing to secure a ransom payment by the attacker’s deadline, the hacker collective — known as Scattered Lapsus$ Hunters — began to publish the stolen records.

Qantas has since obtained a court injunction to block distribution, viewing, or use of the data.

Scope & Impact

  • The leaked data spans over 5 million customers.

  • Some customers’ records include highly sensitive personal information (addresses, dates of birth, contact numbers), while for others, only names and email addresses were exposed.

  • The breach is part of a wider cascade affecting around 40 companies globally via attacks tied to Salesforce platform dependencies.

  • Threat actors used social engineering / voice-phishing (“vishing”) targeting helpdesk staff to gain access — rather than exploiting software vulnerabilities in Salesforce directly.

Qantas Response & Measures

  • Qantas asserts it is cooperating with cybersecurity experts, law enforcement, and regulatory authorities to assess scale and contain further exposure.

  • It has maintained an ongoing court injunction preventing the stolen data from being accessed, viewed, published, or used.

  • The airline established 24/7 support lines and identity protection advisories for affected customers.

  • In an internal accountability move, Qantas reduced executive bonuses by 15% in the 2025 fiscal year to reflect the breach’s impact.

  • Qantas continues to stress that its core operations and safety systems remain unaffected.

Threat Actor & Motivation

  • The breach is attributed to Scattered Lapsus$ Hunters, a collaboration of hacking groups including Scattered Spider and ShinyHunters.

  • The group apparently targeted downstream service providers (e.g. third-party platforms) rather than Qantas’s core infrastructure.

  • After their ransom demand was unmet, they began publishing data in stages to pressure compliance.

Lessons & Implications

  1. Third-party risk is front and centre
    Qantas did not suffer a direct infrastructure breach; instead, the attack came through an external service provider used for customer operations. This underscores how supply chain and vendor risks can bypass traditional internal defenses.

  2. Social engineering remains potent
    Rather than using zero-day exploits, the attackers relied on deceiving human personnel (vishing) to gain access.

  3. Data leaks after missed ransom deadlines are real
    Even when companies refuse ransom demands, attackers may proceed to publish sensitive data.

  4. Legal injunctions have limited practical enforcement
    Blocking public dissemination might delay but cannot fully prevent leaks, especially in decentralized and anonymized digital environments.

  5. Transparency & customer trust are critical
    Swift notification, support, and visible accountability measures (e.g. executive bonus cuts) can help preserve trust.

  6. Proactive resilience & segmentation needed
    Stronger segmentation, stricter access controls, vendor oversight, and continuous monitoring of third-party systems must become standard defenses.

Final Word

The Qantas breach of 2025 is a stark reminder: in today's interconnected enterprise ecosystems, the weakest link is no longer just internal systems — it’s often the external ones we rely on. When attackers turn supply chains and SaaS dependencies into attack vectors, organizations must reframe their security posture. The question isn’t just if a vendor will be compromised, but when, and how quickly impact ripples across the entire ecosystem.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
