Dark Web News Analysis
The extortion group calling itself “Scattered Lapsus$ Hunters” has publicly leaked a database containing the records of an estimated 5 million Qantas customers on a dark web forum. The leak followed the expiry of a ransom deadline the group had set for the airline, which did not pay. The data was stolen in a campaign against the software supply chain in June 2025, in which the threat actors gained access to Salesforce customer-relationship-management (CRM) instances belonging to Qantas and dozens of other major global companies. The access was reportedly obtained by social-engineering staff into granting an attacker-controlled integration access to the company's Salesforce data, rather than by exploiting a flaw in Salesforce itself. After the deadline expired, the group marked the Qantas entry on its leak site as “leaked,” with the message, “Don’t be the next headline, should have paid the ransom.”
The leaked Qantas data reportedly includes a range of customer Personally Identifiable Information (PII), such as names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. Initial reports indicate that credit card details and passport information were not included, but this PII is still highly valuable to criminals. It lets them craft convincing, personalised phishing and social engineering lures aimed at Qantas customers, particularly high-value frequent flyers. Posing as the airline with a name, a member number and a recent balance in hand, attackers can attempt to drain frequent flyer points (which can be redeemed or resold much like a currency), phish for account credentials, or trick customers into revealing financial information. This leak is part of a much larger campaign that has impacted over 40 major brands, including Toyota, Disney, and Adidas.
Key Cybersecurity Insights
This high-profile data leak highlights several critical cybersecurity trends:
- Major Supply-Chain Attack via a Core SaaS Provider: This incident underscores the risk concentrated in the modern SaaS supply chain. The attackers did not need to breach Qantas’s own network; they obtained access to the Salesforce CRM instances that Qantas and many other companies use to hold customer data, and the same technique worked against each of them because they share the platform and the same weak point (staff who can authorise third-party integrations). A single intrusion path into a widely used cloud service therefore exposed the customer data of over 40 corporations, demonstrating the cascading impact of a supply-chain compromise.
- High Risk of Targeted Phishing and Frequent Flyer Fraud: The specific data leaked, names, contact details and frequent flyer numbers, is a ready-made toolkit for social engineering. Cybercriminals will use it to create convincing, personalised phishing emails and text messages that quote the victim's own member number. These scams will likely aim to steal frequent flyer points, take over accounts by tricking users into revealing passwords or one-time codes, or manipulate victims into handing over more sensitive financial data.
- Extortion-Driven Data Leak Following Ransom Non-Payment: The incident follows the now-standard data-theft extortion playbook: the “Scattered Lapsus$ Hunters” group first exfiltrated the data, then used the threat of its public release to extort the affected companies, without needing to encrypt anything. When the ransom was not paid, they published the data to cause maximum reputational damage, a tactic designed to pressure future victims into paying.
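The personalised lures described above are hard to spot by eye precisely because they get the victim's name and member number right, so a useful check looks at the message's infrastructure instead. The following Python is an added example, not part of the original post or of any vendor's tooling. It triages a raw email by checking three things: whether the sender's display name borrows the airline's brand while the address domain does not belong to it, whether SPF/DKIM results vouch for a domain other than the airline's (a pass for an attacker-owned domain proves nothing), and whether links point to lookalike hosts. The allowlist of legitimate domains, the brand token and both sample messages are constructed for the example.

```python
"""Triage an email that impersonates an airline loyalty programme (added example).

Both messages below are constructed samples; a real deployment would feed in
raw mail from a mailbox export or a mail-gateway quarantine.
"""
import difflib
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed allowlist: domains the real airline sends from and links to.
LEGIT_DOMAINS = {"qantas.com", "qantas.com.au"}
BRAND = "qantas"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing sample using the kinds of data in the leak (name, member number).
SAMPLE_PHISH = """\
From: "Qantas Frequent Flyer" <rewards@qantas-frequentflyer-support.com>
To: jane.doe@example.net
Subject: Action required: your Frequent Flyer points expire in 48 hours
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=qantas-frequentflyer-support.com; dkim=none
Content-Type: text/plain; charset=utf-8

Dear Jane Doe (Frequent Flyer 1234567890),

Your balance of 84,200 points will expire unless you verify your account:
https://qantas-frequentflyer-support.com/verify?ff=1234567890

Qantas Loyalty Team
"""

# Constructed legitimate sample for comparison.
SAMPLE_LEGIT = """\
From: "Qantas Frequent Flyer" <rewards@qantas.com>
To: jane.doe@example.net
Subject: Your monthly points statement
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=qantas.com; dkim=pass header.d=qantas.com
Content-Type: text/plain; charset=utf-8

Hi Jane, your statement is available at https://www.qantas.com/
"""


def is_legit_host(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def looks_like_brand(text):
    """True if the text contains the brand token or is a near-match of a legit domain."""
    text = text.lower()
    if BRAND in text:
        return True
    return any(difflib.SequenceMatcher(None, text, d).ratio() >= 0.8 for d in LEGIT_DOMAINS)


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no indicators found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Brand in the display name, but the address domain is not the airline's.
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_host = addr.rsplit("@", 1)[-1]
    if not is_legit_host(sender_host) and looks_like_brand(display + " " + sender_host):
        findings.append(f"brand impersonation in From: {display!r} <{addr}>")

    # 2. Authentication results: DKIM absent, or SPF passing only for a foreign domain.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", auth)
    if mailfrom and not is_legit_host(mailfrom.group(1)):
        findings.append(f"SPF vouches only for non-airline domain {mailfrom.group(1)}")

    # 3. Links whose host imitates the brand without belonging to it.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_legit_host(host) and looks_like_brand(host):
            findings.append(f"lookalike link host: {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no indicators")
```

The check deliberately ignores the personalised content, since a correct name and member number are exactly what the leak gives the attacker; what the attacker cannot easily forge is a passing DKIM signature for the airline's own domain or a link that resolves under it.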
Mitigation Strategies
In response to this significant data leak, a coordinated response from the company, its customers, and the broader business community is required:
- Enable MFA and Monitor for Phishing and Account Fraud: Qantas Frequent Flyer members should protect their accounts with Multi-Factor Authentication (MFA) where the service offers it, and change any password or PIN that is reused elsewhere. They should expect personalised phishing emails and text messages that quote their name and frequent flyer number to appear legitimate; a message knowing those details is not evidence that it came from the airline. Unsolicited messages should be treated with suspicion, links in them should not be followed (go to the official app or website directly instead), and members should regularly review their points balance and account activity for anything unauthorised.
- Activate High-Priority Incident Response and Customer Support: Qantas must continue to execute its incident response plan, which includes providing a dedicated 24/7 support line and specialist identity protection services for the affected customers. Transparent and continuous communication is critical to help customers understand the risks and take protective measures, and it limits long-term reputational damage.
- Conduct Rigorous Audits of Third-Party SaaS Security: This breach is a critical reminder for all businesses to vet the security posture of their third-party SaaS providers and, just as importantly, of their own tenant configuration, since the shared responsibility model leaves user access and integration approval with the customer. Concretely, that means inventorying every connected app and OAuth grant on the CRM tenant and revoking unknown ones, restricting which users may authorise new third-party integrations, granting integrations only the least-privilege scopes they need, and alerting on bulk data exports, especially those made shortly after a new integration is approved, so that the blast radius of a supply-chain compromise is contained.
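The last bullet's monitoring step can be expressed as a small detection. The following Python is an added example, not code from the original post or from any CRM vendor: it replays a constructed audit log of integration authorisations and bulk export jobs and raises a medium alert when a user approves an integration that is not on the organisation's allowlist, escalating to high when that same user-and-app pair exports more than a threshold of rows within 24 hours of the approval. The event field names, the allowlist, the threshold and the log entries are all this example's own assumptions, loosely modelled on the OAuth-grant and bulk-API entries a SaaS platform's audit log typically exposes.

```python
"""Flag unapproved third-party integrations followed by bulk data export (added example).

The event records, field names, allowlist and threshold below are constructed
for this example; map them onto your own platform's audit-log schema.
"""
from datetime import datetime, timedelta

APPROVED_APPS = {"Marketing Sync", "Support Desk Connector"}  # constructed allowlist
WINDOW = timedelta(hours=24)   # how soon after approval an export is considered linked
ROW_THRESHOLD = 100_000        # rows exported per user/app pair before escalating

# Constructed audit-log events (assumed schema): an approved sync app doing normal
# work, and a contact-centre agent approving an unknown app that then dumps two objects.
EVENTS = [
    {"ts": "2025-06-30T09:02:11Z", "type": "oauth_app_authorized",
     "user": "agent07@contact-centre.example", "app": "Marketing Sync", "scopes": "api"},
    {"ts": "2025-06-30T11:41:05Z", "type": "oauth_app_authorized",
     "user": "agent19@contact-centre.example", "app": "My Ticket Portal",
     "scopes": "api refresh_token full"},
    {"ts": "2025-06-30T11:49:30Z", "type": "bulk_query_job",
     "user": "agent19@contact-centre.example", "app": "My Ticket Portal",
     "object": "Contact", "rows": 1_250_000},
    {"ts": "2025-06-30T12:05:44Z", "type": "bulk_query_job",
     "user": "agent19@contact-centre.example", "app": "My Ticket Portal",
     "object": "Account", "rows": 3_900_000},
    {"ts": "2025-06-30T13:00:00Z", "type": "bulk_query_job",
     "user": "agent07@contact-centre.example", "app": "Marketing Sync",
     "object": "Lead", "rows": 2_000},
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_rogue_integrations(events):
    """Return alerts, in order: one 'medium' per unapproved authorisation, then one
    'high' per user/app pair whose exports within WINDOW of approval exceed ROW_THRESHOLD."""
    alerts = []
    pending = {}    # (user, app) -> approval time, for apps not on the allowlist
    exported = {}   # (user, app) -> {"rows": int, "objects": [str, ...]}

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = _parse_ts(ev["ts"])
        key = (ev["user"], ev["app"])

        if ev["type"] == "oauth_app_authorized":
            if ev["app"] not in APPROVED_APPS:
                alerts.append({"severity": "medium", "user": ev["user"], "app": ev["app"],
                               "scopes": ev.get("scopes", ""),
                               "reason": "integration authorised outside the approved list"})
                pending[key] = ts

        elif ev["type"] == "bulk_query_job":
            approved_at = pending.get(key)
            # Only exports soon after an unapproved grant are attributed to it.
            if approved_at is not None and ts - approved_at <= WINDOW:
                agg = exported.setdefault(key, {"rows": 0, "objects": []})
                agg["rows"] += ev["rows"]
                agg["objects"].append(ev["object"])

    for (user, app), agg in exported.items():
        if agg["rows"] >= ROW_THRESHOLD:
            alerts.append({"severity": "high", "user": user, "app": app,
                           "rows": agg["rows"], "objects": agg["objects"],
                           "reason": "bulk export via newly authorised unapproved integration"})
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_integrations(EVENTS):
        print(alert)
```

The medium alert on its own is worth acting on (revoke the grant, ask the user what they were told to install); the high alert is the point at which a contact-centre login has turned into a mass data exfiltration, and the correlation key, the same user and app across both event types, is what keeps an approved sync job doing legitimate bulk work from tripping the rule.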
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For new inquiries or to report this post, please email us: contact@brinztech.com