The Qantas data breach from earlier this year has resurfaced. In its latest customer update on the June cybersecurity incident, Qantas has confirmed that stolen customer data has been published to the internet. The company originally issued a customer update on the data breach in early July, shortly after it occurred, and has published several new versions since then. The date of the breach was June 30, 2025, according to the security update. The company stated the breach occurred via a compromised third-party platform, not its internal systems. Qantas is an Australian airline that flies both domestically within Australia and internationally. It is headquartered near Sydney, Australia, and was founded in 1920.
Qantas Data Leak Linked to Scattered Lapsus$ Hunters Hacker Group
The Guardian reported that the third-party system involved was Salesforce, and that the attack was attributed to the hacker group Scattered Lapsus$ Hunters. It said that Salesforce had publicly declined to give in to extortion attempts by the hackers, who then made the Qantas data public.
The Guardian also reported that around 40 companies in total were impacted by the breach, and that the Qantas data included around five million customer records. In a recent entry on its Container 7 blog, Immersive Labs described the hacker group as a coalition of groups: Scattered Spider, Lapsus$, and ShinyHunters. That blog also provides an overview of some of their tactics.
Scope and Data of the Qantas Data Breach
In its September 11, 2025, security update for customers, Qantas provided information on the type of data that was compromised. It said that the compromised data differed by customer, and that for most customers it comprised items such as name, email address, and frequent flyer number. For some customers, it said the compromised data included additional fields such as address, date of birth, phone number, gender, and even meal preferences. It also stated, “There was no impact to Qantas Frequent Flyer accounts. Passwords, PINs, and login details were not accessed or compromised. The data that was compromised is not enough to gain access to Frequent Flyer accounts”.
The Sydney Morning Herald reported that the number of Qantas customers affected was about 5.7 million (somewhat higher than The Guardian's figure). Significantly, the same Sydney Morning Herald article indicated that Salesforce says the attack did not involve a compromise of its platform.
Law Enforcement Involvement and Hacker Adaptation
In its customer security update, Qantas said that it has obtained an injunction from the New South Wales Supreme Court to prevent anyone from using the stolen data. It also informed a variety of Australian government entities, including the Australian Federal Police, the Federal Government’s National Cyber Security Coordinator, and the Australian Cyber Security Centre.
Security Buzz reached out to industry expert Noelle Murata, Sr. Security Engineer of Xcape, Inc., who commented on the law enforcement response. “With the FBI’s involvement, many of the organization’s known websites were taken down; however, the group continued to release batches of stolen data and spun up new platforms for distribution. While the data breach was significant in terms of records exfiltrated, affecting nearly 5.7 million customers, credit card, passport, and website credentials were not accessed or compromised.”
She added, “Organizations need to realize that data exfiltration following a breach is inevitable and should design their technical controls to be consistent with their business risk”.
Advice from Qantas for Its Customers
In its security update, Qantas provides several pieces of advice for customers affected by the breach. It counsels heightened awareness when receiving digital communications such as texts and emails, especially if the sender claims to be Qantas. It also advises using two-factor authentication on digital accounts and not giving passwords to any other party.
All of these points are sound advice for anyone. Readers can see the full list of recommendations on the Qantas customer security update page.
Conclusion
Qantas continues to follow up on the breach, including customer outreach. To its credit, it has updated its web content on the topic frequently since the original breach occurred, and it provides an extensive “frequently asked questions” section on its update page. Its transparency should reinforce trust among its customers.
Murata further commented, “The takeaways for organizations are to be vigilant about vendor choices and vendor management; even reputable third parties can be unreliable. For customers, the best you can do is boost your password management skills; don’t reuse passwords and implement multi-factor authentication (MFA) wherever possible.”
This incident highlights the growing dependence on SaaS platforms and the shared responsibility for data security between SaaS vendors and their customers. It illustrates the agility of modern cybercrime groups and the limits of law enforcement action in combating them. Finally, it underscores the need for a fast, coordinated response to breaches.