Personal data of around five million Qantas passengers has surfaced on the dark web after the airline fell victim to a massive ransomware attack. The cybercriminal group, Scattered Lapsus$ Hunters, released the data publicly when their ransom demands went unmet.
The hackers uploaded the stolen files on Saturday, tagging them as “leaked” and warning, “Don’t be the next headline, should have paid the ransom.”
The compromised information reportedly includes email addresses, phone numbers, dates of birth, and frequent flyer membership details from Qantas’ customer records. However, the airline confirmed that no financial data, credit card details, or passport numbers were exposed in this breach.
The cyberattack is part of a larger global campaign that has impacted 44 organisations worldwide, with up to a billion customer records potentially compromised. The infiltration occurred through a Salesforce database breach in June, extending from April 2024 to September 2025.
Cyber intelligence
expert Jeremy Kirk from Intel 471 said the attackers are a long-established criminal network with members operating across the US, UK, and Australia.
He noted: “This particular group is not a new threat; they've been around for some time.”
Kirk added: “They're very skilled in knowing how companies have connected different systems together.”
Major global brands such as Gap, Vietnam Airlines, Toyota, Disney, McDonald’s, Ikea, and Adidas were also affected by the same campaign.
While Qantas customers’ financial data was not exposed, experts have warned that the leaked personal details could be exploited for identity theft and phishing scams.
Kirk cautioned: “These days, a lot of threat groups are now generating personalised phishing emails.”
He continued: “They're getting better and better at this, and these types of breaches help fuel that underground fraudster economy.”
Qantas has since launched a 24/7 customer support line and provided specialist identity protection assistance to those affected.
A company representative stated, “We continue to offer a 24/7 support line and specialist identity protection advice to affected customers.”
In July, Qantas secured a permanent court order from the NSW Supreme Court to block any unauthorised access, sharing, or publication of the stolen data.
Salesforce, whose database was infiltrated, confirmed that it would not negotiate or pay ransom demands, stating: “We will not engage, negotiate with, or pay any extortion demand.” The company also clarified that its platform itself remained uncompromised and that it continues to work closely with affected clients.
A Qantas spokesperson added: “With the help of specialist cyber security experts, we are investigating what data was part of the release.”
They continued: “We have also put in place additional security measures, increased training across our teams, and strengthened system monitoring and detection since the incident occurred.”
