Peter A Clarke

The Scattered Lapsus$Hunters have followed through on their threat to publish data stolen from a range of targets of their Salesforce data breach. They published Qanta data on the dark web. It is reported widely, including by the Australian with Cyber expert warns release of Qantas data on dark web amounts to opening virtual Pandora’s box. It has also been covered by Nine News with Qantas to face scrutiny after personal data of 5.7 million customers released, minister says, the Guardian’s Hackers leak Qantas data containing 5 million customer records after ransom deadline passes and Australian Cyber Security Magazine’s Stolen Qantas Customer Records Surface on Dark Web to name but a few. The Government has predictably stated it will not negotiate with cyber criminals or pay ransoms. The thing is that its data was not stolen and it isn’t the subject of any demand. Qantas has released a statement. Maurice Blackburn has made a representative complaint to the Office of the Australian Information Commissioner alleging that Qantas has breached the Privacy Act 1988 in failing to adequately protect the personal information of its customers.

Qantas has placed significant store on the permanent injunction made by the New South Wales Supreme Court.  It will have some impact on media and those who may otherwise be inquisitive. It’s impact on cyber criminals who may wish to use personal information for social engineering or identity theft.

While Qantas is looking forward and recounting what additional security measures have been put in place the melancholy reality is that poor cyber security, in particular training, has put Qantas in this current predicament.  The sober reality is that many companies have inadequate security and woeful training of its staff and contractors.

The Qantas statement provides:

Qantas is one of a number of companies globally that has had data released by cyber criminals following a cyber incident in early July, where customer data was stolen via a third party platform. With the help of specialist cyber security experts, we are investigating what data was part of the release.  

Through the NSW Supreme Court, we have an ongoing injunction in place to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone, including third parties.

We have also put in place additional security measures, increased training across our teams and strengthened system monitoring and detection since the incident occurred.  

In July Qantas proactively advised all impacted customers of the types of their personal data that was contained in the impacted system and this has not changed.  

We will continue to share updates on qantas.com and through our 24/7 support line on 1800 971 541 or +61 2 8028 0534 where customers have ongoing access to specialist identity protection services. 

Qantas continues to work closely with Australian Government agencies, including the Australian Cyber Security Centre and the Australian Federal Police. 

We recommend that customers continue to remain vigilant to any misuse of their personal information: 

• • Remain alert, especially with email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas. Always independently verify the identity of the caller by contacting them on a number available through official channels; 

• • Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts; 

• • Stay informed on the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch webpage; 

• • Visit IDCARE’s Learning Centre and the Office of the Australian Information Commissioner website for further information and resources on protecting personal information; and 

• • Do not provide your online account passwords, or any personal or financial information. Qantas will never contact customers requesting passwords, booking reference details or sensitive login information. 

Customers who believe they have been targeted by scammers should report it to Scamwatch. 

The Australian article provides:

Scattered Lapsus$ Hunters is understood to have uploaded more than 150 gigabytes of data to the dark web late Saturday, after database provider Salesforce refused to pay a ransom.

The group had previously warned of “massive consequences” in the absence of payment.

Information stolen from several other companies including Gap, Fujifilm and Vietnam Airlines was also posted by the hackers on their dark web data leak site.

A New South Wales Supreme Court injunction granted to Qantas prevents third parties such as the media from accessing, viewing, releasing, using or publishing the stolen data, which includes personal details of 5.7 million customers.

However, senior staff research engineer at US cybersecurity firm Tenable, Satnam Narang, said the release of the data was the equivalent to “Pandora’s box” being opened.

“Now that the data is freely available, the stolen data is circulating, irrespective of the status of the data leak site,” said Mr Narang.

“Qantas customers whose data has been exposed in this breach may be more likely to receive follow-on social engineering attempts to potentially steal other types of data, or be used as part of other spam-related content targeting them via phone numbers and emails.”

A Qantas spokesman said they were investigating what data was part of the release with the help of cyber security experts.

“In July Qantas proactively advised all impacted customers of the types of their personal data that was contained in the impacted system and this has not changed,” the spokesman said.

The details stored on the affected database were customers’ names, birthdates, addresses, emails, phone numbers, frequent flyer numbers, status tier and points balances.

Qantas stressed that no passport details or financial information was present.

In the meantime, Qantas continued to work closely with Australian government agencies including the Australian cyber security centre and federal police.

Mr Narang said much of the data stolen from Qantas was likely “already in circulation due to data breaches from various institutions”.

“It is always generally wise for customers to remain sceptical about unsolicited text or email messages, whether related to their financial or banking institutions, as well as email, social media and other common accounts,” he said.

Salesforce has refused to engage or negotiate with the hackers, comprising of the groups Scattered Spider, Lapsus$ and ShinyHunters.

The multinational company was targeted after databases connected to a range of Salesforce customers were breached, including Disney, KLM, Air France and Google.

In the case of Qantas, the hackers used a “social engineering” method, posing as a senior airline employee to convince a call centre operator in Manila to share access with a database.

Salesforce insisted the breach was not due to “any known vulnerability” in the platform and encouraged all customers to follow security best practices to protect their data.

The Qantas spokesman said additional security measures had been put in place, “including increased training across our teams and strengthened system monitoring and detection since the incident occurred”.

In response to the hack, Qantas executives were docked 15 per cent of their short term bonus in the 2025 financial year. However, the board has made it clear they will face no further penalty in relation to the cyber incident.