Personal data linked to millions of Qantas customers has appeared on an extortion site after a ransom deadline set by a crime syndicate styling itself “Scattered LAPSUS$ Hunters,” according to Australia’s public broadcaster. Qantas said it is monitoring dark‑web activity and continuing support for affected customers after a July cyber incident, while Salesforce — named by the criminals in their wider campaign — reiterated it will not pay and said it has no indication its platform was compromised. ([abc.net.au](https://www.abc.net.au/news/2025-10-11/hackers-release-qantas-customers-data-on-dark-web/105881266?utm_source=openai))
What is confirmed
Qantas disclosed on July 2 that a third‑party customer service platform used by one of its call centers was accessed, ultimately affecting 5.7 million unique customer records after duplicates were removed. The airline said the exposed fields varied by person, spanning names and emails for most customers and, for smaller cohorts, addresses, dates of birth and phone numbers. Qantas has said no passwords, payment cards, bank details or passport numbers were held in the impacted system. ([qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025/?utm_source=openai))
Reuters reporting in early July corroborated those figures and noted that more than one million customers had phone numbers, birth dates or home addresses accessed, while roughly four million had only names and email addresses exposed. At the time, Qantas said it had seen no evidence of data release but was actively monitoring with external experts. ([investing.com](https://www.investing.com/news/stock-market-news/qantas-confirms-over-a-million-customers-personal-information-leaked-4127415?utm_source=openai))
Market reaction and governance response
Qantas shares fell around 2% intraday on July 2 following the disclosure of the breach, underperforming the broader Australian market during that session. While the stock subsequently recovered, the initial sell‑off underscored investor sensitivity to cyber‑risk at consumer brands with large data footprints. ([tradingview.com](https://www.tradingview.com/news/reuters.com%2C2025%3Anewsml_L4N3SZ01V%3A0-australia-s-flag-carrier-qantas-falls-on-cybersecurity-incident/?utm_source=openai))
In September, the airline cut short‑term bonuses for its CEO and executive team by 15%, citing accountability for the incident even as investigations continue. The reduction trimmed CEO Vanessa Hudson’s cash bonus by A$250,000 for the year ended June 30, according to the company’s annual report and contemporaneous coverage by Reuters. ([reuters.com](https://www.reuters.com/sustainability/boards-policy-regulation/qantas-trims-executive-bonuses-by-15-fiscal-2025-over-cyber-hack-2025-09-05/?utm_source=openai))
What we know about the attackers
The extortion site used in this campaign claims roughly “~1B+” records stolen from about 39 companies connected to Salesforce environments. Salesforce said in an email to media that it “will not engage, negotiate with, or pay any extortion demand,” adding there is no indication its core platform was compromised and portraying the activity as relating to past or unsubstantiated incidents. Security firm Mandiant has tracked this cluster as UNC6040, noting social‑engineering calls to persuade targets to connect attacker‑controlled apps to corporate portals. ([arstechnica.com](https://arstechnica.com/security/2025/10/salesforce-says-it-wont-pay-extortion-demand-in-1-billion-records-breach/?utm_source=openai))
Trade publications that reviewed the gang’s site list global brands across retail, transport and media among named victims, reinforcing the campaign’s breadth and the attackers’ focus on data‑rich, customer‑facing firms. While naming conventions can blur among Lapsus$, Scattered Spider and ShinyHunters, the operative risk for enterprises is consistent: credential theft and abuse of legitimate integrations across cloud software stacks. ([techcrunch.com](https://techcrunch.com/2025/10/03/hacking-group-claims-theft-of-1-billion-records-from-salesforce-customer-databases/?utm_source=openai))
Regulatory exposure and costs
Australia strengthened its privacy penalty regime in late 2022: for serious or repeated interferences with privacy, the maximum corporate penalty is the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover for the breach period. That framework, enforced by the Office of the Australian Information Commissioner (OAIC), raises the stakes for large breaches that expose personal information at scale. ([ministers.ag.gov.au](https://ministers.ag.gov.au/media-centre/parliament-approves-governments-privacy-penalty-bill-28-11-2022?utm_source=openai))
Global cost benchmarks also point to meaningful financial drag from major incidents. IBM’s 2025 Cost of a Data Breach report found the average breach cost at US$4.44 million worldwide, while the United States averaged about US$10.2 million, reflecting higher legal, remediation and customer support costs. For customer‑intensive sectors, post‑incident spending on contact centers, identity protection and fraud monitoring commonly represents a substantial share of outlays in the first year after an attack. ([bnnbloomberg.ca](https://www.bnnbloomberg.ca/business/technology/2025/07/30/costs-of-data-breaches-dropping-globally-but-not-in-canada-ibm-study/?utm_source=openai))
Company and industry actions
Qantas has established round‑the‑clock customer support and secured an injunction from the New South Wales Supreme Court designed to limit the use or publication of stolen data — measures that can mitigate secondary harm and restrict the spread of files in mainstream channels, even if they do not deter criminal forums. The airline continues to coordinate with federal authorities and cyber specialists as it monitors for misuse. ([qantasnewsroom.com.au](https://www.qantasnewsroom.com.au/qantas-responds/update-on-qantas-cyber-incident-thursday-17-july-2025/?utm_source=openai))
Across industries, the current campaign is a reminder that risk increasingly sits in integrations — API connections, OAuth tokens and third‑party applications that extend powerful privileges. Security analysts recommend tightened governance over cloud apps, mandatory hardware‑based multi‑factor authentication for privileged roles, and continuous monitoring for anomalous access between SaaS systems. Salesforce’s public refusal to negotiate, echoed in industry guidance, aligns with a broader shift away from ransom payments as regulators and insurers scrutinize extortion economics. ([arstechnica.com](https://arstechnica.com/security/2025/10/salesforce-says-it-wont-pay-extortion-demand-in-1-billion-records-breach/?utm_source=openai))
Outlook for airlines and investors
Airlines concentrate valuable personal and loyalty data while relying on sprawling vendor ecosystems — from call‑center platforms to CRM and marketing tools — creating a wide attack surface. For investors, the Qantas episode highlights three diligence points: board‑level oversight of third‑party risk, measurable progress on identity and access controls across SaaS, and transparent disclosure that balances customer protection with timely market updates. Share‑price volatility around the July disclosure, followed by governance adjustments in September, illustrates how markets increasingly expect clear accountability alongside operational fixes. ([tradingview.com](https://www.tradingview.com/news/reuters.com%2C2025%3Anewsml_L4N3SZ01V%3A0-australia-s-flag-carrier-qantas-falls-on-cybersecurity-incident/?utm_source=openai))
For a contemporaneous account of the governance steps and executive pay decision, see Reuters’ coverage. ([reuters.com](https://www.reuters.com/sustainability/boards-policy-regulation/qantas-trims-executive-bonuses-by-15-fiscal-2025-over-cyber-hack-2025-09-05/?utm_source=openai))
Read more analysis on corporate risk and market implications at Globally Pulse Business. For background on the Salesforce‑linked extortion campaign and the company’s stance, see Ars Technica’s reporting. ([arstechnica.com](https://arstechnica.com/security/2025/10/salesforce-says-it-wont-pay-extortion-demand-in-1-billion-records-breach/?utm_source=openai))
