Australia's largest airline, Qantas, has confirmed that customer data stolen during a summer 2025 cyberattack has been published on the dark web by the Scattered Lapsus$ Hunters group after the airline refused to pay a ransom. The leak is part of a sprawling Salesforce-linked extortion campaign that has implicated at least 40 global companies and exposed an estimated 1 billion customer records.
What Happened
Qantas publicly confirmed on 12 October 2025 that personal data belonging to its customer base had been dumped to a dark web leak site by the Scattered Lapsus$ Hunters threat group. The dump followed the airline's refusal to engage with the group's extortion demands tied to a breach first disclosed in summer 2025.
Initial forensic findings indicate the intrusion did not originate inside Qantas's core infrastructure. Instead, attackers compromised a Qantas-affiliated call centre in the Philippines, using it as a pivot point to access and exfiltrate customer records. The airline has engaged external cybersecurity specialists and is coordinating with the Australian Federal Police and government agencies on the response.
The Qantas incident is one node in a much larger campaign attributed to Scattered Lapsus$ Hunters, which has targeted Salesforce-hosted customer data belonging to at least 40 multinational organisations, including Toyota, Disney, and IKEA. Salesforce itself was the subject of a separate extortion attempt and has publicly stated it refused to negotiate or pay.
What Was Taken
The published dataset includes a high volume of personally identifiable information drawn from Qantas's loyalty and customer service systems:
- Customer full names
- Dates of birth
- Email addresses
- Frequent flyer loyalty card numbers
- Home addresses and phone numbers for prominent Australian politicians and public figures
Qantas has stated there is no evidence that payment card data or passport details were accessed, indicating the breach was confined to identity and contact records rather than full travel or financial documents. The exposure of residential addresses and direct phone numbers for public officials, however, elevates this beyond a standard PII leak into a potential physical safety concern.
Why It Matters
This incident illustrates three trends that defenders should treat as the new operating baseline. First, the attack underscores that third-party and offshore service providers, such as outsourced call centres, remain the soft underbelly of even tier-one enterprises. Second, the campaign's scale across 40-plus global brands shows that a single compromised SaaS dependency, in this case Salesforce-hosted environments, can cascade into industry-wide exposure. Third, the data dump confirms that public refusal to pay does not always prevent reputational and customer harm, but it does deny attackers revenue and validates a hard-line posture that regulators increasingly expect.
The specific targeting of politicians' home addresses within the dump also signals a shift toward weaponising leak content for doxxing and intimidation rather than purely for financial fraud.
The Attack Technique
The intrusion vector traces back to a Qantas call centre in the Philippines, consistent with the Scattered Lapsus$ Hunters playbook of social-engineering outsourced support staff to gain initial access. The group, a convergence of operators previously linked to Scattered Spider, Lapsus$, and ShinyHunters, is known for voice phishing (vishing), SIM swapping, and impersonation of IT helpdesk personnel to harvest credentials and MFA tokens.
From the call centre foothold, attackers reportedly accessed customer record systems integrated with Salesforce-hosted CRM data, the same platform exploited in the parallel campaign against Toyota, Disney, IKEA, and others. Once the data was staged, the group attempted ransom negotiations directly with Qantas; when those failed, the dataset was published on the group's dark web leak site as a retaliatory measure.
What Organizations Should Do
- Audit third-party and BPO call centre access. Inventory every outsourced support provider with access to customer CRM data, enforce least privilege, and require hardware-based MFA for all support agent accounts.
- Harden Salesforce and SaaS CRM tenants. Review connected apps, OAuth tokens, IP allowlists, and session policies. Disable legacy authentication and rotate any API tokens issued to third parties.
- Train support staff against vishing and helpdesk impersonation. Scattered Lapsus$ Hunters relies heavily on phone-based social engineering. Implement callback verification and out-of-band identity checks for password and MFA resets.
- Monitor dark web and Telegram channels for early leak indicators. Establish standing collection on Scattered Lapsus$ Hunters, ShinyHunters, and affiliated leak sites to detect exposure before public disclosure.
- Pre-decide a no-pay posture and rehearse it. Align legal, communications, and executive teams on a non-payment policy and run tabletop exercises that include hostile leak publication scenarios.
- Segment high-risk customer records. Politically exposed persons (PEPs), executives, and other high-profile customers should have additional access controls and logging on their records to reduce blast radius from a CRM compromise.
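As a worked illustration of the first, second and sixth points above, the following is an added Python example (not Qantas's, Salesforce's or the article's own tooling). It audits a constructed inventory of outsourced-vendor accounts and connected apps against a least-privilege baseline (hardware MFA, OAuth rather than password login, token age, IP allowlist, scopes), then runs two detection rules over constructed CRM record-access log lines: a BPO agent reading a record segmented as a politically exposed person, and an agent reading many records with no linked support case. Every field name, threshold, vendor, account name, record id and log line is an assumption to be mapped onto a real tenant's connected-app, login-history and record-access exports.

```python
"""Third-party CRM access audit and segmented-record access detection.

Added example; not Qantas's, Salesforce's or the article's own tooling.
All field names, thresholds, vendors, accounts and log lines are
constructed assumptions; map them onto real tenant exports before use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 10, 13)     # fixed reference date so the example is deterministic
MAX_TOKEN_AGE_DAYS = 90        # assumed rotation policy for tokens issued to third parties
BULK_READ_THRESHOLD = 5        # assumed: distinct records read without a case before alerting
ALLOWED_SCOPES = {"read:contacts", "update:cases"}  # assumed least-privilege baseline for BPO apps


@dataclass(frozen=True)
class ThirdPartyAccess:
    vendor: str
    account: str
    mfa: str            # "hardware", "totp", "sms" or "none"
    auth_method: str    # "oauth" or "password" (legacy username/password API login)
    token_issued: date
    ip_allowlist: bool
    scopes: frozenset


def audit_access(entry):
    """Return the policy gaps for one outsourced account or connected app."""
    findings = []
    if entry.mfa != "hardware":
        findings.append("NO_HARDWARE_MFA")
    if entry.auth_method != "oauth":
        findings.append("LEGACY_AUTH")
    if (TODAY - entry.token_issued).days > MAX_TOKEN_AGE_DAYS:
        findings.append("STALE_TOKEN")
    if not entry.ip_allowlist:
        findings.append("NO_IP_ALLOWLIST")
    excess = entry.scopes - ALLOWED_SCOPES
    if excess:
        findings.append("EXCESS_SCOPE:" + ",".join(sorted(excess)))
    return findings


def audit_inventory(entries):
    """Map each account to its findings; an empty list means it passes the baseline."""
    return {e.account: audit_access(e) for e in entries}


# Constructed inventory: one poorly governed service account, one compliant agent app.
SAMPLE_INVENTORY = [
    ThirdPartyAccess("bpo-ph", "svc-callcentre", "sms", "password",
                     date(2025, 3, 1), False, frozenset({"read:contacts", "export:all"})),
    ThirdPartyAccess("bpo-ph", "agent-app", "hardware", "oauth",
                     date(2025, 9, 20), True, frozenset({"read:contacts"})),
]

# Constructed record-access log: "<timestamp> <agent> <vendor> <record_id> <case_id|->"
ACCESS_LOG = """\
2025-10-13T09:01:07Z agent17 bpo-ph C-1001 CASE-8810
2025-10-13T09:02:11Z agent17 bpo-ph C-1002 -
2025-10-13T09:03:40Z agent17 bpo-ph C-1003 -
2025-10-13T09:03:55Z agent17 bpo-ph C-1004 -
2025-10-13T09:04:02Z agent17 bpo-ph C-1005 -
2025-10-13T09:04:20Z agent17 bpo-ph C-1006 -
2025-10-13T09:10:00Z agent42 bpo-ph C-1009 CASE-8822
2025-10-13T09:12:30Z staff03 internal C-1009 CASE-8823
""".splitlines()

PEP_RECORDS = {"C-1002", "C-1009"}   # constructed: records segmented as politically exposed persons
BPO_VENDORS = {"bpo-ph"}             # constructed: outsourced call-centre tenants


def detect_record_access(log_lines, pep_records, bpo_vendors, bulk_threshold=BULK_READ_THRESHOLD):
    """Flag BPO reads of segmented PEP records and bulk reads with no linked case."""
    alerts = []
    reads_without_case = defaultdict(set)
    for line in log_lines:
        ts, agent, vendor, record, case = line.split()
        if vendor not in bpo_vendors:
            continue  # internal staff are governed by a separate policy; not in scope here
        if record in pep_records:
            alerts.append({"rule": "bpo_read_of_pep_record",
                           "severity": "high" if case == "-" else "medium",
                           "agent": agent, "record": record, "ts": ts})
        if case == "-":
            reads_without_case[agent].add(record)
    for agent, records in reads_without_case.items():
        if len(records) >= bulk_threshold:
            alerts.append({"rule": "bpo_bulk_read_without_case", "severity": "high",
                           "agent": agent, "count": len(records)})
    return alerts


if __name__ == "__main__":
    for account, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(account, findings or "OK")
    for alert in detect_record_access(ACCESS_LOG, PEP_RECORDS, BPO_VENDORS):
        print(alert)
```

The audit half is a one-off review to run against the vendor inventory; the detection half is meant to run continuously over record-access events, with the PEP flag maintained by whoever owns customer segmentation rather than by the BPO.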
Sources: Hackers retaliate against Australian airline by publishing customer data on dark web | Caliber.Az