Australian airline Qantas is reeling from a significant data breach that has exposed the personal information of millions of its customers. The breach, which occurred in mid-2025, saw the data of approximately 5.7 million customers stolen and subsequently released on the dark web by a hacker collective known as Scattered Lapsus$ Hunters. This incident has been described as one of Australia’s most serious data breaches to date, prompting a swift response from the airline and government agencies. Qantas has confirmed the breach and is actively working with cybersecurity experts and law enforcement to mitigate the damage and support affected customers.
The stolen data includes a range of personal information, varying between individual customers. Exposed details include customer names, email addresses, and frequent flyer numbers. In some cases, more sensitive information such as home and business addresses, dates of birth, phone numbers, gender, and even meal preferences were also compromised. The breach has raised significant concerns about the potential for identity theft and sophisticated phishing scams targeting affected individuals. While Qantas has reassured customers that no financial details, credit card information, or identity documents were accessed, the sheer volume of personal data leaked presents a considerable risk. The airline has emphasized that passwords and PINs were not compromised, and hackers did not gain access to Frequent Flyer accounts.
The Nature of the Attack
The data breach originated from a cyberattack that targeted a third-party platform used by a Qantas call center. The airline first detected unusual activity on this platform on June 30, 2025, and took immediate steps to contain the incident. The attack was not a direct breach of Qantas’s core systems but rather a vulnerability in a connected third-party service. The hackers, identified as the collective Scattered Lapsus$ Hunters, are a known group with a history of similar attacks on major corporations. This group is believed to operate internationally, with members in countries including the US, UK, and Australia. Their method in this and other attacks has involved social engineering, where they impersonate IT support staff to convince legitimate employees to grant them access to company systems.
A Coordinated Global Campaign
The attack on Qantas was part of a much larger, coordinated campaign by Scattered Lapsus$ Hunters that targeted over 40 companies worldwide. Other prominent victims of this hacking spree include major international brands such as Toyota, Disney, McDonald’s, and Adidas. The attackers’ primary target was customer data stored on the Salesforce platform, a popular customer relationship management (CRM) software. Salesforce has stated that the breach was not due to any vulnerability in their own software but rather the result of successful social engineering tactics employed by the hackers. The hackers would call company employees, pretending to be from the IT department, and trick them into providing the necessary access credentials. This method proved to be highly effective, allowing the group to amass a vast trove of data from numerous companies.
Timeline of the Breach and Response
The initial breach was detected by Qantas on June 30, 2025, when the airline noticed unusual activity on a third-party call center platform. Qantas immediately took steps to contain the breach and launched an investigation. In July 2025, the airline began proactively notifying customers whose data may have been compromised, advising them of the types of information involved. Also in July, Qantas sought and obtained an interim injunction from the New South Wales Supreme Court. This legal action was taken to prevent the stolen data from being accessed, viewed, shared, or published by anyone, including third parties. Despite these efforts, the situation escalated in October 2025. After a ransom demand was not met, the hacker group Scattered Lapsus$ Hunters released the stolen data on the dark web. This public release of the data significantly increased the risk for affected customers and prompted a further response from Qantas and government agencies.
Data Security Measures and Customer Support
In the wake of the data breach, Qantas has implemented a series of measures to enhance its data security and support affected customers. The airline has been working closely with cybersecurity experts to investigate the incident and strengthen its systems against future attacks. This includes increased training for staff, enhanced system monitoring and detection capabilities, and a thorough review of third-party platform security. For customers, Qantas has established a 24/7 support line to address concerns and provide assistance. The airline is also offering access to specialist identity protection services to help customers monitor for fraudulent activity. Qantas has been in continuous communication with affected customers via email, providing them with specific details about which of their personal information was compromised. The company is also working with government agencies, including the Australian Federal Police and the Australian Cyber Security Centre, to manage the fallout from the breach and pursue the perpetrators.
Recommendations for Affected Customers
Given the nature of the leaked data, customers are being urged to remain vigilant against potential scams and fraudulent activity. The Australian Cyber Security Centre and the National Anti-Scam Centre have issued warnings about the increased risk of phishing emails, scam text messages, and fraudulent phone calls. Customers are advised to be cautious of any unsolicited communication, especially if it purports to be from Qantas. It is recommended to independently verify the identity of any caller by contacting the company through official channels. Furthermore, customers are encouraged to enable two-step authentication on their personal email and other online accounts to add an extra layer of security. Staying informed about the latest cybersecurity threats is also crucial, and resources are available on the websites of the Australian Cyber Security Centre and Scamwatch. Customers should also be wary of anyone claiming to have their data and demanding payment for its removal, as this is likely to be a scam.
Legal and Governmental Response
The Qantas data breach has triggered a significant response from both legal and governmental bodies in Australia. The injunction obtained by Qantas from the NSW Supreme Court is a key part of this response, making it illegal to access, view, or share the stolen data. The Minister for Cybersecurity, Tony Burke, has publicly warned people not to go looking for the data on the dark web, even to check if their own information is present. The Australian Federal Police and the Australian Cyber Security Centre are actively involved in the investigation, working with Qantas to track down the hackers and prevent further misuse of the data. This incident has also brought the issue of corporate data security back into the national spotlight, with renewed calls for stronger regulations and penalties for companies that fail to adequately protect customer information. The breach is likely to have long-lasting implications for data security practices and policies in Australia, as the government and businesses grapple with the growing threat of cybercrime.