Scattered Spider, Lapsus$ and ShinyHunters combine to threaten Qantas with exposure of stolen data unless a ransom is paid by Friday

October 9, 2025

Ransomware attacks can be protracted, expensive and deeply uncomfortable affairs, as Qantas is discovering, with the collective known as Scattered Lapsus$ Hunters threatening to publish data stolen from Qantas online unless it is paid a ransom. The sum of the ransom is not disclosed. It is reported in The Australian with "Cyber hackers threaten to release stolen Qantas data in ransom demand". It is also reported by the ABC with the audio story "Qantas facing ransom deadline" and "Qantas says ‘legal protections in place’ as cyber hacking group threatens to release personal data". Qantas has gone to extraordinary lengths, not only to get an injunction but also to obtain a non-publication order over its solicitors.

That the hackers have paid no heed to the permanent injunction is hardly a surprise. The question is whether it is more broadly effective. It may give pause to those who are inquisitive but conservative and law abiding. It will have no effect on those who wish to use the personal information for criminal ends or those who belong to the younger groups who want to see what the fuss is about.

The Australian article provides:

Three hacker groups are collaborating behind a threat to release sensitive data stolen in the cyber attack on Qantas unless a ransom is paid by Friday.

Known as Scattered Lapsus$ Hunters, the collective includes the groups Scattered Spider, Lapsus$ and ShinyHunters, all of which have been involved in high-profile breaches. They directed their ultimatum at the enterprise software company Salesforce, which is used by blue-chips like Disney, Google, Toyota, Ikea and McDonalds for managing customer databases. All of those companies are caught up in the shakedown.

The criminal group released samples of stolen data on the dark web on Tuesday with its threat to escalate the dump if Salesforce refuses to comply.

A spokesman for the software provider said Salesforce would “not engage, negotiate with or pay any extortion demand”.

The data leak site claimed to have 153 gigabytes worth of Qantas data in its possession, representing the personal details of 5.7 million customers stolen from the airline’s Manila call centre, according to senior staff research engineer at Tenable, Satnam Narang.

Despite briefly disappearing on Wednesday afternoon, within hours the site had reappeared with threats of exposure in the event Salesforce failed to cough up.

The data stolen from Qantas’ customer database includes names, phone numbers, email addresses and postal addresses, dates of birth, meal preferences and frequent flyer numbers.

In an effort to protect the data post-hack, Qantas obtained an ongoing injunction from the NSW Supreme Court to prevent the information being accessed or transmitted by anyone, including third parties such as the media.

The Salesforce spokesman said it was monitoring the situation, and encouraged customers to remain vigilant against phishing and social engineering attempts.

“Our investigations indicate these (latest) extortion attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” he said.

Aiden Sinnott, a security researcher at Sophos Counter Threat Unit, said it was difficult to second guess the group claiming responsibility, because a lot of what it posted was “intentional misinformation, mischief and trolling”.

“It is hard to predict what will happen on the 10th (of October),” Mr Sinnott said.

“They aren’t averse to leaking huge amounts of data, so if they do have Qantas data I wouldn’t be surprised if they leaked it.”

Mr Narang said the groups concerned should be taken seriously.

“There are certainly some cybercriminal groups that take previously leaked stolen breach data and repackage it to put pressure on organisations to pay ransom demands,” said Mr Narang.

“However many of the major cybercriminal groups operating today are capable of conducting these social engineering attacks, obtaining massive troves of data with the intention to extort these businesses to the tune of hundreds of thousands to millions of dollars.”

People caught up in the Qantas attack have experienced an increased rate of targeted cyber scams, including emails offering cash back for frequent flyer points nearing expiry.

Qantas continued to work closely with government agencies and the Australian Cyber Security Centre to investigate the hack, previously linked to Scattered Spider.

“Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities,” a Qantas spokeswoman said.

“We continue to offer a 24/7 support line and specialist identity protection advice to affected customers. We have also put in place additional security measures, increased training across our teams, and strengthened system monitoring and detection since the incident occurred.”

Qantas executives had their short-term bonuses cut by 15 per cent in the 2025 financial year, in recognition of the seriousness of the breach.

For chief executive Vanessa Hudson, that amounted to a $250,000 penalty, reducing her total pay for the year to June 30 to $6.3m.

Although Qantas has stopped short of providing compensation to customers, frequent flyers were rewarded with at least 40 status credits in August following the airline’s announcement of a $2.39bn profit.

Maurice Blackburn has taken the first steps towards a class action against Qantas over the cyber breach, filing a complaint with the Office of the Information Commissioner.
