HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Qantas confirms 5.7 million customers affected in Salesforce-linked data breach

Written by Lusanda Molefe | Oct 17, 2025 12:41:33 PM

Australian airline Qantas has confirmed that personal data from 5.7 million customers was leaked on the dark web after cybercriminals breached a third-party Salesforce platform used by the carrier's Manila-based call center. The October 12 data dump by hacker collective Scattered Lapsus$ Hunters followed failed ransom demands targeting dozens of global companies including Disney, Google, IKEA, Toyota, and other airlines, marking one of 2025's largest corporate data breaches and raising serious questions about third-party vendor security in the aviation industry.


What happened

On June 30, 2025, hackers gained unauthorized access to Qantas customer data by using social engineering tactics against a Manila-based call center operator managing the airline's Salesforce customer service platform. The cybercriminals, operating as Scattered Lapsus$ Hunters, reportedly convinced staff to grant system access by impersonating IT personnel through a technique known as "vishing" or voice phishing.

Despite Qantas obtaining a Supreme Court of New South Wales injunction in July prohibiting the data's publication or distribution, the hackers released the information on October 12 after their ransom deadline passed. The criminals marked the data as "leaked" on dark web forums with the message: "Don't be the next headline, should have paid the ransom." The breach represents part of a coordinated campaign targeting over 40 companies worldwide that use Salesforce platforms, with the stolen data reportedly totaling around one billion customer records globally.


The intrigue

The attack reveals sophisticated coordination among cybercriminals who favour psychological manipulation over technical exploits. Rather than breaching Salesforce's infrastructure directly, Scattered Lapsus$ Hunters exploited the human element - call center workers trained to be helpful. By posing as legitimate IT staff, they obtained credentials that provided sweeping access to customer databases across multiple corporations.


Why it matters

This breach exposes critical vulnerabilities in global supply chains where companies entrust sensitive customer data to offshore vendors with potentially weaker security protocols. For the quarter of Australia's population potentially affected, the exposed information creates lasting risks: while passwords can be changed, dates of birth and addresses remain permanently compromised, enabling convincing phishing campaigns for years to come.


What they're saying

Federal Cyber Security Minister Tony Burke warned affected customers to remain vigilant against scammers, advising: "If you're getting a call you're not expecting, hang up, call back through the official line." The sophistication of the attack drew attention from cybersecurity researcher Troy Hunt, who noted that the hackers' success came through manipulation rather than technical prowess: "They have been very effective. And it hasn't been using any sophisticated technical exploits... they have exploited really the oldest tricks in the books." Dr. Marthie Grobler from CSIRO's Data61 stressed specific risks for frequent flyers, warning that stolen details "could be used to make fake refund or flight rescheduling scams more convincing." Meanwhile, Salesforce maintained its stance against negotiating with cybercriminals, with a spokesperson insisting the company "will not engage, negotiate with, or pay any extortion demand."


What's next

Maurice Blackburn law firm has lodged a complaint with Australia's Office of the Information Commissioner alleging privacy law violations, potentially triggering a class action lawsuit. Under current regulations, Qantas faces maximum penalties of AU$50 million or 30% of turnover - whichever is greater - marking a significant escalation from previous data breach cases.


More about Scattered Lapsus$ Hunters

Scattered Lapsus$ Hunters emerged as a formidable cyber extortion group specializing in social engineering attacks against corporate targets. Unlike traditional ransomware operators who encrypt systems, this collective focuses exclusively on data theft and extortion, using sophisticated psychological manipulation to breach security through human vulnerabilities rather than technical exploits.

The group has demonstrated remarkable success rates by exploiting the service industry's customer-first mentality, where support staff are trained to be helpful and accommodating. Their campaigns usually involve extensive research to identify vendor relationships, followed by coordinated vishing attacks where multiple operators work together to create believable scenarios that convince employees to bypass security protocols.

Security researchers note the group's professional approach includes detailed playbooks for different industries, native-speaker operators for various regions, and sophisticated data handling infrastructure capable of processing terabytes of stolen information. Their willingness to follow through on publication threats - as demonstrated in the Qantas case - gives them significant leverage over victims who cannot afford public data exposure.


Intelligence firm Unit 42 characterizes their operation as "a coordinated effort to steal data and hold it for ransom," with the group maintaining strict deadlines and professional communication channels. Their October 10 ultimatum to affected companies demonstrated their business-like approach to cybercrime, treating data theft as a commercial enterprise with clear terms and consequences for non-payment.


FAQs

What is social engineering?

Social engineering is a manipulation technique where attackers trick people into revealing confidential information or granting system access.


What is vishing?

Vishing (voice phishing) involves fraudulent phone calls where criminals impersonate legitimate organizations to steal sensitive information.


What is a data dump?

A data dump occurs when cybercriminals publish stolen information publicly, typically on dark web forums.


What is the dark web?

The dark web comprises hidden internet sites accessible only through specialized browsers like Tor. Cybercriminals use these platforms to sell stolen data, communicate anonymously, and operate leak sites beyond law enforcement's easy reach.