Cyber hackers threaten to release stolen Qantas data in ransom demand
Hackers claim to possess 153 gigabytes of stolen Qantas customer data and have given Salesforce until Friday to pay up before releasing everything.
Three hacker groups are collaborating behind a threat to release sensitive data stolen in the cyber attack on Qantas unless a ransom is paid by Friday.
Known as Scattered Lapsus$ Hunters, the collective includes the groups Scattered Spider, Lapsus$ and ShinyHunters, all of which have been involved in high-profile breaches. They directed their ultimatum at the enterprise software company Salesforce, which is used by blue-chips like Disney, Google, Ikea and McDonalds for managing customer databases. All of those companies are caught up in the shakedown.
The criminal group released samples of stolen data on the dark web on Tuesday with its threat to escalate the dump if Salesforce refuses to comply.
A spokesman for the software provider said Salesforce would “not engage, negotiate with or pay any extortion demand”.
The data leak site claimed to have 153 gigabytes worth of Qantas data in its possession, representing the personal details of of 5.7 million customers stolen from the airline’s Manila call centre, according to senior staff research engineer at Tenable, Satnam Narang.
Despite briefly disappearing on Wednesday afternoon, within hours the site had reappeared with threats of exposure in the event Salesforce failed to cough up.
The data stolen from Qantas’ customer database includes names, phone numbers, email addresses and postal addresses, dates of birth, meal preferences and frequent flyer numbers.
In an effort to protect the data post-hack, Qantas obtained an ongoing injunction from the NSW Supreme Court to prevent the information being accessed or transmitted by anyone, including third parties such as the media.
The Salesforce spokesman said it was monitoring the situation, and encouraged customers to remain vigilant against phishing and social engineering attempts.
“Our investigations indicate these (latest) extortion attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” he said.
Aiden Sinnott, a security researcher at Sophos Counter Threat Unit, said it was difficult to second guess the group claiming responsibility, because a lot of what it posted was “intentional misinformation, mischief and trolling”.
“It is hard to predict what will happen on the 10th (of October),” Mr Sinnott said.
“They aren’t averse to leaking huge amounts of data, so if they do have Qantas data I wouldn’t be surprised if they leaked it.”
Mr Narang said the groups concerned should be taken seriously.
“There are certainly some cybercriminal groups that take previously leaked stolen breach data and repackage it to put pressure on organisations to pay ransom demands,” said Mr Narang.
“However many of the major cybercriminal groups operating today are capable of conducting these social engineering attacks, obtaining massive troves of data with the intention to extort these businesses to the tune of hundreds of thousands to millions of dollars.”
People caught up in the Qantas attack have experienced an increased rate of targeted cyber scams, including emails offering cash back for frequent flyer points nearing expiry.
Qantas continued to work closely with government agencies and the Australian Cyber Security Centre to investigate the hack, previously linked to Scattered Spider.
“Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities,” a Qantas spokeswoman said.
“We continue to offer a 24/7 support line and specialist identity protection advice to affected customers. We have also put in place additional security measures, increased training across our teams, and strengthened system monitoring and detection since the incident occurred.”
Qantas executives had their short-term bonuses cut by 15 per cent in the 2025 financial year, in recognition of the seriousness of the breach.
For chief executive Vanessa Hudson, that amounted to a $250,000 penalty, reducing her total pay for the year to June 30 to $6.3m.
Although Qantas has stopped short of providing compensation to customers, frequent flyers were rewarded with at least 40 status credits in August following the airline’s announcement of a $2.39bn profit.
Maurice Blackburn has taken the first steps towards a class action against Qantas over the cyber breach, filing a complaint with the Office of the Information Commissioner.
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout