The saga for Qantas began on June 30, when cyber-criminals accessed nearly 6 million customer accounts through a third-party vendor at a Qantas call centre in Manila. A week later, Qantas was approached by what it labelled a “potential” cybercriminal.
The airline later confirmed that 5.7 million customers had their information accessed, including name, phone numbers, business phone numbers, addresses and even the food preferences of thousands of travellers. It revealed later that the “majority” of a subset of 2.8 million customer records had frequent flyer information, including the level of Qantas membership accessed.
Rather than directly hacking Salesforce’s systems – which remain secure – the hackers exploited the human element. Using voice phishing calls, they convinced IT helpdesk staff to install what appeared to be legitimate software: a modified version of Salesforce’s Data Loader tool, which is normally used to bulk-import data.
Once installed, this Trojan horse gave hackers unfettered access to customer databases.
Qantas chief executive Vanessa Hudson.Credit: Oscar Colman
The Scattered Lapsus$ Hunters collective has already claimed responsibility for earlier attacks on British retailers including Marks & Spencer, Co-op and Jaguar Land Rover. Security researchers at Google’s Threat Intelligence Group warn the group has “proven particularly effective at tricking employees”.
The hackers’ technical infrastructure suggests ties to “The Com” – a loosely organised cybercriminal ecosystem comprising small, disparate groups known for increasingly brazen attacks and, in some cases, violent activity. British police arrested four suspects under 21 in July following the breaches targeting UK retailers.
Loading
Salesforce has told its clients it won’t pay the ransom. “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” a company spokesman told this masthead.
Sophos security researcher Aiden Sinnott warns the group’s October 10 deadline should be taken seriously. “A lot of what they post is intentional misinformation and trolling,” he said. “But they aren’t averse to leaking huge amounts of data.”
This comes at a sensitive time for the airline, given the prominent role its lounges have in catering to influential politicians, judges and policymakers.
Qantas has pursued a legal strategy of trying to minimise the legal public disclosure of the personal details of the affected customers, including the status as members of Qantas’ loyalty programs.
On October 2, Qantas received final orders from the NSW Supreme Court on an injunction against the hacking group, even though the exact details of their identity were unclear.
This legal strategy, while protecting the identity of victims, prevents media, social media and other lawful entities from publishing the sensitive information, even as it may be sold on the dark web to criminals.
The NSW judge suppressed the names of a Qantas expert, and the lawyers and barristers representing the airline in court, according to AAP.
The stolen data reportedly includes customer dates of birth, passport numbers and purchase histories.
Credit: Bloomberg
Clayton Utz partner James Neil said Qantas’ injunction is an example of where “litigation can be used to indirectly target parties”, in this case primarily media and social media platforms.
Loading
“I don’t think their main concern though is nefarious actors working through the dark web. It really is the larger organisations who might have a broader reach in publishing information.”
The airline, in a period of rebuilding public trust under CEO Vanessa Hudson, has taken pains to show it takes customer privacy seriously.
Hudson’s 2025 annual bonus was cut by 15 percentage points in September as a result of the impact the cyber incident had on customers. “This reflects their shared accountability while acknowledging the ongoing efforts to support customers and put in place additional protections for customers,” said chairman John Mullen.
Hudson’s short-term incentive plan was cut by $250,000, with $550,000 cut for all other executives.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
