Court records reveal details of communication between hackers and Qantas.
July 24, 2025
In large data breach incidents, affected organisations find that controlling the information flow is difficult. For starters, hackers post notices proclaiming their “achievements”. That is why a more open and transparent approach is best. Advise customers/clients/patients what has happened and provide as much information as can safely be given. It is when companies shut down communication or are obtuse, deliberately or otherwise, that problems arise. There are often internal leaks from disgruntled staff. There is often the appearance that there is something to hide. That gets the media interested. And sooner or later more information is found. Qantas’ poor communications after the data breach and generally average response are more about having no coherent data breach response plan or any real idea about how to communicate. It has become an art overseas.
What has come to light is further information about communications between Qantas and the hackers. Qantas provided notification of the data breach on 2 July. On 4 July it provided an update saying it had not been contacted by anyone. Sure enough, later that day the hackers sent Qantas 4 emails setting out the scope of the data breach. Qantas’ notices make no reference to any of that until 7 July, after receiving multiple emails from the hackers. Qantas did not respond to them, so the hackers emailed again on 7 July. Only then did Qantas respond. Then there was an exchange with Qantas sending 11 emails. The emails are heavily redacted, but little imagination is required to guess at what the hackers wanted to “resolve” the situation. Cyber Daily sets out the tortured process in “Qantas hack: Court documents reveal scope of communications between hackers and the Flying Kangaroo”. It is more common than one would think for companies to ignore communications from hackers, not appreciate that they are being contacted or, in some situations, not check their emails. Hackers will often make contact.
The Cyber Daily article provides:
A self-identified hacking “collective” made several attempts to open communications with Qantas before the airline responded.
Court documents obtained by Cyber Daily from the Supreme Court of NSW have shed new light on the timeline of events and on the initial attempts at communication by the hackers to contact Qantas.
The documents reveal that as Australia’s national carrier was engaging in its first steps to shape the narrative around a cyber attack that was about to impact millions of Australians, the hackers behind the attack were readying their own next moves.
Qantas first confirmed that one of its offshore offices hosting customer data in a third-party platform had been compromised on 2 July and that the initial incident of unauthorised access had occurred the day before, on Monday, 1 July.
On 4 July, at just after 6am, Qantas published another update on the incident, outlining its ongoing response and investigation into the incident, and noting that, at that time, “Qantas has not been contacted by anyone claiming to have the data, and we’re continuing to work with the government authorities to investigate the incident.”
First contact
However, later on that same day, the hackers sent Qantas several emails outlining the scope of the data impacted. The emails were provided by Qantas to the Supreme Court as part of its efforts to obtain an injunction against the publication or sharing of the stolen data.
Qantas received at least three emails on 4 July, all with the same subject line: “[CRITICAL – REPLY] Qantas Airways Limited Databreach/Cyberattack”. As provided to Cyber Daily, the emails are heavily redacted, but it appears the hackers identified themselves to Qantas.
“Hello, we are [REDACTED],” the email said.
“We’re contacting you to inform you that we’re the collective that’s behind the Qantas Airways Limited (qantas.com) databreach, one of the biggest in Australia’s history, close in the rankings of the Optus, Medibank, and Latitude hacks.”
The next sentence is entirely redacted, and following that, the hackers reveal the total count of compromised records (also redacted), and details of what they possess, namely full names and email addresses, phone numbers and dates of birth, and Frequent Flyer numbers. The hackers also warned they had “much more” than that, before saying: “We will provide large samples of the data below.”
What follows is almost nine pages of what appear to be lines of data, likely each corresponding to a single customer’s data, in much the same way hackers share sample data on hacking forums. This list is also redacted, and at the end of the email, the hackers provide a Tox address for initial contact.
The other letters are largely similar in content, though with the headers redacted, it’s impossible to know if they’re from the same individual and sent to the same Qantas representative, or from different members of the so-called collective, and sent to several contact points at the airline. All the emails include a 72-hour deadline to make contact.
What appears to possibly be a fourth email, or possibly a separate attachment, is entirely redacted, but it does appear to have both lines of text and, possibly, images, all obscured.
Qantas did not initially return the hackers’ emails, and on 7 July, the threat actor sent a follow-up.
Second attempt
Again, this email is heavily redacted, but it appears to be lengthier and may outline the consequences if Qantas does not enter into negotiations with the hackers.
“This is our second attempt at reaching out to resolve this matter,” the email said. The next four or so lines are redacted, but the email continues after that.
“At this time, no information has been disclosed or distributed,” the hackers said.
“If you are not the appropriate contact for this matter, please forward this message to someone with the authority to address confidential risk-related issues.”
What follows are more lines of redacted customer data, though the hackers do give Qantas another 72-hour deadline to respond. Still, the requested nature of that response is also redacted.
Reaching out
At this point, Qantas finally contacted the hackers, and while Qantas provided this correspondence to the court, the version provided to Cyber Daily is, understandably, almost completely redacted. All that’s readable is the subject line of the Qantas email reply, “Reaching out”.
In the exchange of emails that followed, a Qantas spokesperson sent a total of six emails after the first one, of varying lengths, while the airline received 11 in response, the last three all appearing to be without response from the airline.
In a description of the documents provided to the court, dated 16 July, Qantas said it had provided a “complete log of the email exchange between Qantas and the defendant between 4 and 15 July 2025”.
Qantas had revealed on the evening of 7 July that it had been in contact with “a potential cyber criminal” but that as the incident was an ongoing criminal matter, it “won’t be commenting any further on the detail of the contact”.
Qantas’ latest update, posted to its online News Room, said that investigations remained ongoing and that it was “progressively emailing affected customers”.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police,” Qantas CEO Vanessa Hudson said in the 9 July update.
“I would like to thank the various agencies and the federal government for their continued support.”
When contacted by Cyber Daily with questions regarding this correspondence, Qantas said it had no further comment at this time.