The cyberattack that hit Qantas mid-year has taken a darker turn, with hackers claiming to have released the personal data of up to five million customers on the dark web after a ransom deadline expired.
The leak follows months of speculation that a group calling itself Scattered Lapsus$ Hunters was behind the June breach. The collective, which has targeted dozens of multinationals, posted an extortion demand last week warning that it would release data stolen from a Salesforce database used by Qantas unless payment was made.
On Saturday, the group declared the information “leaked,” adding: “Don’t be the next headline, should have paid the ransom.”
According to The Guardian, the dataset includes customer names, contact details, dates of birth and frequent flyer numbers—but not credit card or passport information. Qantas confirmed it is working with cybersecurity specialists to determine the extent of the exposure.
“With the help of specialist cyber security experts, we are investigating what data was part of the release,” a spokesperson said. “We have also put in place additional security measures, increased training across our teams and strengthened system monitoring and detection since the incident occurred.”
The airline said it continues to provide a 24-hour helpline and specialist identity protection advice to affected customers.
Cyber analyst Jeremy Kirk of Intel 471 told The Guardian that Qantas was one of 44 companies listed in the hackers’ publication, alongside Gap, Toyota, Disney and McDonald’s.
“This particular group is not a new threat; they’ve been around for some time,” he said. “But they’re very skilled in knowing how companies have connected different systems together.”
The attack is believed to have compromised up to one billion customer records across multiple firms since April 2024, making it one of the largest coordinated data thefts to date.
Salesforce, the U.S.-based cloud provider linked to the incident, reiterated its refusal to negotiate with cybercriminals. “We will not engage, negotiate with, or pay any extortion demand,” the company told Guardian Australia.
In a statement, Salesforce said its own systems were not directly compromised, describing the extortion attempt as related to “past or unsubstantiated incidents.”
Qantas obtained an injunction from the NSW Supreme Court in July, restricting publication or distribution of the stolen data. The airline has also faced early legal pressure, with Insurance Business reporting that class action firm Maurice Blackburn has lodged a complaint with the Office of the Australian Information Commissioner over the handling of the breach.
The company’s board has already imposed a 15 per cent reduction in short-term bonuses for senior executives, a move that cost chief executive Vanessa Hudson about $250,000. The measure was described as a recognition of “accountability at the highest level” after one of Australia’s largest privacy incidents in recent years.
For insurers and brokers, the Qantas episode underscores the growing exposure from cloud-based dependencies that link multiple clients to a single point of failure.
Aggregation is the real story here. A single vendor compromise—whether Salesforce, Microsoft or another—can instantly cascade across hundreds of insureds. That’s what keeps reinsurers awake at night.
The situation also highlights how privacy and cyber liability covers continue to evolve as regulatory scrutiny intensifies. The government’s mandatory reporting regime, introduced after the Optus and Medibank breaches in 2022, requires firms to disclose and remediate incidents swiftly—yet even full transparency may not limit reputational damage.
The Qantas breach ranks among Australia’s most serious since those twin attacks three years ago. It also coincides with renewed attention on executive accountability for cyber resilience.
Recent corporate governance shifts have seen boards link performance pay to cybersecurity outcomes. The Qantas board suffered major bonus cuts over the hack.
Industry analysts say that, while the Qantas case involves no financial data, the exposure of personal identifiers could still fuel secondary fraud and identity theft. “These days, a lot of threat groups are now generating personalised phishing emails,” Kirk told The Guardian. “They’re getting better and better at this – and these types of breaches help fuel that underground economy.”
The Qantas leak is now shaping up as a defining moment for Australia’s cyber insurance market—a test of how well policy wordings, regulatory frameworks and corporate culture align under real stress.
For Qantas, the focus remains on investigation and customer protection. For insurers, the lessons extend far beyond aviation: as digital interconnection deepens, every breach is an aggregation event waiting to happen.