Hackers leak Qantas data on 5M customers after ransom deadline passes

Hackers say they have leaked the personal records of 5 million Qantas customers on the dark web, after a ransom deadline set by the cybercriminals passed. The airline is one of more than 40 firms globally caught up in the hack, reported to contain up to 1 billion customer records. The hacker collective Scattered Lapsus$ Hunters released an extortion note on a data leaks site on the dark web last week, demanding payment in return for preventing the stolen data from being shared. The Qantas data, which was stolen from a Salesforce database in a major cyber-attack in June, included customers’ email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details. On Saturday the group marked the data as “leaked”, writing: “Don’t be the next headline, should have paid the ransom.” Sign up: AU Breaking News email Jeremy Kirk, the executive editor of Cyber Threat Intelligence, said 44 companies had been included in the leak including Gap, Vietnam Airlines, Toyota, Disney, McDonald’s, Ikea, and Adidas. He said the hacker group was well known and operated out of countries such as the US, UK and Australia. “This particular group is not a new threat; they’ve been around for some time,” Kirk said. “But they’re very skilled in knowing how companies have connected different systems together.” A Qantas spokesperson previously told Guardian Australia its priorities were “continued vigilance and providing ongoing support for our customers” after the June attack. “We continue to offer a 24/7 support line and specialist identity protection advice to affected customers,” the spokesperson said. A Salesforce spokesperson told Guardian Australia the company “will not engage, negotiate with, or pay any extortion demand”. There was no indication the Salesforce platform had been compromised, the company said via a statement. “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” it said. It is understood the global data was stolen between April 2024 and September 2025 and includes personal and contact information of the companies’ customers and employees, including dates of birth, purchase histories and passport numbers. “No company wants to see, you know, hundreds of thousands, or, millions of records of their customers just on the internet,” Kirk said. “That’s awful. It’s awful for the companies. It’s awful for the people affected.” In July, Qantas obtained an ongoing injunction from the NSW supreme court ensuring protections to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone, including third parties. Kirk said there was no financial data but criminals could potentially use leaked personal information to open credit cards. He said people should monitor their accounts for suspicious activity, and beware of scam emails that are personalised. “These days, a lot of threat groups are now generating personalised phishing emails,” he said. “They’re getting better and better at this – and these types of breaches help sort of fuel that economy, that underground fraudster economy.” Qantas has been contacted for comment.