Hackers leak data of millions of Qantas customers after refusing to pay ransom

13.10.2025 2 minutes Author: Newsman

Cybercriminals behind the attack on the airline Qantas have published data of nearly six million customers on the dark web after the company allegedly refused to pay the ransom. Among the leaked information are names, dates of birth, phone numbers, email addresses, and frequent flyer card numbers. The incident occurred in early July 2025 due to a compromise of a Salesforce system connected to airline networks.

After the Scattered Lapsus$ Hunters group failed to receive payment, they released the stolen data, claiming responsibility for the breach that affected over 40 companies, including Disney, Google, IKEA, and Toyota.

  • Qantas confirmed the negotiation attempts but stated that it “would not engage with criminal actors.”

  • The hackers claim to have published Qantas data along with that of other companies on their leak site.

  • The stolen information includes PII, financial records, and travel documents of frequent flyers.

  • Cybersecurity experts warn that such leaks often lead to phishing and social engineering campaigns, disguised as airline support or reward program messages.

Qantas has reportedly obtained a court injunction from the Supreme Court of New South Wales (NSW) prohibiting anyone from sharing or reposting the compromised data.

However, the hackers mocked the company. On their leak site, they wrote:

> “Don’t be the next headline — should have paid the ransom.”

Cybersecurity expert Troy Hunt, founder of *Have I Been Pwned*, confirmed the authenticity of the leaked data.

According to Hunt, while only six companies’ data have been released so far, the real scope of the attacks might be significantly larger. He noted that the ongoing campaign targeting Salesforce partners appears to be coordinated and well-planned, likely aimed not just at financial gain but also at demonstrating power and exploiting trust in third-party vendors.

The Qantas case highlights that even major enterprises with advanced infrastructure remain vulnerable to supply-chain attacks. Where ransom demands used to be negotiated privately, threat actors now increasingly engage in public pressure campaigns, using exposure as leverage.
