Qantas data breach exposes millions of customers

"It does nothing to stop criminals from sharing the data," said Troy Hunt, a cybersecurity expert.

SYDNEY: Australian airline Qantas has confirmed that personal data from 5.7 million customers, stolen in a cyberattack earlier this year, has now been leaked online. The breach is part of a wider global incident affecting several major companies, including Disney, Google, IKEA, Toyota, McDonald’s, and airlines Air France and KLM.

The cyberattack targeted software provider Salesforce, which was used by Qantas and other firms for customer management. Salesforce acknowledged it was aware of recent extortion attempts by cybercriminals, though it has not confirmed the full extent of the data leak.

Qantas revealed in July that hackers had infiltrated one of its customer contact centres, gaining access to a third-party system later identified as Salesforce. The compromised data includes customer names, email addresses, phone numbers, dates of birth, and frequent flyer details. In some cases, home or business addresses, gender, and meal preferences were also exposed.

The airline assured that no credit card information, financial data, or passport details were affected. It has since obtained a legal injunction from the Supreme Court of New South Wales to prevent the stolen data from being accessed or distributed. However, cybersecurity experts remain skeptical about the effectiveness of such legal measures.

“It does nothing to stop criminals from sharing the data,” said Troy Hunt, a cybersecurity expert. “It has little impact beyond Australia and offers no real protection.”

Google responded to inquiries by referencing a previous statement confirming that one of its corporate Salesforce servers had been targeted. The company said it had completed an impact analysis and notified potentially affected businesses.

Cybersecurity researchers have linked the attack to a group known as Scattered Lapsus$ Hunters. According to Unit 42, a research organization, the group claimed responsibility for breaching Salesforce customer systems and demanded ransom payments, reportedly setting an October 10 deadline.

Experts believe the hackers used social engineering tactics, impersonating trusted personnel to manipulate customer support staff into granting access. The FBI recently issued a warning about such techniques, noting their effectiveness despite relying on basic deception rather than advanced technical exploits.

The Qantas breach follows a series of high-profile cyber incidents in Australia, raising concerns about the country’s data protection standards. Last year, the airline faced criticism after a mobile app glitch exposed passenger details. In 2023, operations at major ports were disrupted when hackers infiltrated systems belonging to DP World, which handles nearly 40 percent of Australia’s freight trade.

As investigations continue, the incident underscores the growing threat of cybercrime and the urgent need for stronger safeguards across both public and private sectors.