
This was published 5 months ago

Qantas among 40 companies caught up in major extortion attempt by hackers

Airline giant Qantas is bracing for the fallout from a massive cyberattack that has swept up nearly 40 major corporations as hackers threaten to leak sensitive passenger data unless ransoms are paid by Friday.

Hacker collective Scattered Lapsus$ Hunters claims to have stolen almost 1 billion records by targeting customers of cloud technology giant Salesforce. Their weapon of choice is “vishing”, or voice phishing: hackers pose as legitimate employees and call company IT helpdesks, convincing unsuspecting staff to grant them access.

The group has given high-profile companies including Qantas, Toyota, Disney and Ikea just days to begin ransom negotiations. The data stolen from the range of companies reportedly includes customer dates of birth, passport numbers and purchase histories collected between April 2024 and September 2025. No Qantas customer passport numbers or financial details were stolen.

Australia’s top cyber cop, Cyber Security Coordinator Lieutenant General Michelle McGuinness, confirmed at Senate estimates on Wednesday that the hack included the home addresses and phone numbers of several high office holders. Almost all federal MPs have Chairman’s Club memberships with Qantas.

Qantas said it was aware of a post that contains samples of data stolen from itself and about 40 other companies. The airline says it is actively monitoring the situation with the help of specialist cybersecurity experts.

“Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities,” the airline said.

“We continue to offer a 24/7 support line and specialist identity protection advice to affected customers.

“We have also put in place additional security measures, increased training across our teams and strengthened system monitoring and detection since the incident occurred,” Qantas said.

The saga for Qantas began on June 30, when cyber-criminals accessed nearly 6 million customer accounts through a third-party vendor at a Qantas call centre in Manila. A week later, Qantas was approached by what it labelled a “potential” cybercriminal.

The airline later confirmed that 5.7 million customers had their information accessed, including names, phone numbers, business phone numbers, addresses and even the food preferences of thousands of travellers. It revealed later that the “majority” of a subset of 2.8 million customer records had frequent flyer information, including the level of Qantas membership, accessed.

Rather than directly hacking Salesforce’s systems – which remain secure – the hackers exploited the human element. Using voice phishing calls, they convinced IT helpdesk staff to install what appeared to be legitimate software: a modified version of Salesforce’s Data Loader tool, which is normally used to bulk-import data.

Once installed, this Trojan horse gave hackers unfettered access to customer databases.


The Scattered Lapsus$ Hunters collective has already claimed responsibility for earlier attacks on British retailers including Marks & Spencer, Co-op and Jaguar Land Rover. Security researchers at Google’s Threat Intelligence Group warn the group has “proven particularly effective at tricking employees”.

The hackers’ technical infrastructure suggests ties to “The Com” – a loosely organised cybercriminal ecosystem comprising small, disparate groups known for increasingly brazen attacks and, in some cases, violent activity. British police arrested four suspects under 21 in July following the breaches targeting UK retailers.

Salesforce has told its clients it won’t pay the ransom. “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” a company spokesman told this masthead.

Sophos security researcher Aiden Sinnott warns the group’s October 10 deadline should be taken seriously. “A lot of what they post is intentional misinformation and trolling,” he said. “But they aren’t averse to leaking huge amounts of data.”

This comes at a sensitive time for the airline, given the prominent role its lounges have in catering to influential politicians, judges and policymakers.

Qantas has pursued a legal strategy of trying to minimise the legal public disclosure of the personal details of the affected customers, including their status as members of Qantas’ loyalty programs.

On October 2, Qantas received final orders from the NSW Supreme Court on an injunction against the hacking group, even though the exact details of their identity were unclear.

This legal strategy, while protecting the identity of victims, prevents media, social media and other lawful entities from publishing the sensitive information, even as it may be sold on the dark web to criminals.

The NSW judge suppressed the names of a Qantas expert, and the lawyers and barristers representing the airline in court, according to AAP.


Clayton Utz partner James Neil said Qantas’ injunction is an example of where “litigation can be used to indirectly target parties”, in this case primarily media and social media platforms.

“I don’t think their main concern though is nefarious actors working through the dark web. It really is the larger organisations who might have a broader reach in publishing information.”

The airline, in a period of rebuilding public trust under CEO Vanessa Hudson, has taken pains to show it takes customer privacy seriously.

Hudson’s 2025 annual bonus was cut by 15 percentage points in September as a result of the impact the cyber incident had on customers. “This reflects their shared accountability while acknowledging the ongoing efforts to support customers and put in place additional protections for customers,” said chairman John Mullen.

Hudson’s short-term incentive plan was cut by $250,000, with $550,000 cut for all other executives.

David Swan is the technology editor for The Age and The Sydney Morning Herald. He was previously technology editor for The Australian newspaper.

Chris Zappone is a senior reporter covering aviation and business. He is former digital foreign editor.
