-
Customer data that was stolen in a July breach has been leaked on the dark web, affecting over five million Qantas customers.
-
Exposed details for more than one million customers include sensitive information such as phone numbers, addresses, and dates of birth.
-
The hacker group Scattered Lapsus$ Hunters claimed responsibility for the breach after the deadline for the ransom had passed, linking it to an attack on a global third-party service provider.
On Saturday, Qantas Airways confirmed that customer information stolen in a cyber breach in July has been posted on the dark web, exposing the details of more than five million customers.
This move turns one of Australia’s biggest data breaches from a theft to a public exposure, several months after it had occurred. The airline said they were one of over 40 companies worldwide affected by the compromise of a third-party platform.
Scale and Details of the Qantas Data Breach
The previous Qantas data breach that took place in July 2025 was a cyber incident that resonated in the industry & this leak confirms what everyone feared about the stolen information. The airline said the dataset affects more than 5 million customers.
The type of data breached differs for each person, but the published information includes email addresses, customer names, and frequent flyer numbers. To make matters worse, for over one million of those customers, their phone numbers, home addresses, and dates of birth were also included.
Qantas said there was no compromise of financial information, identity documents, or account passwords in the breach. This is relevant because there is less risk of direct financial fraud. However, customers are still very vulnerable to targeted phishing and social engineering attacks if bad actors get hold of their other personal information.
Airline’s Response and Criminal Attribution
As a way of response to the leak, Qantas was quick to seek an injunction in the NSW Supreme Court. Its reason for making this move is to prevent the criminals from getting access, sharing the data they stole, or even publicizing it although carrying this out in a successful way may not be that easy on the dark web.
While Qantas refused to comment publicly on attribution, several reports attribute it to the hacking collective Scattered Lapsus$ Hunters. This group involves members of the other notorious hacking groups Scattered Spider, Lapsus$, and ShinyHunters. They reportedly claimed to have released the data after a ransom payment deadline passed without a response.
The breach is reportedly part of a larger wave of attacks on organizations related to Salesforce. These attacks often rely on advanced social engineering tactics such as “voice phishing” (vishing) as well as malicious versions of trusted tools (e.g., Salesforce’s Data Loader). Other large enterprises also reportedly fallen victim to a similar wave of attacks are Google, Cisco, and the Air France-KLM Group.
At this time, Qantas is relying on the help of experts in cybersecurity to understand everything about the data that leaked. The company has created a support hotline that focuses on this matter alone for its customers who fell victim to the breach.
The airline advises its customers to be watchful and be very careful, especially when it comes to how they react to unexpected communication. They are to avoid clicking on any link they receive through messages or emails and not believe that seem suspicious, and not believe everything they hear.
Growing Number of Incidents of Breaches by Third-Party Vendors Globally
The Qantas incident is an example of a worrying trend in which cybercriminals are no longer attacking organizations directly. They are rather targeting their third-party vendors and services that have weaker security. With this method, a single breach can spread across multiple major organizations.
Recent Prominent Third-Party Breaches
A department store in the UK, Harrods, which sells luxury goods, recently opened up to the public that a breach they linked to a third-party vendor revealed 430,000+ records of names & contact details belonging to customers.
A breach in which the ShinyHunters group accessed a third-party platform pushed the data from many high-profile technology companies to the dark web.
The widespread MOVEit file-transfer vulnerability earlier in the year caused harm to more than 10 million individuals in Japan alone. Organizations affected include government agencies and private companies.
These episodes point to a significant risk in present-day digital ecosystems. As firms rely on third-party platforms for consumer management and data processing, the strength of security of one partner can determine how safe the personal information of millions of consumers across the globe will be.
