Cyber expert warns release of Qantas data on dark web amounts to opening virtual Pandora’s box
Cyber criminals who tricked a Manila call centre worker into sharing access have unleashed a massive data dump of Qantas customer information.
Qantas has confirmed a global cyber criminal group has come good on its threat to post information stolen from the airline’s Manila call centre database.
Scattered Lapsus$ Hunters is understood to have uploaded more than 150 gigabytes of data to the dark web late Saturday, after database provider Salesforce refused to pay a ransom.
The group had previously warned of “massive consequences” in the absence of payment.
Information stolen from several other companies including Gap, Fujifilm and Vietnam Airlines was also posted by the hackers on their dark web data leak site.
A New South Wales Supreme Court injunction granted to Qantas prevents third parties such as the media from accessing, viewing, releasing, using or publishing the stolen data, which includes personal details of 5.7 million customers.
However, senior staff research engineer at US cybersecurity firm Tenable, Satnam Narang, said the release of the data was the equivalent to “Pandora’s box” being opened.
“Now that the data is freely available, the stolen data is circulating, irrespective of the status of the data leak site,” said Mr Narang.
“Qantas customers whose data has been exposed in this breach may be more likely to receive follow-on social engineering attempts to potentially steal other types of data, or be used as part of other spam-related content targeting them via phone numbers and emails.”
A Qantas spokesman said they were investigating what data was part of the release with the help of cyber security experts.
“In July Qantas proactively advised all impacted customers of the types of their personal data that was contained in the impacted system and this has not changed,” the spokesman said.
The details stored on the affected database were customers’ names, birthdates, addresses, emails, phone numbers, frequent flyer numbers, status tier and points balances.
Qantas stressed that no passport details or financial information was present.
In the meantime, Qantas continued to work closely with Australian government agencies including the Australian cyber security centre and federal police.
Mr Narang said much of the data stolen from Qantas was likely “already in circulation due to data breaches from various institutions”.
“It is always generally wise for customers to remain sceptical about unsolicited text or email messages, whether related to their financial or banking institutions, as well as email, social media and other common accounts,” he said.
Salesforce has refused to engage or negotiate with the hackers, comprising of the groups Scattered Spider, Lapsus$ and ShinyHunters.
The multinational company was targeted after databases connected to a range of Salesforce customers were breached, including Disney, KLM, Air France and Google.
In the case of Qantas, the hackers used a “social engineering” method, posing as a senior airline employee to convince a call centre operator in Manila to share access with a database.
Salesforce insisted the breach was not due to “any known vulnerability” in the platform and encouraged all customers to follow security best practices to protect their data.
The Qantas spokesman said additional security measures had been put in place, “including increased training across our teams and strengthened system monitoring and detection since the incident occurred”.
In response to the hack, Qantas executives were docked 15 per cent of their short term bonus in the 2025 financial year. However, the board has made it clear they will face no further penalty in relation to the cyber incident.
More Coverage
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout