Threat actors have published the personal information of millions of Qantas Airways customers on the dark web following the airline’s July cyberattack, which stemmed from a compromise of a third-party platform linked to Salesforce. Qantas confirmed on Sunday that it was among several global companies whose stolen data had been released by cybercriminals.
Almost six million Qantas customers were affected by the breach, which exposed names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. The incident is now being regarded as one of the largest and most high-profile cyberattacks in Australia’s aviation history.
Attackers Exploit Salesforce-Linked Systems in Global Data Leak
Qantas stated that the attackers gained access to data through a third-party platform connected to its systems. Similar intrusions have impacted other multinational firms using Salesforce-linked integrations, including Disney, Google, IKEA, Toyota, McDonald’s, and airlines Air France and KLM.
Despite the scale of the exposure, the airline clarified that no financial information, passwords, or identity documents were compromised.
“Passwords, PINs, and login details were not accessed or compromised,” Qantas said in an official statement. “No identity documents, credit card numbers, or personal financial details were accessed or compromised as a result of the incident.”
The company emphasized that while payment data remains secure, the stolen information could still be exploited for phishing and social engineering campaigns. With millions of records containing names and contact details now circulating online, security analysts warn that Qantas customers may be targeted by highly convincing scam attempts impersonating the airline or related partners.
Legal Actions, Court Injunctions, and Hacker Ultimatums
To prevent the spread of the stolen data, Qantas has taken the unusual step of obtaining an injunction from the New South Wales Supreme Court. The order prohibits any third parties from accessing, viewing, or publishing the compromised data. While such legal measures cannot erase data from the dark web, they provide a framework for pursuing individuals or entities that interact with or distribute the stolen material.
In response to the attackers’ ransom demands, Qantas has also filed a lawsuit against “persons unknown.” The case encompasses anyone involved in the theft, ransom communications, or dissemination of the leaked data.
The hacker collective behind the incident, known as Scattered Lapsus$ Hunters, had reportedly threatened to release stolen data from over 40 Salesforce-connected companies unless ransom payments were made. The group set a public deadline of 3 p.m. AEDT on Saturday for payment compliance.
When the ransom demand went unmet, the attackers followed through on their threat. According to The Guardian, the hackers marked the Qantas data as “leaked” and posted a message reading: “Don’t be the next headline, should have paid the ransom.”
Salesforce, whose systems were indirectly linked to the attack, reiterated its firm stance against ransom payments. “Salesforce will not engage, negotiate with, or pay any extortion demand,” the company said in a public statement.
“We are working with cybersecurity experts to determine exactly what information was exposed and will continue to support customers affected by this global incident,” a Qantas spokesperson stated.
Expert Confirms Qantas Data Leak on the Dark Web
Cybersecurity researcher Troy Hunt, founder of Have I Been Pwned, confirmed that Qantas customer data is now circulating on dark web marketplaces. Hunt noted that, so far, the hackers appear to have released information from six companies, including Qantas, but may hold additional datasets from other global enterprises.
“The data is legitimate and contains customer identifiers consistent with what Qantas would store,” Hunt said. “While payment data wasn’t exposed, the level of personal detail is still significant.”
Experts are warning that the leaked data could have long-term repercussions for affected individuals. Threat actors could use the exposed information to conduct spear-phishing, identity theft, or fraudulent loyalty program redemption attempts.
Australian regulators are also monitoring the situation closely. Under the Notifiable Data Breaches scheme, Qantas may be required to report full details of the breach to the Office of the Australian Information Commissioner (OAIC) once the scope of the leak is fully confirmed.
The incident highlights growing risks within cloud-connected enterprise ecosystems, where third-party service integrations create expanded attack surfaces. With major corporations worldwide now implicated in the same breach, investigators suspect that Scattered Lapsus$ Hunters exploited a common supply chain vulnerability within Salesforce-linked systems.
As Qantas continues its forensic analysis, the airline has urged customers to remain vigilant against suspicious communications, emphasizing that it will never request personal or payment information via unsolicited messages. The company has not disclosed whether it received a direct ransom demand before the data release but maintains that it will not pay or negotiate with extortionists.
The Qantas breach underscores the rising threat of coordinated extortion campaigns targeting interconnected corporate platforms. It also serves as a warning for organizations relying heavily on third-party infrastructure to implement stricter vendor security assessments and continuous monitoring.
