Criminals behind the theft of personal data of over 5 million Qantas customers during a cyber attack earlier this year say all information will be posted online in four days, if demands are not met.
Some 153 gigabytes of Qantas data was stolen in the June 28 breach, in which a group of cyber criminals used social engineering techniques to trick a third-party customer service platform operated by a call centre in the Philippines into granting access to its systems.
Research from cybersecurity company UpGuard said that once access was granted, the threat actors would add a fraudulent integration into the Salesforce system, which gave the attackers administrative-level access to the systems and the ability to exfiltrate data.
The data stolen comprised almost six million Qantas accounts, including full names, addresses, emails, phone numbers, dates of birth and frequent flyer numbers.
The group that claimed responsibility for the attack is known as Scattered Lapsus$ Hunters.
It is believed to comprise threat actors from several high-profile cyber criminal groups, including Scattered Spider, ShinyHunters and Lapsus$.
The third-party platform involved in the breach was Salesforce, a San Francisco-based cloud software company focused on sales and customer service.
Qantas was one of 39 large companies listed as having had data stolen as a result of the Salesforce breach, which also included Adidas, Toyota, Disney and Google.
Now, the criminal group has taken to a newly created website to boast of its skills, warn Salesforce it must negotiate, and threaten that the data will be released publicly in the coming days.
On the website, the group lauds its skills in "high-value corporate data acquisition and strategic breach operations", and warns Salesforce to engage with it before October 10, the date on which it would publish the stolen data in full online.
"We highly advise you proceed into the right direction, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always," the website said.
"We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter."
"If Salesforce does not engage with us to resolve this, we will completely target each and every indiviual (sic) customers of theirs listed below, failure to comply will result in massive consequences.
"If we come to a resolution (with Salesforce) all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce."
It comes after Qantas last week was granted a six-month non-publication order over the names of solicitors working for the company on the matter by NSW Supreme Court Justice Francois Kunc.
"In relation to the lawyers (a non-publication order) might be... justifiable on the basis that the perpetrators have some temporary ire against the legal advisors," he said.
"It is depressing as it is obvious to observe that their attention will move on."
Justice Kunc said the perpetrators of the attack seemed to be "beyond our reach" and said hacking activities like the Qantas breach presented a "serious societal problem".
"The threat represented to our community, to our commerce, by these actors is very real."
That followed Qantas obtaining an interim injunction in the NSW Supreme Court to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone, including by third parties.
While injunctions like that stop the information being shared within Australia, they do little to stop its spread by the threat actors involved.
In fact, Scattered Lapsus$ Hunters didn't just ignore the injunction; they published all the court files showing Qantas' application for the injunction on a now-deleted Telegram channel.
Qantas executives had their annual bonuses, handed out in September, cut by 15 per cent because of the breach.
"While management took immediate action to contain the breach, support customers and put additional protections in place, in recognition of the seriousness of the incident, we decided to reduce 2024/25 short term bonuses by 15 percentage points for the CEO and executive management," Qantas Group chair John Mullen said.
That works out to a reduction of $250,000 in pay for Qantas chief executive Vanessa Hudson.
A statement from Salesforce said the company was "aware of recent extortion attempts by threat actors".
"Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," the statement said.
"At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology."
While the statement denies there had been an actual hack, it links to a March 2025 blog post on its own website detailing how companies can guard against social engineering-based cyber attacks - the very attack vector used in Scattered Lapsus$ Hunters' claimed breach.
Law enforcement from the nations comprising the Five Eyes Alliance had previously detailed the techniques used by the criminal group.
Authorities from the US, UK, Australia and Canada released a joint cybersecurity advisory in response to recent activity by Scattered Spider against commercial targets.
The advisory did not mention the Qantas breach by name but referred to activity in June which matched the reported techniques used in the Qantas breach.
The advisory said the group were known for using push bombing and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools and bypass multi-factor authentication (MFA).
Push bombing is a social engineering tactic used in cyberattacks where attackers flood a user with repeated MFA requests, overwhelming the user and tricking them into approving one of the prompts.
SIM swapping involves the cybercriminal convincing telecommunications carriers to transfer control of a targeted user’s phone number to a SIM card in their possession, gaining control over the phone and access to MFA prompts.
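The push-bombing pattern described above leaves a recognisable trace in MFA logs: a run of rejected or ignored prompts for one account, sometimes ending in an approval. The sketch below is an added example, not part of the original article or the advisory; the log format, the sample entries, the thresholds and the `detect_push_bombing` function are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log (assumed format): ISO time, user, push result.
SAMPLE_LOG = """\
2025-01-15T02:10:05 agent.one DENIED
2025-01-15T02:10:40 agent.one TIMEOUT
2025-01-15T02:11:15 agent.one DENIED
2025-01-15T02:11:50 agent.one TIMEOUT
2025-01-15T02:12:30 agent.one DENIED
2025-01-15T02:13:05 agent.one DENIED
2025-01-15T02:13:40 agent.one APPROVED
2025-01-15T09:00:00 agent.two DENIED
2025-01-15T09:00:20 agent.two APPROVED
"""

def parse(log):
    """Turn log text into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of unanswered prompts, and approvals that follow one."""
    unanswered = defaultdict(deque)  # user -> times of denied/timed-out prompts
    alerts = []
    for ts, user, result in sorted(events):
        pending = unanswered[user]
        while pending and ts - pending[0] > window:
            pending.popleft()  # forget prompts older than the window
        if result in ("DENIED", "TIMEOUT"):
            pending.append(ts)
            if len(pending) == threshold:
                alerts.append({"user": user, "kind": "burst", "time": ts,
                               "prompts": len(pending)})
        elif result == "APPROVED":
            if len(pending) >= threshold:  # approval right after a flood
                alerts.append({"user": user, "kind": "approved_after_burst",
                               "time": ts, "prompts": len(pending)})
            pending.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(parse(SAMPLE_LOG)):
        print(alert)
```

An `approved_after_burst` alert is the case to treat as a likely account takeover, since a single mistaken denial followed by an approval (the second user in the sample) stays below the threshold.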
