
We would like to acknowledge the Traditional Custodians of the local lands and waterways on which we live, work and fly. We pay our respects to Elders past and present.   Spirit is everything to us, and joining the Qantas team means bringing your spirit to ours. We have over 26,000 exceptional employees, and every year we fly millions of customers around Australia and the world – together.    If you hop on board with the team, you'll experience a workplace where creativity, diversity and innovation are encouraged. We aim to give every member of the Qantas Group the support to follow their dreams, face new challenges, and let their future take flight. Ultimately, people are our priority – those who work for us and those who travel with us.  For the latest information on the cyber incident: https://bit.ly/3I7jNfM Member of the oneworld Alliance. Please read the Qantas LinkedIn House Rules at http://bit.ly/QFhouserules

Qantas AI Cybersecurity Scoring

Qantas

Company Details

Linkedin ID:

qantas

Employees number:

17,358

Number of followers:

603,826

NAICS:

481

Industry Type:

Airlines and Aviation

Homepage:

qantas.com

IP Addresses:

0

Company ID:

QAN_1344183

Scan Status:

In-progress

AI score: Qantas Risk Score (AI oriented)

Between 0 and 549

  • Powered by our proprietary AI cyber incident model
  • Insurers prefer the TPRM score when calculating premiums
Global score: Qantas Global Score (TPRM)

XXXX


Qantas Company CyberSecurity News & History

Past Incidents
12
Attack Types
3
Entity                   Type          Severity  Impact  Seen
Qantas Airways           Breach        85        4       6/2022
Qantas                   Breach        85        4       6/2025
Qantas                   Breach        85        4       6/1988
Qantas Airways           Cyber Attack  85        4       7/2024
Qantas                   Cyber Attack  85        4       7/2023
Qantas Airways Limited   Cyber Attack  100       5       7/2025
Qantas Airways           Cyber Attack  100       5       6/2024
Qantas                   Cyber Attack  100       5       10/2023
Qantas                   Ransomware    85        4       4/2024
Qantas                   Ransomware    85        4       5/2025
Qantas                   Ransomware    100       5       6/2023
Qantas Airways           Ransomware    100       5       10/2025

The Rankiteo explanation and description for each incident follow below.

Qantas Airways
Breach
Severity: 85
Impact: 4
Seen: 6/2022
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Qantas Airways, Australia's national carrier, disclosed a major cyberattack in early July 2025, after attackers gained access to a third-party platform (Salesforce) used by its customer contact centre. The attack resulted in the theft of customer data, including **names, email addresses, phone numbers, birthdays, home/business addresses, gender, and meal preferences**, affecting **5.7 million customers**. No financial data (credit cards, passports) was compromised, but the stolen information was **held for ransom and later shared online** by cybercriminals linked to the **Scattered Lapsus$ Hunters** group. Initial access came via **social engineering**: the attackers impersonated IT staff to trick contact-centre employees into granting access. Qantas obtained a legal injunction to block further data dissemination, though experts questioned its effectiveness. The incident is part of a broader campaign against multiple global firms (Disney, Google, Toyota, etc.) through their Salesforce environments, with the attackers demanding ransom by an **October 10 deadline**. It follows a May 2024 Qantas app glitch that exposed some passengers' booking details to other users, and the November 2023 cyber attack on Australian ports operator DP World.

Qantas
Breach
Severity: 85
Impact: 4
Seen: 6/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Hackers linked to the group *Scattered Lapsus$ Hunters* breached Qantas’ third-party **Salesforce environment** in mid-2025, exfiltrating and leaking **personal data of 5–5.7 million customers** (part of a broader 1-billion-record haul) on the dark web after a ransom deadline expired. The exposed data included **names, email addresses, phone numbers, dates of birth, and frequent-flyer numbers**, though **payment and passport details remained secure**. The attack exploited **social engineering and credential abuse** via integrated third-party connections rather than a direct Salesforce breach. While Qantas obtained an injunction to limit dissemination and enhanced monitoring, the leak heightens risks of **phishing, account takeovers, and reputational damage**, with regulators scrutinizing vendor controls under Australia’s stricter post-Optus data protection laws. The airline faces **increased customer-service costs, identity-protection expenses, and potential penalties**, alongside eroded passenger trust and commercial impacts like reduced frequent-flyer engagement. Strategic responses include **credential resets, scam-awareness campaigns, and tighter supplier access controls**, though long-term reputational recovery remains uncertain.
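The entry above describes access obtained through social engineering and credential abuse over integrated third-party connections, and lists tighter supplier access controls and enhanced monitoring among the responses. The following is an added example, not code from Rankiteo, Qantas or Salesforce, of the monitoring logic a defender would run over Salesforce-style API event logs: it alerts when a connected app outside an allow-list touches customer objects, and when any user/app pair pulls more than a threshold of customer rows inside a sliding one-hour window. The log rows, column names, app names, user IDs and IP addresses are constructed for the example and only loosely follow the Salesforce EventLogFile API event type; the allow-list and the threshold are assumptions.

```python
"""Added example: flag suspicious bulk exports of customer objects from a
Salesforce-style API event log. Log schema, app names and thresholds are
assumptions for this example, not the real Salesforce EventLogFile layout."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Qantas data). Columns loosely follow the
# Salesforce EventLogFile "API" event type; exact names are an assumption.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,API_TYPE,ENTITY_NAME,ROWS_PROCESSED,SOURCE_IP
2025-06-30T01:02:11Z,005A,Contact Centre Console,REST,Case,40,203.0.113.10
2025-06-30T01:05:40Z,005A,Contact Centre Console,REST,Contact,25,203.0.113.10
2025-06-30T01:40:02Z,005A,My Ticket Portal,Bulk,Contact,50000,198.51.100.7
2025-06-30T01:41:15Z,005A,My Ticket Portal,Bulk,Contact,50000,198.51.100.7
2025-06-30T01:42:30Z,005A,My Ticket Portal,Bulk,Account,50000,198.51.100.7
2025-06-30T02:10:00Z,005B,Contact Centre Console,REST,Contact,12,203.0.113.11
"""

# Assumed allow-list of sanctioned connected apps for contact-centre users.
KNOWN_APPS = {"Contact Centre Console"}
# Objects that hold customer PII; anything else is ignored by both rules.
CUSTOMER_OBJECTS = {"Contact", "Account", "Lead"}
ROW_THRESHOLD = 10_000          # customer rows per user+app per window before alerting
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the CSV log into dicts with typed 'ts' and 'rows' fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    return rows


def detect(rows, known_apps=KNOWN_APPS, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return a list of alerts. Rule 1: a connected app outside the allow-list
    reads a customer object (one alert per user+app). Rule 2: a user+app pair
    pulls more than `threshold` customer rows within any `window`-long span
    (sliding window over time-sorted events; one alert per pair, reporting the
    peak window total)."""
    alerts = []
    seen_unapproved = set()
    per_pair = defaultdict(list)           # (user, app) -> [(ts, rows)] in time order

    for r in sorted(rows, key=lambda e: e["ts"]):
        if r["ENTITY_NAME"] not in CUSTOMER_OBJECTS:
            continue
        key = (r["USER_ID"], r["CLIENT_NAME"])
        if r["CLIENT_NAME"] not in known_apps and key not in seen_unapproved:
            seen_unapproved.add(key)
            alerts.append({"rule": "unapproved_connected_app", "user": r["USER_ID"],
                           "app": r["CLIENT_NAME"], "ip": r["SOURCE_IP"],
                           "first_seen": r["TIMESTAMP"]})
        per_pair[key].append((r["ts"], r["rows"]))

    for (user, app), events in per_pair.items():
        start, total, peak = 0, 0, 0
        for ts, n in events:
            total += n
            while ts - events[start][0] > window:   # drop events older than the window
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold:
            alerts.append({"rule": "bulk_customer_export", "user": user, "app": app,
                           "rows_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises two alerts for user 005A: an unapproved app ("My Ticket Portal") reading customer objects, and 150,000 customer rows pulled by that user/app pair within one hour. The sanctioned console's small reads raise nothing. In production the same two rules would be fed from the real event log export and the allow-list would be the org's approved connected-app inventory.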

Qantas
Breach
Severity: 85
Impact: 4
Seen: 6/1988
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Qantas, Australia's flagship airline, fell victim in 2025 to a significant cybersecurity breach that ended with customer data exposed on the dark web. The incident impacted up to **5.7 million customers**, with compromised information including names, contact information and frequent flyer data; early reporting also raised the possibility of passport numbers, which Qantas later ruled out for the affected system. At the time of this summary the exact method of infiltration, whether a targeted attack, exploitation of a vulnerability or an insider, had not been disclosed; Qantas subsequently attributed it to social engineering of a third-party contact-centre platform. The exposure of such a dataset poses severe risks, including identity theft, phishing scams and financial fraud for affected individuals. The breach has already caused reputational damage, with customers voicing concerns over data security and trust in the airline's digital infrastructure. Regulatory scrutiny is expected, as Australian privacy law (the *Privacy Act 1988* and the *Notifiable Data Breaches scheme*) mandates reporting and mitigation. Qantas has stated it is working with cybersecurity experts and law enforcement to contain the fallout, but long-term consequences such as customer churn, legal liability and operational disruption could persist for years. The incident underscores the growing threat to high-profile organisations holding large volumes of personal data.

Qantas Airways
Cyber Attack
Severity: 85
Impact: 4
Seen: 7/2024
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Qantas Airways, Australia's flagship airline, suffered a cyber incident disclosed in July 2025, in which attackers breached a third-party platform used by its customer contact centre, exposing data of up to **6 million customers**. The compromised records included **names, email addresses, phone numbers, birth dates, and frequent flyer numbers**, though the airline confirmed that **credit card details, financial data, passports, passwords, and login credentials remained unaffected**. The breach was linked to **social engineering tactics**, with the FBI warning that the cybercriminal group **Scattered Spider**, known for impersonating employees to bypass IT security (including multifactor authentication), was targeting the airline sector. Qantas secured a **court order to block further dissemination** of the stolen data and implemented **enhanced security measures**, including staff training and system monitoring. While no ransomware was reported, the incident prompted concerns over **identity theft risks** and reputational damage. Customers were offered **specialist identity protection services**, and the airline committed to ongoing updates as investigations continue.

Qantas
Cyber Attack
Severity: 85
Impact: 4
Seen: 7/2023
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Hackers from the cybercrime collective **Scattered Lapsus$ Hunters** breached Qantas' systems via **vishing (voice phishing)**, tricking contact-centre employees into granting access to customer data stored on a **Salesforce-linked cloud platform**. The attack, first disclosed in **July 2025**, resulted in the theft of **nearly 6 million customer records**, including **names, email addresses, phone numbers, birth dates, frequent flyer numbers, home addresses, and gender details**, though no credit card data was compromised. After Qantas and Salesforce refused to pay a ransom, the hackers **leaked the stolen data on the dark web**, exposing affected individuals to **identity theft, phishing scams, and fraudulent account creation**. The breach compounds risks for Australians already impacted by prior incidents (e.g., Medibank, Optus), with authorities warning of **impersonation attempts, fake login prompts, and long-term dark web exploitation** of personal data. Qantas advised customers to enable **two-factor authentication**, avoid suspicious links, and monitor for unauthorized account activity.

Qantas Airways Limited
Cyber Attack
Severity: 100
Impact: 5
Seen: 7/2025
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: In October 2025, after the October 10 ransom deadline passed, the group *Scattered Lapsus$ Hunters* leaked **153 GB of Qantas Airways Limited customer and internal business data** (5M+ records) taken from the airline's Salesforce-hosted customer-service environment. Salesforce has said its platform itself was not breached; access stemmed from social engineering of contact-centre staff rather than a Salesforce vulnerability. The exposed dataset includes **highly sensitive PII**: full names, dates of birth, phone numbers, email addresses, mailing addresses, geolocation data, and **loyalty program details** (frequent flyer numbers, tier status, points balance, and internal CRM metadata such as *OwnerId*, *RecordTypeId*, and *Sensitive_Contact* flags). Additionally, **internal business reports** (e.g., *QCC Frequent Flyer Report*, *QCC Lounges Report*) and **customer notes** (e.g., opt-out preferences, account activity timestamps) were compromised. The dump is the culmination of the intrusion Qantas disclosed in **July 2025**, which came through a third-party contact-centre vendor and points to systemic weaknesses in supplier access. The leak poses severe risks of **identity theft, financial fraud, and reputational harm**, as threat actors could exploit the data for targeted phishing, account takeovers, or blackmail. The inclusion of **internal Salesforce IDs and CRM fields** further exposes Qantas to operational disruption and regulatory scrutiny under data protection laws (e.g., GDPR, Australia's *Privacy Act*). The attackers' **ransomware-like ultimatum** (demanding negotiations by October 10) and the subsequent public dump escalate the incident's gravity and signal potential **long-term trust erosion** among customers and partners.

Qantas Airways
Cyber Attack
Severity: 100
Impact: 5
Seen: 6/2024
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Qantas Airways suffered a major cyber breach in July 2025, where hackers accessed a third-party call center platform containing sensitive customer data. The stolen information included personal details of over **five million customers**: **one million** had phone numbers, birth dates, and home addresses compromised, while **four million** had names and email addresses exposed. Additional leaked data included frequent flyer details, genders, and meal preferences. The breach was linked to the **Scattered Lapsus$ Hunters** hacker group, which published the data after Qantas refused to meet ransom demands. Despite obtaining a court injunction to block further dissemination, cybersecurity experts like **Troy Hunt** dismissed its effectiveness, citing past failures in similar cases. The incident follows a wave of high-profile Australian breaches (Optus, Medibank, MediSecure) and aligns with a **25% surge in reported data breaches** in 2024, per the **Office of the Australian Information Commissioner**. Qantas is collaborating with cybersecurity firms and Australian agencies to mitigate fallout, though the leaked data—including addresses and birth dates—poses long-term risks of identity theft and fraud.
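The entry above splits the affected population by what was exposed (one million with phone numbers, birth dates and addresses, four million with names and email addresses), and the 5/2025 entry notes that attributes such as date of birth cannot be changed by the customer. An incident responder scoping notifications does that split mechanically over the dump. The following added example (not Rankiteo's or Qantas' code) tiers constructed sample records by whether immutable identifiers, a loyalty number, or only name and email were exposed, lists the loyalty accounts that need a forced credential reset, and pulls out records carrying the Sensitive_Contact flag mentioned in the 7/2025 entry for priority handling. Field names follow those reported on this page; the records, the CSV layout and the tier rules are assumptions.

```python
"""Added example: tier leaked customer records by the kind of identifier
exposed, to scope breach notifications. Records, CSV layout and tier rules
are assumptions; field names follow those reported on this page."""
import csv
import io
from collections import Counter

# Constructed sample (not real leaked data). Empty cells mean the field was
# not present for that customer in the dump.
SAMPLE_DUMP = """\
Id,Name,Email,Phone,Birthdate,MailingStreet,Frequent_Flyer_Number,Sensitive_Contact
003A,Customer A,a@example.com,,,,FF100,false
003B,Customer B,b@example.com,+61400000001,1980-01-01,1 Example St,FF101,false
003C,Customer C,c@example.com,,1975-05-05,,FF102,true
003D,Customer D,,+61400000002,,,FF103,false
003E,Customer E,e@example.com,,,,,false
"""

# Attributes the customer cannot easily rotate; their exposure drives the top tier.
IMMUTABLE = {"Birthdate", "MailingStreet", "Phone"}
# Attributes that enable account-level attacks on the loyalty programme.
ACCOUNT_KEYS = {"Frequent_Flyer_Number"}
# Columns that are record metadata rather than exposed customer attributes.
NON_ATTRIBUTE = {"Id", "Sensitive_Contact"}

TIER_MEANING = {
    3: "immutable identifiers exposed: identity-theft grade, individual notice plus identity protection",
    2: "loyalty number plus contact data: account-takeover and targeted-phishing risk, force credential reset",
    1: "name and/or email only: generic phishing risk, bulk notice",
}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def exposed_fields(rec):
    """Names of non-empty attribute columns for one record."""
    return {k for k, v in rec.items() if k not in NON_ATTRIBUTE and v.strip()}


def tier(rec):
    fields = exposed_fields(rec)
    if fields & IMMUTABLE:
        return 3
    if fields & ACCOUNT_KEYS:
        return 2
    return 1


def triage(records):
    """Summarise a dump: counts per tier, which fields drove tier 3, the IDs to
    force a loyalty credential reset on, and flagged sensitive contacts."""
    counts = Counter(tier(r) for r in records)
    tier3_drivers = Counter()
    for r in records:
        if tier(r) == 3:
            tier3_drivers.update(exposed_fields(r) & IMMUTABLE)
    reset_ids = [r["Id"] for r in records if exposed_fields(r) & ACCOUNT_KEYS]
    sensitive = [r["Id"] for r in records
                 if r.get("Sensitive_Contact", "").strip().lower() == "true"]
    return {
        "total": len(records),
        "by_tier": {t: counts.get(t, 0) for t in (3, 2, 1)},
        "tier3_drivers": dict(tier3_drivers),
        "force_credential_reset": reset_ids,
        "sensitive_contacts": sensitive,
    }


if __name__ == "__main__":
    summary = triage(load(SAMPLE_DUMP))
    for t in (3, 2, 1):
        print(f"tier {t}: {summary['by_tier'][t]} record(s); {TIER_MEANING[t]}")
    print(summary)
```

The tier rules are deliberately conservative: any record with a date of birth, address or phone number lands in tier 3 regardless of what else is present, because those are the fields that make follow-on identity fraud possible long after the leak. The "force_credential_reset" list is the input to the loyalty-programme reset the 6/2025 entry describes, and the Sensitive_Contact IDs would be routed to a manual review queue before any bulk notification goes out.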

Qantas
Cyber Attack
Severity: 100
Impact: 5
Seen: 10/2023
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: A cyberattack targeting **Salesforce** environments, including the third-party platform used by Qantas, exposed the personal data of **5.7 million customers**. The breach, linked to the **Scattered Lapsus$ Hunters** hacking group, involved **social engineering tactics** in which attackers posed as IT staff to gain unauthorized access. Compromised data included **names, email addresses, phone numbers, dates of birth, frequent flyer details, and in some cases, home/business addresses, gender, and meal preferences**. While **no credit card, passport, or banking details** were leaked, the attackers **held the stolen data for ransom**, demanding payment by October 10, 2025. Qantas secured a **legal injunction in Australia** to prevent further data dissemination, though experts doubted its global effectiveness. The incident is part of a **wider campaign** affecting other major brands such as Disney, Google, and Toyota, highlighting vulnerabilities in **shared cloud platforms** and the persistent threat of **ransomware-driven extortion**.

Qantas
Ransomware
Severity: 85
Impact: 4
Seen: 4/2024
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Hackers from the **Scattered Lapsus$ Hunters** group leaked the personal records of **5 million Qantas customers** on the dark web after the company failed to meet a ransom demand. The breach, originating from a **Salesforce database cyber-attack in June 2025**, exposed sensitive customer data, including **email addresses, phone numbers, birth dates, and frequent flyer numbers**, though no financial or passport details were compromised. The leaked data was part of a larger global hack affecting **over 40 companies**, with up to **1 billion customer records** stolen between **April 2024 and September 2025**. While Qantas secured a **NSW Supreme Court injunction** to restrict further dissemination, experts warn the exposed information could enable **personalized phishing scams and identity fraud**. The hackers publicly taunted Qantas with the message: *"Don't be the next headline, should have paid the ransom."* Salesforce denied platform compromise but acknowledged extortion attempts linked to past incidents. Qantas continues to offer **24/7 support and identity protection advice** to affected customers.

Qantas
Ransomware
Severity: 85
Impact: 4
Seen: 5/2025
Blog:
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Qantas suffered a significant cyber incident where **5.7 million customers' personal data**—including names, addresses, and potentially other personally identifiable information (PII)—was **stolen and leaked on the dark web** by the cybercrime group *Scattered Lapsus$ Hunters* after the airline refused to pay a ransom. The breach originated from a **phishing attack targeting a Qantas call center worker in the Philippines**, who was tricked into granting access to a third-party platform (Salesforce) containing customer records. The exposed data, which cannot be easily changed (e.g., names, dates of birth), heightens risks of **follow-on scams**, such as fraudsters impersonating Qantas to extract banking details under the guise of compensation. Customers reported **poor communication from Qantas**, with many learning of developments via media rather than direct notifications. The breach may result in **hefty financial penalties** under Australia’s Privacy Act, with experts arguing fines must be substantial to deter corporate negligence. The federal government reiterated its stance against negotiating with hackers, while Qantas offered limited support via IDCARE on a case-by-case basis. The incident underscores systemic vulnerabilities in third-party vendor security and corporate accountability.

Qantas
Ransomware
Severity: 100
Impact: 5
Seen: 6/2023
Blog:
Rankiteo Explanation
Attack threatening the organization's existence

Description: Cybercriminals exploited a third-party call center in June 2023 to gain unauthorized access to Qantas’ customer data. After stealing over **5 million records** (153GB) containing **names, email addresses, phone numbers, birth dates, and Qantas Frequent Flyer numbers**, the hackers demanded a ransom. When Qantas refused to comply—citing legal protections from an injunction—the attackers leaked the data on both the **dark web and open internet** on **October 7, 2023**. Initially sold for **$27** on a hacking forum, the dataset was later distributed for free. While **no credit card details, passports, or login credentials** were compromised, the exposed personal information poses risks of **identity theft, phishing, and fraud**. The breach was confirmed legitimate by cybersecurity expert **Troy Hunt**, who found his own family’s data in the leak. Qantas continues investigations with **Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP)**, offering identity protection services to affected customers. The incident is part of a broader campaign by the **Scattered Lapsus$ Hunters (SLSH)** group, which explicitly targeted Australian businesses, declaring a 'war' on the country’s organizations.

Qantas Airways
Ransomware
Severity: 100
Impact: 5
Seen: 10/2025
Blog:
Rankiteo Explanation
Attack threatening the organization’s existence

Description: The **Trinity of Chaos** ransomware collective (linked to Lapsus$, Scattered Spider, and ShinyHunters) exposed a significant breach of **Qantas Airways**, leaking **substantial PII records** of passengers, including loyalty program details, internal communications, and activity histories. The attack, initially disclosed via extortion emails, resulted in regulatory fines for negligence under GDPR-like frameworks (e.g., Australia’s *Privacy Act*), but the stolen data remains monetized on dark web markets. The breach likely stemmed from **Salesforce instance exploitation** (via vishing/OAuth token theft in Salesloft’s Drift AI chat integration), aligning with the group’s pattern of targeting high-value corporate data. The leaked samples confirm exposure of **millions of customer records**, heightening risks of identity theft, phishing, and reputational damage. Qantas’ failure to fully mitigate the incident—despite prior warnings—exacerbates compliance and operational risks, with cybercriminals leveraging the data for ongoing malicious campaigns, including AI-driven social engineering.


Underwriter Stats for Qantas

Incidents vs Airlines and Aviation Industry Average (This Year)

Qantas has 525.0% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Qantas has 412.82% more incidents than the average of all companies with at least one recorded incident.

Incident Types Qantas vs Airlines and Aviation Industry Avg (This Year)

Qantas reported 4 incidents this year: 1 cyber attack, 2 ransomware, 0 vulnerabilities, 1 data breach, compared to industry peers with at least 1 incident.

Incident History — Qantas (X = Date, Y = Severity)

Qantas cyber incidents detection timeline including parent company and subsidiaries


Qantas Similar Companies

Delta Air Lines

Delta Air Lines (NYSE: DAL) is the U.S. global airline leader in safety, innovation, reliability and customer experience. Powered by our employees around the world, Delta has for a decade led the airline industry in operational excellence while maintaining our reputation for award-winning customer s

JetBlue

When JetBlue first took flight in February 2000, our founding goal was to bring humanity back to air travel, and over two decades later, we still put our customers, crewmembers and communities at the center of everything we do. Before we even had aircraft to fly, our founders selected five values

China Eastern Airlines, North America

As one of the three major air carriers in China, headquartered in Shanghai, China Eastern Airlines operates 111 domestic and overseas branches across the globe. Flying a fleet of 730 aircraft which is one of the youngest fleets in major airlines worldwide. Moreover, it boasts the largest-scale in-fl

SpiceJet Limited

Red. Hot. Spicy. That’s not just our tagline, it’s how we fly. Red reflects the bold spirit we bring to every journey, energetic, passionate, and full of heart. Hot captures the warmth of our service and the vibrant destinations we connect. Spicy is our drive to keep travel exciting through innovati

Air Canada

Canada's largest airline, the country’s flag carrier and a founding member of Star Alliance, the world's most comprehensive air transportation network celebrating its 25th anniversary in 2022, Air Canada provides scheduled passenger service directly to 51 airports in Canada, 51 in the United States a

American Airlines

Embark on an adventure with a commitment to service, excellence and humanity. Our team is what powers our airline. We are proudly dedicated to our purpose of caring for people on life’s journey, including connecting our customers to the people and places they love or providing our team members devel

AirAsia

It all starts here. 23 years ago, a dream took flight - shaping and forever changing the travel industry in Asia. The idea was simple: Make flying affordable for everyone. We made that dream happen. We started an airline in 2001. Today, we’ve evolved to become something much bigger. We’re now a wo

Southwest Airlines

At Southwest®, everything we do—from our smiling People to our policies—is designed to let you go with Heart. No matter what comes up in your travels, we’ve got your back. Because while any airline can fly you, only Southwest lets you go with Heart. Application fees don’t fly. The only way to apply

Ryanair - Europe's Favourite Airline

Ryanair Holdings plc, Europe’s largest airline group, is the parent company of Ryanair DAC, Lauda, Buzz and Ryanair UK. Carrying 160m+ guests p.a. on over 3,000 daily flights to/from 225 airports. Plan to carry 225m+ guests p.a. by 2026. Unfortunately, we are unable to answer customer service que


Qantas CyberSecurity News

November 01, 2025 07:00 AM
Knee-jerk corporate responses to data leaks protect brands like Qantas — but consumers are getting screwed

When courts ban people from accessing leaked data – as happened after the airline's data breach – only hackers and scammers win.

October 31, 2025 10:52 AM
Qantas Shuffles Leadership After Cyber Attack Exposes Millions

Recent executive changes at Qantas follow a major data breach, as the airline looks to restore its reputation and tighten digital security.

October 31, 2025 07:00 AM
'Change Effective Immediately', says Qantas CEO in memo to employees on resignation of customer head afte

Tech News News: Qantas CEO Vanessa Hudson announced a key executive departure, with Chief Customer and Digital Officer Catriona Larritt...

October 31, 2025 07:00 AM
Qantas cyber security boss resigns, prompting executive reshuffle

Qantas cyber security boss resigns, prompting executive reshuffle ... Qantas will reorganise its executive team following the resignation of its...

October 30, 2025 02:31 PM
Qantas restructures leadership following cyber breach; chief customer and digital officer to exit

Larritt, who has been with Qantas since 2015, previously held key roles across Jetstar and Freight before assuming her current position in September 2023.

October 30, 2025 10:50 AM
Qantas' digital and customer head steps down months after cyber breach, internal memo shows

(Reuters) - Qantas's chief customer and digital officer Catriona Larritt will step down by the end of December, according to an internal memo seen by...

October 30, 2025 07:00 AM
Qantas' digital and customer head steps down months after cyber breach, internal memo shows

Qantas's chief customer and digital officer Catriona Larritt will step down by the end of December, according to an internal memo seen by...

October 19, 2025 07:00 AM
Envoy Air Joins Qantas, Aeroflot, Vietnam Airlines in Facing Worst Cybersecurity Breach, This is the Biggest Threat to Aviation Sector This Year

The breach was discovered after the hacker group began leaking stolen data on its dark web platform, accusing the airline of poor cybersecurity...

October 17, 2025 07:00 AM
Qantas Data Breach Exposes Personal Information Of Over 5 Million Customers

Qantas Airways confirmed that hackers leaked customer data on the dark web after the airline missed the ransom deadline.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Qantas CyberSecurity History Information

Official Website of Qantas

The official website of Qantas is https://www.qantas.com.

Qantas’s AI-Generated Cybersecurity Score

According to Rankiteo, Qantas’s AI-generated cybersecurity score is 100, reflecting their Critical security posture.

How many security badges does Qantas have?

According to Rankiteo, Qantas currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Qantas have SOC 2 Type 1 certification?

According to Rankiteo, Qantas is not certified under SOC 2 Type 1.

Does Qantas have SOC 2 Type 2 certification?

According to Rankiteo, Qantas does not hold a SOC 2 Type 2 certification.

Does Qantas comply with GDPR?

According to Rankiteo, Qantas is not listed as GDPR compliant.

Does Qantas have PCI DSS certification?

According to Rankiteo, Qantas does not currently maintain PCI DSS compliance.

Does Qantas comply with HIPAA?

According to Rankiteo, Qantas is not compliant with HIPAA regulations.

Does Qantas have ISO 27001 certification?

According to Rankiteo, Qantas is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Qantas

Qantas operates primarily in the Airlines and Aviation industry.

Number of Employees at Qantas

Qantas employs approximately 17,358 people worldwide.

Subsidiaries Owned by Qantas

Qantas presently has no subsidiaries across any sectors.

Qantas’s LinkedIn Followers

Qantas’s official LinkedIn profile has approximately 603,826 followers.

NAICS Classification of Qantas

Qantas is classified under the NAICS code 481, which corresponds to Air Transportation.

Qantas’s Presence on Crunchbase

Yes, Qantas has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/qantas.

Qantas’s Presence on LinkedIn

Yes, Qantas maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/qantas.

Cybersecurity Incidents Involving Qantas

As of December 11, 2025, Rankiteo reports that Qantas has experienced 12 cybersecurity incidents.

Number of Peer and Competitor Companies

Qantas has an estimated 3,516 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Qantas?

Incident Types: The types of cybersecurity incidents that have occurred include Ransomware, Cyber Attack and Breach.

How does Qantas detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures, recorded per incident:

• incident response plan activated with likely (e.g., google’s mitigation for unc6040); incident response plan activated with salesforce flash warning (fbi); third party assistance with resecurity (threat intelligence); third party assistance with fbi (investigation); third party assistance with dark web monitoring firms; law enforcement notified with fbi (flash warning); law enforcement notified with potential gdpr regulators (eu); law enforcement notified with australian authorities (qantas); containment measures with salesforce instance isolation; containment measures with oauth token revocation; containment measures with dark web takedown attempts (ddos on dls); remediation measures with patch management (salesforce); remediation measures with multi-factor authentication (mfa) enforcement; remediation measures with employee training (anti-phishing); recovery measures with data restoration (backups); recovery measures with customer notification (e.g., stellantis); recovery measures with regulatory filings; communication strategy with public statements (downplaying impact, e.g., salesforce); communication strategy with customer advisories (deadline: 2025-10-10); communication strategy with media engagement; network segmentation with likely (to isolate salesforce instances); enhanced monitoring with fbi indicators of compromise (iocs); enhanced monitoring with dark web threat intelligence.
• incident response plan activated with yes (24/7 support line, identity protection advice); third party assistance with external cybersecurity experts; third party assistance with legal support (nsw supreme court injunction); law enforcement notified with yes (investigated with authorities); containment measures with legal injunction to block data access/use; remediation measures with customer support (identity protection advice); remediation measures with monitoring for suspicious activity; communication strategy with public statements; communication strategy with customer advisories; enhanced monitoring with likely (advised customers to monitor accounts).
• incident response plan activated with yes (collaboration with acsc, afp, and cybersecurity experts); third party assistance with australian cyber security centre (acsc); third party assistance with australian federal police (afp); third party assistance with specialist cybersecurity experts (unnamed); law enforcement notified with yes (afp, fbi involved; nsw supreme court injunction obtained); containment measures with legal injunction to block data access/release; containment measures with dark web monitoring; remediation measures with investigation into leaked data scope; remediation measures with identity protection services for affected customers; recovery measures with 24/7 support line for customers; recovery measures with ongoing updates via qantas website; communication strategy with public statements (via abc, information age); communication strategy with website updates; communication strategy with direct customer notifications (via email/support line); enhanced monitoring with likely (given collaboration with acsc/afp).
• third party assistance with australian security services; third party assistance with legal counsel (for injunction); containment measures with legal injunction to block data dissemination; containment measures with access revocation for compromised systems; remediation measures with customer notifications (email); remediation measures with impact analysis (google); communication strategy with public statements (qantas, google); communication strategy with media engagement.
• third party assistance with salesforce; third party assistance with law enforcement; containment measures with credential resets; containment measures with increased monitoring for unusual activity; containment measures with injunction to deter data dissemination; remediation measures with strengthened monitoring capabilities; remediation measures with supplier access tightening; recovery measures with customer communications (scam awareness); recovery measures with identity protection support; communication strategy with public statements; communication strategy with customer advisories on scam prevention.
• incident response plan activated with yes (investigation ongoing since july); third party assistance with federal government; third party assistance with australian federal police; third party assistance with cybersecurity experts; law enforcement notified with yes; containment measures with nsw supreme court injunction to block data access; containment measures with dark web monitoring; recovery measures with customer notifications (july); recovery measures with advisories on phishing risks; communication strategy with public statements (july and post-dark web leak); communication strategy with direct emails to affected customers; communication strategy with media interviews (e.g., transport minister catherine king); enhanced monitoring with dark web channels monitored to confirm leaked data.
• containment measures with legal injunction to prevent data spread (australia-only); communication strategy with public disclosure; communication strategy with customer notifications (e.g., google notified affected partners).
• incident response plan activated with yes (collaboration with cybersecurity experts); third party assistance with cybersecurity experts (unnamed); third party assistance with australian security agencies; law enforcement notified with yes (australian authorities); containment measures with court injunction to block data access/use; containment measures with third-party platform review; recovery measures with customer communication; recovery measures with data leak investigation; communication strategy with public statements (oct 12, 2025); communication strategy with social media updates; communication strategy with customer advisories.
• incident response plan activated with likely (given scale, but not publicly confirmed); third party assistance with cybersecurity firms (e.g., mandiant, crowdstrike) likely engaged; third party assistance with salesforce’s internal security team; law enforcement notified with probable (fbi, interpol, or national cybercrime units); containment measures with salesforce likely patched the exploited vulnerability; containment measures with affected companies may have isolated crm systems; containment measures with password resets for exposed accounts; remediation measures with forensic analysis of breached systems; remediation measures with customer notifications (where legally required); remediation measures with credit monitoring services for affected individuals; communication strategy with limited public statements (e.g., qantas acknowledged july 2025 third-party breach but did not name vendor); communication strategy with telegram/dark web monitoring for further leaks; network segmentation with likely implemented post-breach; enhanced monitoring with expected for salesforce and affected companies.
• third party assistance with cybersecurity experts; containment measures with court order to block data access/use; containment measures with third-party platform isolation; remediation measures with increased team training; remediation measures with strengthened system monitoring/detection; recovery measures with customer identity protection services; recovery measures with ongoing updates via website/support line; communication strategy with public statements; communication strategy with customer notifications (specific data impact); communication strategy with website updates.
• third party assistance with idcare (identity support for affected customers); recovery measures with case-by-case support via idcare; communication strategy with statement on qantas website; communication strategy with no direct customer notifications (criticized); communication strategy with public disclosure (confirmed exposure).

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: Trinity of Chaos Ransomware Collective Data Leak Site (DLS) Disclosure

Description: The Trinity of Chaos, a ransomware collective associated with Lapsus$, Scattered Spider, and ShinyHunters, launched a Data Leak Site (DLS) on the TOR network containing 39 companies impacted by past attacks. The group released previously undisclosed information about successful breaches, including data samples from Salesforce instances exploited via vishing and stolen OAuth tokens (Salesloft’s Drift AI chat integration). Threat actors threatened to report breaches to regulators (e.g., GDPR) and disclosed deadlines (October 10, 2025) for negotiation to prevent further data publication. The leaked data includes PII, internal communications, and records from Fortune 100 companies, airlines, and technology giants like Cisco and Google. The group claims over 1.5 billion records across 760 companies, with potential impacts including lawsuits, regulatory fines, and advanced phishing campaigns.

Date Publicly Disclosed: 2025-10-03

Type: Data Breach

Attack Vector: Vishing, Stolen OAuth Tokens, Salesforce Instance Exploitation (Salesloft’s Drift AI Chat Integration), Dark Web Data Leak Site (DLS), Social Engineering

Vulnerability Exploited: Salesforce Instance Misconfiguration, Salesloft’s Drift AI Chat Integration (OAuth Token Theft), Unpatched Systems (Historical), Human Error (Phishing/Vishing)

Threat Actor: Trinity of Chaos, Lapsus$, Scattered Spider, ShinyHunters, UNC6040, UNC6395, 1973cn

Motivation: Financial Gain, Data Monetization, Reputation Damage, Regulatory Pressure (GDPR Fines), Disruption

Incident : Data Breach

Title: Qantas Customer Data Leak by Scattered Lapsus$ Hunters

Description: Hackers leaked the personal records of 5 million Qantas customers on the dark web after a ransom deadline passed. The data, stolen from a Salesforce database in June, included email addresses, phone numbers, birth dates, and frequent flyer numbers. The hacker collective Scattered Lapsus$ Hunters demanded payment to prevent the data from being shared, but Qantas refused to pay. The leak is part of a larger breach affecting over 40 global companies, with up to 1 billion customer records compromised.

Date Detected: 2024-06

Date Publicly Disclosed: 2024-09-21

Type: Data Breach

Attack Vector: Third-Party (Salesforce Database), Data Exfiltration

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion), Reputation Damage

Incident : Data Breach

Title: Qantas Customer Data Leak via Third-Party Call Center Exploit

Description: Cybercriminals published 153GB of alleged Qantas customer data (5 million records) on the dark web and open internet after the airline refused to comply with ransom demands. The breach originated from a third-party call center exploit in June 2023, with data including names, email addresses, phone numbers, birth dates, and Qantas Frequent Flyer numbers. No financial data, passports, or login credentials were compromised. The leak was part of a broader campaign by the Scattered Lapsus$ Hunters (SLSH) group targeting Salesforce customers, though Qantas was one of only six victims whose data was ultimately released. The group declared a specific focus on Australian businesses, citing retaliation for past incidents like the 2022 Optus breach.

Date Detected: 2023-06

Date Publicly Disclosed: 2023-10-07

Type: Data Breach

Attack Vector: Third-Party Call Center Exploit, Voice Phishing (UNC60400), Dark Web Data Dump

Vulnerability Exploited: Unspecified vulnerability in third-party call center platform (linked to Salesforce customer management instances)

Threat Actor: Scattered Lapsus$ Hunters (SLSH), UNC60400

Motivation: Financial Gain (Ransom Extortion), Retaliation Against Australian Businesses, Reputation Damage

Incident : Data Breach

Title: Qantas Airways and Multiple Global Firms Data Breach via Salesforce Cyberattack

Description: Australian national carrier Qantas Airways confirmed that data from ~5.7 million customers stolen in a cyberattack was shared online, part of a broader leak affecting dozens of firms (including Disney, Google, IKEA, Toyota, McDonald's, Air France, and KLM). The attack targeted Salesforce, with hackers using social engineering to breach a third-party customer contact center system. Sensitive customer data (names, emails, addresses, birthdays, etc.) was exfiltrated and held for ransom by the Scattered Lapsus$ Hunters group. No financial or passport data was compromised. Qantas obtained a legal injunction to block data dissemination, though experts doubt its effectiveness.

Date Detected: 2023-07-XX

Date Publicly Disclosed: 2023-07-XX (Qantas); 2023-08-XX (Google); 2023-10-XX (public leak)

Type: Data Breach

Attack Vector: Social Engineering, Phishing (IT Impersonation), Third-Party Exploitation (Salesforce)

Vulnerability Exploited: Human error (tricked customer support employees into granting access)

Threat Actor: Scattered Lapsus$ Hunters (cybercriminal alliance)

Motivation: Financial Gain (Ransom), Data Theft for Dark Web Sale

Incident : Data Breach

Title: Qantas Customer Data Breach by Scattered Lapsus$ Hunters

Description: Hackers tied to the group 'Scattered Lapsus$ Hunters' published Qantas customer data on the dark web after a ransom deadline expired. The breach, linked to a compromised third-party Salesforce environment in mid-2025, exposed personal details of 5-5.7 million customers, including names, email addresses, phone numbers, dates of birth, and frequent-flyer numbers. No payment data or passport records were accessed. Qantas obtained an injunction to deter dissemination and has strengthened monitoring capabilities while supporting impacted customers.

Type: Data Breach

Attack Vector: Social Engineering, Credential Abuse, Third-Party Vulnerability (Salesforce)

Vulnerability Exploited: Third-party Salesforce tenant misconfiguration/access controls

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion), Data Theft for Dark Web Sale

Incident : Data Breach

Title: Qantas Customer Data Leak on the Dark Web

Description: Hackers from the cybercrime collective Scattered Lapsus$ Hunters released Qantas customer data onto the dark web after the airline and Salesforce refused to pay a ransom. The breach, initially disclosed in July, involved vishing (voice phishing) attacks to trick employees into granting access to customer data. Nearly 6 million records were compromised, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The Australian government and Qantas are investigating the leak, which follows similar high-profile breaches affecting Medibank and Optus.

Date Detected: 2023-07-00

Date Publicly Disclosed: 2023-07-00

Type: Data Breach

Attack Vector: Vishing (Voice Phishing)

Vulnerability Exploited: Human Error (Social Engineering via Phone Calls)

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial Gain (Extortion/Ransom)

Incident : Data Breach

Title: Salesforce Breach Exposes Data from 5.7 Million Qantas Customers and Other Global Brands

Description: A cyberattack on Salesforce exposed data from 5.7 million Qantas customers, along with other global brands like Disney, Google, Toyota, IKEA, McDonald’s, Air France, and KLM. The attackers, identified as Scattered Lapsus$ Hunters, used social engineering to gain access to third-party platforms and are holding the stolen data for ransom. Personal details such as names, email addresses, phone numbers, and dates of birth were compromised, though no financial or passport information was exposed. Qantas secured a legal injunction in Australia to limit data spread, but its effectiveness outside the country is questioned.

Date Detected: 2023-07-00

Date Publicly Disclosed: 2023-10-00

Type: Data Breach

Attack Vector: Social Engineering (Impersonation of IT Staff/Trusted Representatives)

Vulnerability Exploited: Human Error (Credential Sharing/System Access Granted via Deception)

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial Gain (Ransom Extortion)

Incident : Data Breach

Title: Qantas Airways Customer Data Breach via Third-Party Salesforce Platform

Description: Australia's Qantas Airways confirmed that hackers released stolen customer data months after a cyber breach in July 2025. The breach targeted a third-party call center platform, exposing personal information of over 5 million customers, including names, email addresses, phone numbers, birth dates, home addresses, genders, and meal preferences. The hacker group Scattered Lapsus$ Hunters is believed to be responsible after their ransom deadline passed. Qantas obtained a court injunction to block further data dissemination but faced skepticism about its effectiveness.

Date Detected: 2025-07

Date Publicly Disclosed: 2025-10-12

Type: Data Breach

Attack Vector: Third-Party Platform Exploitation (Salesforce/Call Center), Data Exfiltration, Public Data Release

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial (Ransom), Data Theft for Dark Web Sale, Reputation Damage

Incident : Data Breach

Title: Massive Data Breach via Salesforce Vulnerability by Scattered Lapsus$ Hunters (2025)

Description: On October 3, 2025, hackers under the collective name 'Scattered Lapsus$ Hunters' (a fusion of Scattered Spider, Lapsus$, and ShinyHunters) claimed to have stolen 989 million records from 39 major global companies by exploiting a Salesforce vulnerability. The group demanded negotiations with Salesforce and the affected firms by October 10, 2025, threatening to release the entire dataset if ignored. On October 10, 2025, they publicly leaked data from 6 of the 39 companies: Qantas Airways, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources. The leaked data includes PII, loyalty program details, CRM metadata, and internal business records, posing severe risks of identity theft, fraud, and reputational damage.

Date Detected: 2025-10-03

Date Publicly Disclosed: 2025-10-03

Type: Data Breach

Attack Vector: Exploitation of Salesforce Vulnerability, Unauthorized Data Exfiltration

Vulnerability Exploited: Unspecified Salesforce vulnerability (likely API or authentication flaw)

Threat Actor: Scattered Lapsus$ Hunters (affiliations: Scattered Spider, Lapsus$, ShinyHunters; type: Hacktivist/Cybercriminal Collective)

Motivation: Financial Extortion, Reputation Damage, Data Theft for Dark Web Sales

Incident : Data Breach

Title: Qantas Airways Customer Data Breach via Third-Party Platform

Description: Australia's Qantas Airways confirmed that customer data was posted online following a July 2024 cyber incident impacting a third-party platform used by its contact center. The breach exposed service records for 6 million people, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The airline secured a court order to block further dissemination of the stolen data and implemented enhanced security measures, including increased team training and system monitoring. The FBI linked the attack to the 'Scattered Spider' cybercrime group, known for social engineering and MFA bypass techniques targeting large corporations and their IT vendors.

Date Detected: 2024-07

Date Publicly Disclosed: 2024-07

Type: Data Breach

Attack Vector: Social Engineering, MFA Bypass, Third-Party Platform Exploitation

Vulnerability Exploited: Weak IT Help Desk Authentication Protocols, Insufficient Third-Party Vendor Security

Threat Actor: Scattered Spider

Motivation: Data Theft, Extortion

Incident : Data Breach

Title: Qantas Customer Data Leak on the Dark Web

Description: Frustration is mounting among Qantas customers after their names and addresses were released on the dark web by the cybercrime collective Scattered Lapsus$ Hunters. The stolen data of 5.7 million customers was exposed after Qantas failed to pay the demanded ransom. The breach occurred in July when cybercriminals tricked a Qantas call center worker in the Philippines into handing over access to customer information stored on the third-party platform Salesforce. Affected customers have criticized Qantas for poor communication and lack of support, while experts warn of potential scams and regulatory fines under the Australian Privacy Act.

Date Detected: 2023-07

Type: Data Breach

Attack Vector: Social Engineering, Third-Party Compromise (Salesforce), Insider Manipulation (Call Center Worker)

Vulnerability Exploited: Human Error (Tricked Call Center Worker), Third-Party Platform Security (Salesforce)

Threat Actor: Scattered Lapsus$ Hunters

Motivation: Financial Gain (Ransom Demand), Data Theft for Dark Web Sale

Incident : Data Breach

Title: Qantas Customer Data Exposed on Dark Web

Description: Qantas confirmed that the data of up to 5.7 million customers had been exposed on the dark web.

Type: Data Breach

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Cyber Attack.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents as: Stolen OAuth Tokens (Salesloft Drift), Vishing Attacks, Compromised Corporate Emails, Exploited Salesforce Misconfigurations; Salesforce Database (compromised between April 2024 and September 2025); Third-Party Call Center (linked to Salesforce customer management platform); Customer support employees (tricked via IT impersonation); Compromised Salesforce tenant (third-party); Vishing (voice phishing calls to employees); Salesforce Customer Contact Centre (via Third-Party Platform); Third-Party Call Center Platform (Salesforce-linked); Exploited Salesforce vulnerability (likely API or authentication flaw); Third-Party Contact Center Platform; and Qantas Call Center Worker in the Philippines (Tricked via Social Engineering).

Impact of the Incidents

What was the impact of each incident ?

Incident : Data Breach QAN2902229100425

Data Compromised: PII (passenger info, loyalty points, activity history), Internal communications, Customer-vendor relationships, Employee records (law enforcement, military, federal agencies), Advertising partner data (Google AdWords), Salesforce records (accounts, contacts, opportunities)

Systems Affected: Salesforce Instances, Salesloft’s Drift AI Chat Integration, Corporate Email Systems, Dark Web Data Leak Site (DLS), Telegram Channels

Operational Impact: Disrupted Retail/Production (e.g., Jaguar Land Rover); Regulatory Investigations (GDPR, Criminal Negligence); Potential Lawsuits; Government Shutdown Overlap (U.S. Federal Agencies)

Customer Complaints: Expected due to PII exposure

Brand Reputation Impact: High (Fortune 100 companies, global brands); Loss of Trust in Salesforce Security; Media Scrutiny

Legal Liabilities: GDPR Fines (EU-based victims); Criminal Negligence Charges (e.g., Qantas); Class-Action Lawsuits

Identity Theft Risk: High (1.5B+ records with PII); Targeted Phishing/Social Engineering

Payment Information Risk: Low (Most samples lack passwords but include PII)

Incident : Data Breach QAN2562025101125

Data Compromised: Email addresses, Phone numbers, Birth dates, Frequent flyer numbers

Systems Affected: Salesforce Database

Operational Impact: Customer Support Burden, Legal Injunctions

Customer Complaints: Expected (due to personal data exposure)

Brand Reputation Impact: High (negative publicity, loss of customer trust)

Legal Liabilities: NSW Supreme Court Injunction to Prevent Data Misuse

Identity Theft Risk: High (personal data exposed, risk of phishing/scams)

Payment Information Risk: Low (no credit card or financial data exposed)

Incident : Data Breach QAN3602036101325

Data Compromised: Customer names, Email addresses, Phone numbers, Birth dates, Qantas frequent flyer numbers

Systems Affected: Third-Party Call Center Platform, Customer Management System (Salesforce Instance)

Operational Impact: Ongoing investigation and customer support operations; legal injunctions to mitigate data spread

Customer Complaints: Reported concerns from affected customers (e.g., Troy Hunt confirmed personal/family data exposure)

Brand Reputation Impact: High; publicized leak of 5M records, including high-profile individuals (e.g., Troy Hunt), with potential long-term trust erosion

Legal Liabilities: NSW Supreme Court Interim Injunction (July 2023), Potential GDPR/Privacy Act Violations, AFP/FBI Investigation

Identity Theft Risk: Moderate (PII exposed but no financial/password data)

Payment Information Risk: None (no credit card or financial data compromised)

Incident : Data Breach QAN2402124101325

Systems Affected: Salesforce corporate servers, Qantas customer contact center system

Operational Impact: Legal injunction filed; customer notifications; reputational damage

Brand Reputation Impact: High (publicized breach of 5.7M records; part of multi-company attack)

Legal Liabilities: Legal injunction obtained (Supreme Court of New South Wales)

Identity Theft Risk: Moderate (PII exposed: names, emails, addresses, birthdays)

Payment Information Risk: None (no credit card or financial data compromised)

Incident : Data Breach QAN0302203101325

Data Compromised: Names, Email addresses, Phone numbers, Dates of birth, Frequent-flyer numbers

Systems Affected: Salesforce Tenant (Third-Party)

Operational Impact: Increased Customer Service Loads, Identity Protection Costs, Reputational Damage

Conversion Rate Impact: Potential decline in frequent-flyer engagement and bookings

Customer Complaints: Expected increase due to phishing risks and trust erosion

Brand Reputation Impact: Severe; undermined passenger trust, regulatory scrutiny

Legal Liabilities: Potential fines under Australia's post-Optus regime, Enforceable undertakings

Identity Theft Risk: High (phishing, account takeover attempts)

Payment Information Risk: None (no payment data exposed)

Incident : Data Breach QAN2562025101325

Data Compromised: Names, Email addresses, Phone numbers, Birth dates, Frequent flyer numbers, Home addresses (for some customers), Gender (for some customers)

Systems Affected: Qantas Customer Database (hosted on Salesforce platform)

Operational Impact: Increased customer support demands, reputational damage, legal injunctions to prevent data access

Customer Complaints: Reports of impersonation attempts and unauthorized account access post-breach

Brand Reputation Impact: High (part of a series of major Australian breaches, including Medibank and Optus)

Legal Liabilities: NSW Supreme Court injunction filed to block access to stolen data; potential regulatory scrutiny

Identity Theft Risk: High (phishing attempts reported, including MyGov account access attempts)

Payment Information Risk: None (credit card details reportedly not affected)

Incident : Data Breach QAN5632856101325

Systems Affected: Salesforce Customer Contact Centre Platform

Brand Reputation Impact: High (Global Brands Affected, Public Disclosure of Breach)

Legal Liabilities: Qantas Secured Injunction from Supreme Court of New South Wales to Prevent Data Publication/Sharing

Identity Theft Risk: Moderate (Personal Details Like Names, Emails, Phone Numbers, DOBs Exposed)

Payment Information Risk: None (No Credit Card, Passport, or Banking Information Compromised)

Incident : Data Breach QAN2733027101325

Data Compromised: Names (5m+ customers), Email addresses (5m+ customers), Frequent flyer details (5m+ customers), Home/business addresses (~1m customers), Phone numbers (~1m customers), Birth dates (~1m customers), Genders (~1m customers), Meal preferences (~1m customers)

Systems Affected: Third-Party Call Center Platform (Salesforce-linked), Customer Database

Operational Impact: Customer Trust Erosion, Legal Injunction Enforcement, Cybersecurity Investigation Overhead

Customer Complaints: High (public outcry reported)

Brand Reputation Impact: Severe (one of Australia's largest breaches, trending on social media)

Legal Liabilities: Court Injunction Filed to Block Data Dissemination, Potential Regulatory Fines (under Australian cyber resilience laws)

Identity Theft Risk: High (PII including addresses, birth dates, and phone numbers exposed)

Incident : Data Breach QAN0192201101325

Data Compromised: Total Records: 989,000,000. Leaked Records: Qantas Airways: 5,000,000; Vietnam Airlines: 23,000,000; Albertsons: 672,000; GAP, INC.: 224,000; Fujifilm: 224,000; Engie Resources: 537,000; total leaked: 29,733,000. Data Types: Personally Identifiable Information (PII), Loyalty Program Data, Internal CRM Metadata, Business Contact Details, Geolocation Data, Financial Transaction Records, Corporate Tax Information, Travel History, Customer Preferences, Internal Reports/Links

Systems Affected: Salesforce CRM Platform, Third-Party Vendor Systems (e.g., Qantas' July 2025 breach)

Operational Impact: Potential disruption to customer service operations (e.g., loyalty programs, CRM); Increased fraud monitoring costs; Regulatory scrutiny and compliance burdens

Customer Complaints: Expected surge due to PII exposure and identity theft risks

Brand Reputation Impact: Severe damage to trust in affected companies and Salesforce; Potential customer churn; Negative media coverage

Legal Liabilities: GDPR violations (for EU customer data); Class-action lawsuits; Regulatory fines (e.g., CCPA, APPI)

Identity Theft Risk: High (due to exposed PII: passports, addresses, DOB, etc.)

Payment Information Risk: Moderate (some datasets include financial metadata but not full payment details)

Incident : Data Breach QAN3292432101325

Data Compromised: Names, Email addresses, Phone numbers, Birth dates, Frequent flyer numbers

Systems Affected: Third-Party Contact Center Platform

Operational Impact: Increased Security Measures, Legal Court Order Enforcement, Customer Notification Campaign

Brand Reputation Impact: High (Public Disclosure of 6M Records, Media Coverage)

Legal Liabilities: Court Order to Block Data Dissemination

Identity Theft Risk: Moderate (PII Exposed but No Financial/Passport Data)

Payment Information Risk: None (Credit Card/Payment Details Not Affected)

Incident : Data Breach QAN2502025101425

Data Compromised: Names, Addresses, Personally identifiable information (PII)

Systems Affected: Salesforce (Third-Party Platform)

Operational Impact: Customer Trust Erosion, Reputational Damage, Potential Regulatory Fines

Customer Complaints: Poor Communication, Lack of Direct Notifications, Anxiety Over Identity Theft Risks

Brand Reputation Impact: Severe Damage Due to Poor Handling, Public Criticism, Media Scrutiny

Legal Liabilities: Potential Fines Under Australian Privacy Act, Regulatory Investigations

Identity Theft Risk: High (Due to PII Exposure)

Incident : Data Breach QAN1562015101925

Data Compromised: Customer data (up to 5.7 million records)

Brand Reputation Impact: Potential reputational damage due to exposure of customer data

Identity Theft Risk: High (customer data exposed on dark web)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are PII (Passenger Records, Loyalty Points), Corporate Emails, Internal Communications, Customer-Vendor Relationships, Employee Data (Law Enforcement/Military), Advertising Partner Data (Google AdWords), Salesforce Records (Accounts, Contacts, Cases); Personal Identifiable Information (PII), Contact Information; Personally Identifiable Information (PII), Loyalty Program Data; Personal Identifiable Information (PII), Customer Records; Personal Identifiable Information (PII), Frequent-Flyer Data; Personally Identifiable Information (PII), Customer Account Data; Personal Identifiable Information (PII), Frequent Flyer Information, Contact Details, Demographic Data (Gender, Meal Preferences), Addresses (Home/Business); Personally Identifiable Information (PII), Customer Profiles, Frequent Flyer Data, Preference Data (e.g., Meal Choices); Personally Identifiable Information (PII), Loyalty Program Data, Customer Relationship Management (CRM) Metadata, Internal Business Records, Geolocation Data, Corporate Contact Information, Travel History, Financial Metadata (e.g., Currency Used, Points Balance); Personal Identifiable Information (PII), Service Records; Names, Addresses, Personally Identifiable Information (PII); and Customer data.

Which entities were affected by each incident ?

Incident : Data Breach QAN2902229100425

Entity Name: Toyota Motor Corporation

Entity Type: Automotive

Industry: Manufacturing

Location: Global (HQ: Japan)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: FedEx

Entity Type: Logistics

Industry: Transportation

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Disney/Hulu

Entity Type: Entertainment

Industry: Media

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Republic Services

Entity Type: Waste Management

Industry: Environmental Services

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: UPS

Entity Type: Logistics

Industry: Transportation

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Aeromexico

Entity Type: Airline

Industry: Aviation

Location: Mexico

Size: Large

Customers Affected: 39M+ records (claimed)

Incident : Data Breach QAN2902229100425

Entity Name: Home Depot

Entity Type: Retail

Industry: Home Improvement

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Marriott

Entity Type: Hospitality

Industry: Hotels

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Vietnam Airlines

Entity Type: Airline

Industry: Aviation

Location: Vietnam

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Walgreens

Entity Type: Retail

Industry: Pharmacy

Location: USA

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Stellantis

Entity Type: Automotive

Industry: Manufacturing

Location: Global (HQ: Netherlands)

Size: Large (Fortune 100)

Customers Affected: North American customers (disclosed 2025-09-21)

Incident : Data Breach QAN2902229100425

Entity Name: McDonald's

Entity Type: Food Service

Industry: Restaurant

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: KFC

Entity Type: Food Service

Industry: Restaurant

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: ASICS

Entity Type: Retail

Industry: Apparel

Location: Global (HQ: Japan)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: GAP

Entity Type: Retail

Industry: Apparel

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: HMH (Houghton Mifflin Harcourt)

Entity Type: Education

Industry: Publishing

Location: USA

Size: Medium

Incident : Data Breach QAN2902229100425

Entity Name: Fujifilm

Entity Type: Technology

Industry: Imaging

Location: Global (HQ: Japan)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Instructure (Canvas)

Entity Type: Education Technology

Industry: EdTech

Location: USA

Size: Medium

Incident : Data Breach QAN2902229100425

Entity Name: Albertsons

Entity Type: Retail

Industry: Grocery

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Engie Resources

Entity Type: Energy

Industry: Utilities

Location: Global (HQ: France)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Instacart

Entity Type: E-Commerce

Industry: Grocery Delivery

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Petco

Entity Type: Retail

Industry: Pet Supplies

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Kering (Gucci, Balenciaga, Brioni, Alexander McQueen)

Entity Type: Luxury Goods

Industry: Fashion

Location: Global (HQ: France)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Puma

Entity Type: Retail

Industry: Apparel

Location: Global (HQ: Germany)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Cartier

Entity Type: Luxury Goods

Industry: Jewelry

Location: Global (HQ: Switzerland)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Adidas

Entity Type: Retail

Industry: Apparel

Location: Global (HQ: Germany)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: TripleA (AAA)

Entity Type: Automotive Services

Industry: Insurance

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Qantas Airways

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: CarMax

Entity Type: Automotive Retail

Industry: Used Cars

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Saks Fifth Avenue

Entity Type: Retail

Industry: Luxury Department Store

Location: USA

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: 1-800 Accountant

Entity Type: Financial Services

Industry: Accounting

Location: USA

Size: Small/Medium

Incident : Data Breach QAN2902229100425

Entity Name: Air France & KLM

Entity Type: Airline

Industry: Aviation

Location: Europe (France/Netherlands)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Google (AdSense/AdWords)

Entity Type: Technology

Industry: Advertising

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Cisco

Entity Type: Technology

Industry: Networking

Location: Global (HQ: USA)

Size: Large (Fortune 100)

Incident : Data Breach QAN2902229100425

Entity Name: Pandora.net

Entity Type: E-Commerce

Industry: Jewelry

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: TransUnion

Entity Type: Financial Services

Industry: Credit Reporting

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Chanel

Entity Type: Luxury Goods

Industry: Fashion

Location: Global (HQ: France)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: IKEA

Entity Type: Retail

Industry: Furniture

Location: Global (HQ: Netherlands)

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Jaguar Land Rover

Entity Type: Automotive

Industry: Manufacturing

Location: UK

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Noi Bai Airport

Entity Type: Transportation

Industry: Aviation

Location: Vietnam

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: Tan Son Nhat Airport

Entity Type: Transportation

Industry: Aviation

Location: Vietnam

Size: Large

Incident : Data Breach QAN2902229100425

Entity Name: National Credit Information Center (CIC) of Vietnam

Entity Type: Financial Services

Industry: Credit Reporting

Location: Vietnam

Size: Government

Customers Affected: 160M+ records (claimed)

Incident : Data Breach QAN2902229100425

Entity Name: Salesforce (Customer Instances)

Entity Type: Technology

Industry: CRM

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2562025101125

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large (5 million customers affected)

Customers Affected: 5,000,000

Incident : Data Breach QAN2562025101125

Entity Name: Salesforce

Entity Type: Cloud Services Provider

Industry: Technology

Location: Global

Size: Large

Incident : Data Breach QAN2562025101125

Entity Name: Gap

Entity Type: Retailer

Industry: Fashion

Location: Global

Incident : Data Breach QAN2562025101125

Entity Name: Vietnam Airlines

Entity Type: Airline

Industry: Aviation

Location: Vietnam

Incident : Data Breach QAN2562025101125

Entity Name: Toyota

Entity Type: Automotive Manufacturer

Industry: Automotive

Location: Global

Incident : Data Breach QAN2562025101125

Entity Name: Disney

Entity Type: Entertainment

Industry: Media

Location: Global

Incident : Data Breach QAN2562025101125

Entity Name: McDonald’s

Entity Type: Fast Food

Industry: Hospitality

Location: Global

Incident : Data Breach QAN2562025101125

Entity Name: Ikea

Entity Type: Retailer

Industry: Furniture

Location: Global

Incident : Data Breach QAN2562025101125

Entity Name: Adidas

Entity Type: Retailer

Industry: Sportswear

Location: Global

Incident : Data Breach QAN3602036101325

Entity Name: Qantas Airways

Entity Type: Airline

Industry: Aviation/Transportation

Location: Australia (Headquarters: Sydney, NSW)

Size: Large (29,000+ employees, ASX-listed)

Customers Affected: 5,000,000

Incident : Data Breach QAN2402124101325

Entity Name: Qantas Airways

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large (national carrier)

Customers Affected: 5.7 million

Incident : Data Breach QAN2402124101325

Entity Name: Salesforce

Entity Type: Software Provider

Industry: Technology (CRM)

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: Disney

Entity Type: Entertainment Conglomerate

Industry: Media/Entertainment

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: Google

Entity Type: Technology Company

Industry: Tech/Cloud Services

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: IKEA

Entity Type: Retailer

Industry: Furniture/Retail

Location: Global (HQ: Netherlands)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: Toyota

Entity Type: Automaker

Industry: Automotive

Location: Global (HQ: Japan)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: McDonald's

Entity Type: Fast Food Chain

Industry: Food Service

Location: Global (HQ: USA)

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: Air France

Entity Type: Airline

Industry: Aviation

Location: France

Size: Large

Incident : Data Breach QAN2402124101325

Entity Name: KLM

Entity Type: Airline

Industry: Aviation

Location: Netherlands

Size: Large

Incident : Data Breach QAN0302203101325

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large (millions of customers)

Customers Affected: 5-5.7 million

Incident : Data Breach QAN2562025101325

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation/Transportation

Location: Australia

Size: Large (nearly 6 million customer records compromised)

Customers Affected: 5,900,000 (approx.)

Incident : Data Breach QAN2562025101325

Entity Name: Salesforce

Entity Type: Cloud Software Provider

Industry: Technology

Location: Global (HQ: USA)

Size: Enterprise

Incident : Data Breach QAN5632856101325

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large

Customers Affected: 5.7 million

Incident : Data Breach QAN5632856101325

Entity Name: Disney

Entity Type: Corporation

Industry: Entertainment

Location: Global

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: Google

Entity Type: Corporation

Industry: Technology

Location: Global

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: Toyota

Entity Type: Corporation

Industry: Automotive

Location: Global

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: IKEA

Entity Type: Corporation

Industry: Retail

Location: Global

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: McDonald’s

Entity Type: Corporation

Industry: Food Service

Location: Global

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: Air France

Entity Type: Airline

Industry: Aviation

Location: France

Size: Large

Incident : Data Breach QAN5632856101325

Entity Name: KLM

Entity Type: Airline

Industry: Aviation

Location: Netherlands

Size: Large

Incident : Data Breach QAN2733027101325

Entity Name: Qantas Airways

Entity Type: Airline

Industry: Aviation/Transportation

Location: Australia

Size: Large (Fortune 500 equivalent)

Customers Affected: 5,000,000+

Incident : Data Breach QAN0192201101325

Entity Name: Qantas Airways Limited

Entity Type: Airline

Industry: Aviation/Transportation

Location: Australia

Size: Large (10,000+ employees)

Customers Affected: 5,000,000

Incident : Data Breach QAN0192201101325

Entity Name: Vietnam Airlines

Entity Type: Airline

Industry: Aviation/Transportation

Location: Vietnam

Size: Large (10,000+ employees)

Customers Affected: 23,000,000

Incident : Data Breach QAN0192201101325

Entity Name: Albertsons Companies, Inc.

Entity Type: Retailer

Industry: Grocery/Retail

Location: USA

Size: Large (250,000+ employees)

Customers Affected: 672,000

Incident : Data Breach QAN0192201101325

Entity Name: GAP, INC.

Entity Type: Retailer

Industry: Fashion/Retail

Location: USA

Size: Large (100,000+ employees)

Customers Affected: 224,000

Incident : Data Breach QAN0192201101325

Entity Name: Fujifilm

Entity Type: Manufacturer

Industry: Technology/Imaging

Location: Japan

Size: Large (80,000+ employees)

Customers Affected: 224,000

Incident : Data Breach QAN0192201101325

Entity Name: Engie Resources

Entity Type: Energy Provider

Industry: Utilities/Energy

Location: USA/France

Size: Large (100,000+ employees)

Customers Affected: 537,000

Incident : Data Breach QAN0192201101325

Entity Name: Salesforce

Entity Type: Cloud Provider

Industry: Technology/CRM

Location: USA

Size: Large (70,000+ employees)

Incident : Data Breach QAN0192201101325

Entity Name: KFC

Entity Type: Retailer

Industry: Food/Beverage

Location: Global

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: ASICS

Entity Type: Retailer

Industry: Sportswear

Location: Japan

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: UPS

Entity Type: Logistics

Industry: Transportation

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: IKEA

Entity Type: Retailer

Industry: Furniture

Location: Sweden

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Petco

Entity Type: Retailer

Industry: Pet Supplies

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Cisco

Entity Type: Technology

Industry: Networking

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: McDonald’s

Entity Type: Retailer

Industry: Food/Beverage

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Cartier

Entity Type: Retailer

Industry: Luxury Goods

Location: France

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Adidas

Entity Type: Retailer

Industry: Sportswear

Location: Germany

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Instacart

Entity Type: Technology

Industry: E-Commerce

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Marriott

Entity Type: Hospitality

Industry: Hotels

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Walgreens

Entity Type: Retailer

Industry: Pharmacy

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Pandora

Entity Type: Retailer

Industry: Jewelry

Location: Denmark

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Chanel

Entity Type: Retailer

Industry: Luxury Goods

Location: France

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: CarMax

Entity Type: Retailer

Industry: Automotive

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Disney/Hulu

Entity Type: Entertainment

Industry: Media

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: TransUnion

Entity Type: Financial Services

Industry: Credit Reporting

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Aeroméxico

Entity Type: Airline

Industry: Aviation

Location: Mexico

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Toyota Motor Corporation

Entity Type: Manufacturer

Industry: Automotive

Location: Japan

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Stellantis

Entity Type: Manufacturer

Industry: Automotive

Location: Netherlands

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Republic Services

Entity Type: Waste Management

Industry: Utilities

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: TripleA (AAA)

Entity Type: Insurance

Industry: Automotive Services

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Saks Fifth Avenue

Entity Type: Retailer

Industry: Luxury Goods

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: 1-800Accountant

Entity Type: Financial Services

Industry: Accounting

Location: USA

Size: Medium

Incident : Data Breach QAN0192201101325

Entity Name: Houghton Mifflin Harcourt (HMH)

Entity Type: Education

Industry: Publishing

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Instructure (Canvas)

Entity Type: Technology

Industry: EdTech

Location: USA

Size: Medium

Incident : Data Breach QAN0192201101325

Entity Name: Google AdSense

Entity Type: Technology

Industry: Advertising

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: HBO Max

Entity Type: Entertainment

Industry: Media

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: FedEx

Entity Type: Logistics

Industry: Transportation

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Air France & KLM

Entity Type: Airline

Industry: Aviation

Location: France/Netherlands

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Home Depot

Entity Type: Retailer

Industry: Home Improvement

Location: USA

Size: Large

Incident : Data Breach QAN0192201101325

Entity Name: Kering (Gucci, Balenciaga, etc.)

Entity Type: Retailer

Industry: Luxury Goods

Location: France

Size: Large

Incident : Data Breach QAN3292432101325

Entity Name: Qantas Airways

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large (6M+ Customer Records Exposed)

Customers Affected: 6,000,000

Incident : Data Breach QAN2502025101425

Entity Name: Qantas

Entity Type: Airline

Industry: Aviation

Location: Australia

Size: Large (5.7 million customers affected)

Customers Affected: 5.7 million

Incident : Data Breach QAN1562015101925

Entity Name: Qantas

Entity Type: Corporation

Industry: Aviation

Location: Australia

Customers Affected: Up to 5.7 million

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach QAN2902229100425

Incident Response Plan Activated: Likely (e.g., Google’s mitigation for UNC6040), Salesforce Flash Warning (FBI)

Third Party Assistance: Resecurity (Threat Intelligence), FBI (Investigation), Dark Web Monitoring Firms.

Law Enforcement Notified: FBI (Flash Warning), Potential GDPR Regulators (EU), Australian Authorities (Qantas)

Containment Measures: Salesforce Instance Isolation, OAuth Token Revocation, Dark Web Takedown Attempts (DDoS on DLS)

Remediation Measures: Patch Management (Salesforce), Multi-Factor Authentication (MFA) Enforcement, Employee Training (Anti-Phishing)

Recovery Measures: Data Restoration (Backups), Customer Notification (e.g., Stellantis), Regulatory Filings

Communication Strategy: Public Statements (Downplaying Impact, e.g., Salesforce); Customer Advisories (Deadline: 2025-10-10); Media Engagement

Network Segmentation: Likely (to isolate Salesforce instances)

Enhanced Monitoring: FBI Indicators of Compromise (IoCs), Dark Web Threat Intelligence

Incident : Data Breach QAN2562025101125

Incident Response Plan Activated: Yes (24/7 support line, identity protection advice)

Third Party Assistance: External Cybersecurity Experts, Legal Support (NSW Supreme Court Injunction).

Law Enforcement Notified: Yes (investigated with authorities)

Containment Measures: Legal Injunction to Block Data Access/Use

Remediation Measures: Customer Support (Identity Protection Advice), Monitoring for Suspicious Activity

Communication Strategy: Public Statements, Customer Advisories

Enhanced Monitoring: Likely (advised customers to monitor accounts)

Incident : Data Breach QAN3602036101325

Incident Response Plan Activated: Yes (collaboration with ACSC, AFP, and cybersecurity experts)

Third Party Assistance: Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Specialist Cybersecurity Experts (Unnamed).

Law Enforcement Notified: Yes (AFP, FBI involved; NSW Supreme Court injunction obtained)

Containment Measures: Legal Injunction to Block Data Access/Release, Dark Web Monitoring

Remediation Measures: Investigation into leaked data scope, Identity protection services for affected customers

Recovery Measures: 24/7 Support Line for Customers, Ongoing Updates via Qantas Website

Communication Strategy: Public Statements (via ABC, Information Age), Website Updates, Direct Customer Notifications (via email/support line)

Enhanced Monitoring: Likely (given collaboration with ACSC/AFP)

Incident : Data Breach QAN2402124101325

Incident Response Plan Activated: True

Third Party Assistance: Australian Security Services, Legal Counsel (For Injunction).

Containment Measures: Legal injunction to block data dissemination, Access revocation for compromised systems

Remediation Measures: Customer notifications (email), Impact analysis (Google)

Communication Strategy: Public statements (Qantas, Google), Media engagement

Incident : Data Breach QAN0302203101325

Incident Response Plan Activated: True

Third Party Assistance: Salesforce, Law Enforcement.

Containment Measures: Credential Resets, Increased Monitoring for Unusual Activity, Injunction to Deter Data Dissemination

Remediation Measures: Strengthened Monitoring Capabilities, Supplier Access Tightening

Recovery Measures: Customer Communications (Scam Awareness), Identity Protection Support

Communication Strategy: Public Statements, Customer Advisories on Scam Prevention

Incident : Data Breach QAN2562025101325

Incident Response Plan Activated: Yes (investigation ongoing since July)

Third Party Assistance: Federal Government, Australian Federal Police, Cybersecurity Experts.

Law Enforcement Notified: Yes

Containment Measures: NSW Supreme Court injunction to block data access, Dark web monitoring

Recovery Measures: Customer notifications (July), Advisories on phishing risks

Communication Strategy: Public statements (July and post-dark web leak), Direct emails to affected customers, Media interviews (e.g., Transport Minister Catherine King)

Enhanced Monitoring: Dark web channels monitored to confirm leaked data

Incident : Data Breach QAN5632856101325

Incident Response Plan Activated: True

Containment Measures: Legal Injunction to Prevent Data Spread (Australia-Only)

Communication Strategy: Public Disclosure, Customer Notifications (e.g., Google Notified Affected Partners)

Incident : Data Breach QAN2733027101325

Incident Response Plan Activated: Yes (collaboration with cybersecurity experts)

Third Party Assistance: Cybersecurity Experts (Unnamed), Australian Security Agencies.

Law Enforcement Notified: Yes (Australian authorities)

Containment Measures: Court Injunction to Block Data Access/Use, Third-Party Platform Review

Recovery Measures: Customer Communication, Data Leak Investigation

Communication Strategy: Public Statements (Oct 12, 2025), Social Media Updates, Customer Advisories

Incident : Data Breach QAN0192201101325

Incident Response Plan Activated: Likely (given scale, but not publicly confirmed)

Third Party Assistance: Cybersecurity Firms (e.g., Mandiant, CrowdStrike) Likely Engaged, Salesforce’s Internal Security Team.

Law Enforcement Notified: Probable (FBI, Interpol, or national cybercrime units)

Containment Measures: Salesforce likely patched the exploited vulnerability, Affected companies may have isolated CRM systems, Password resets for exposed accounts

Remediation Measures: Forensic analysis of breached systems, Customer notifications (where legally required), Credit monitoring services for affected individuals

Communication Strategy: Limited public statements (e.g., Qantas acknowledged July 2025 third-party breach but did not name vendor), Telegram/Dark Web monitoring for further leaks

Network Segmentation: Likely implemented post-breach

Enhanced Monitoring: Expected for Salesforce and affected companies

Incident : Data Breach QAN3292432101325

Incident Response Plan Activated: True

Third Party Assistance: Cybersecurity Experts.

Containment Measures: Court Order to Block Data Access/Use, Third-Party Platform Isolation

Remediation Measures: Increased Team Training, Strengthened System Monitoring/Detection

Recovery Measures: Customer Identity Protection Services, Ongoing Updates via Website/Support Line

Communication Strategy: Public Statements, Customer Notifications (Specific Data Impact), Website Updates

Incident : Data Breach QAN2502025101425

Third Party Assistance: IDCARE (Identity Support for Affected Customers).

Recovery Measures: Case-by-Case Support via IDCARE

Communication Strategy: Statement on Qantas Website, No Direct Customer Notifications (Criticized)

Incident : Data Breach QAN1562015101925

Communication Strategy: Public disclosure (confirmed exposure)

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as Likely (e.g., Google’s mitigation for UNC6040), Salesforce Flash Warning (FBI); Yes (24/7 support line, identity protection advice); Yes (collaboration with ACSC, AFP, and cybersecurity experts); Yes (investigation ongoing since July); Yes (collaboration with cybersecurity experts); Likely (given scale, but not publicly confirmed).

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Resecurity (Threat Intelligence), FBI (Investigation), Dark Web Monitoring Firms; External Cybersecurity Experts, Legal Support (NSW Supreme Court Injunction); Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Specialist Cybersecurity Experts (unnamed); Australian security services, Legal counsel (for injunction); Salesforce, Law Enforcement; Federal Government, Australian Federal Police, Cybersecurity Experts; Cybersecurity Experts (unnamed), Australian Security Agencies; Cybersecurity firms (e.g., Mandiant, CrowdStrike) likely engaged, Salesforce’s internal security team; Cybersecurity Experts; IDCARE (Identity Support for Affected Customers).

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach QAN2902229100425

Type of Data Compromised: PII (passenger records, loyalty points), Corporate emails, Internal communications, Customer-vendor relationships, Employee data (law enforcement/military), Advertising partner data (Google AdWords), Salesforce records (accounts, contacts, cases)

Number of Records Exposed: 1,563,633,235 (claimed total); 39M+ (Aeromexico); 160M+ (Vietnam CIC)

Sensitivity of Data: High (PII, Government/Military Personnel), Medium (Corporate Communications)

Data Exfiltration: Confirmed (Samples shared on DLS), Ongoing (Dark Web Monetization)

Data Encryption: Partial (Ransomware Threats, but no widespread encryption reported)

File Types Exposed: CSV/Excel (Customer Records), Emails, PDFs (Internal Documents), Database Dumps

Personally Identifiable Information: Names, Contact Details, Loyalty Program Data, Travel History, Employee IDs, Government Affiliation Records

Incident : Data Breach QAN2562025101125

Type of Data Compromised: Personally identifiable information (PII), Contact information

Number of Records Exposed: 5,000,000 (Qantas); up to 1,000,000,000 (global)

Sensitivity of Data: High (includes dates of birth, purchase histories, passport numbers for some victims)

Data Exfiltration: Yes (leaked on dark web)

Personally Identifiable Information: Email Addresses, Phone Numbers, Birth Dates, Frequent Flyer Numbers, Passport Numbers (for some global victims)

Incident : Data Breach QAN3602036101325

Type of Data Compromised: Personally identifiable information (PII), Loyalty program data

Number of Records Exposed: 5,000,000

Sensitivity of Data: Moderate (no financial/password data, but PII + family links exposed)

Data Exfiltration: Yes (153GB dumped to dark web and clear-web forums)

Data Encryption: No (data published in raw format)

Personally Identifiable Information: Full Names, Email Addresses, Phone Numbers, Dates of Birth, Frequent Flyer Numbers

Incident : Data Breach QAN2402124101325

Type of Data Compromised: Personally identifiable information (PII), Customer records

Number of Records Exposed: 5.7 million (Qantas); unspecified for other firms

Sensitivity of Data: Moderate (no financial/passport data; includes addresses, birthdays, meal preferences)

Personally Identifiable Information: Names, Email addresses, Phone numbers, Home/business addresses, Dates of birth, Gender, Meal preferences, Frequent flyer details

Incident : Data Breach QAN0302203101325

Type of Data Compromised: Personally identifiable information (PII), Frequent-flyer data

Number of Records Exposed: 5-5.7 million

Sensitivity of Data: High (sufficient for phishing/account takeover)

Incident : Data Breach QAN2562025101325

Type of Data Compromised: Personally identifiable information (PII), Customer account data

Number of Records Exposed: 5,900,000 (approx.)

Sensitivity of Data: Moderate to High (includes home addresses, birth dates, and frequent flyer details)

Data Exfiltration: Confirmed (data released on dark web)

Personally Identifiable Information: Names, Email Addresses, Phone Numbers, Birth Dates, Home Addresses (partial), Frequent Flyer Numbers

Incident : Data Breach QAN5632856101325

Type of Data Compromised: Personally identifiable information (PII), Frequent flyer information, Contact details, Demographic data (gender, meal preferences), Addresses (home/business)

Number of Records Exposed: 5.7 million (Qantas only; others unspecified)

Sensitivity of Data: Moderate (No Financial/Passport Data, but PII Exposed)

Incident : Data Breach QAN2733027101325

Type of Data Compromised: Personally identifiable information (PII), Customer profiles, Frequent flyer data, Preference data (e.g., meal choices)

Number of Records Exposed: 5,000,000+

Sensitivity of Data: High (includes addresses, birth dates, and contact details)

Data Exfiltration: Confirmed (data published by hackers post-ransom deadline)

Personally Identifiable Information: Full Names, Email Addresses, Phone Numbers, Home/Business Addresses, Birth Dates, Genders

Incident : Data Breach QAN0192201101325

Type of Data Compromised: Personally identifiable information (PII), Loyalty program data, Customer relationship management (CRM) metadata, Internal business records, Geolocation data, Corporate contact information, Travel history, Financial metadata (e.g., currency used, points balance)

Number of Records Exposed: 989,000,000 (total claimed); 29,733,000 (leaked so far); 959,267,000 (unreleased)

Sensitivity of Data: High (PII, passport numbers, internal CRM fields)

Data Exfiltration: Method: Likely via exploited Salesforce API or authentication flaw; Timeline: Prior to October 3, 2025 (discovery date); Storage: JSON/CSV files hosted on hacker-controlled leak portal

Data Encryption: Unencrypted (data was in plaintext JSON/CSV formats)

File Types Exposed: JSON (primary), CSV (Fujifilm)

Personally Identifiable Information: Full Names, Dates of Birth, Passport Numbers, Phone Numbers, Email Addresses, Mailing Addresses (with geolocation), Frequent Flyer Numbers, Internal Account IDs, Gender, Age, Corporate Roles, Tax Information (partial)

Incident : Data Breach QAN3292432101325

Type of Data Compromised: Personally identifiable information (PII), Service records

Number of Records Exposed: 6,000,000

Sensitivity of Data: Moderate (No Financial/Passport Data)

File Types Exposed: Customer Service Records

Personally Identifiable Information: Names, Email Addresses, Phone Numbers, Birth Dates, Frequent Flyer Numbers

Incident : Data Breach QAN2502025101425

Type of Data Compromised: Names, Addresses, Personally identifiable information (PII)

Number of Records Exposed: 5.7 million

Sensitivity of Data: High (PII cannot be changed, e.g., date of birth)

Data Exfiltration: Yes (Released on Dark Web)

Personally Identifiable Information: Names, Addresses, Potentially Dates of Birth

Incident : Data Breach QAN1562015101925

Type of Data Compromised: Customer data

Number of Records Exposed: Up to 5.7 million

Sensitivity of Data: High (exposed on dark web)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patch Management (Salesforce), Multi-Factor Authentication (MFA) Enforcement, Employee Training (Anti-Phishing); Customer Support (Identity Protection Advice), Monitoring for Suspicious Activity; Investigation into leaked data scope, Identity protection services for affected customers; Customer notifications (email), Impact analysis (Google); Strengthened Monitoring Capabilities, Supplier Access Tightening; Forensic analysis of breached systems, Customer notifications (where legally required), Credit monitoring services for affected individuals; Increased Team Training, Strengthened System Monitoring/Detection.

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through Salesforce Instance Isolation, OAuth Token Revocation, Dark Web Takedown Attempts (DDoS on DLS); Legal Injunction to Block Data Access/Use; Legal Injunction to Block Data Access/Release, Dark Web Monitoring; Legal injunction to block data dissemination, Access revocation for compromised systems; Credential Resets, Increased Monitoring for Unusual Activity, Injunction to Deter Data Dissemination; NSW Supreme Court injunction to block data access, Dark web monitoring; Legal Injunction to Prevent Data Spread (Australia-Only); Court Injunction to Block Data Access/Use, Third-Party Platform Review; Salesforce likely patched the exploited vulnerability, Affected companies may have isolated CRM systems, Password resets for exposed accounts; Court Order to Block Data Access/Use, Third-Party Platform Isolation.

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach QAN2902229100425

Ransom Demanded: Undisclosed (Negotiation Deadline: 2025-10-10), Threats of Regulatory Reporting (GDPR)

Ransomware Strain: Custom (Trinity of Chaos), Associated with Lapsus$/Scattered Spider TTPs

Data Encryption: Limited (Focus on Exfiltration + Extortion)

Data Exfiltration: Massive (1.5B+ records claimed)

Incident : Data Breach QAN2562025101125

Ransom Demanded: Yes (unspecified amount)

Ransom Paid: No

Data Encryption: No (data stolen but not encrypted)

Data Exfiltration: Yes

Incident : Data Breach QAN3602036101325

Ransom Demanded: Yes (amount undisclosed; deadline: 2023-10-10)

Ransom Paid: No

Data Encryption: No (data exfiltrated but not encrypted on Qantas systems)

Data Exfiltration: Yes (153GB)

Incident : Data Breach QAN2402124101325

Ransom Demanded: True

Data Exfiltration: True

Incident : Data Breach QAN0302203101325

Ransom Demanded: True

Data Exfiltration: True

Incident : Data Breach QAN2562025101325

Ransom Demanded: Yes (by Scattered Lapsus$ Hunters; amount undisclosed)

Ransom Paid: No (Qantas and Salesforce refused to negotiate)

Data Exfiltration: Yes

Incident : Data Breach QAN5632856101325

Ransom Demanded: True

Data Exfiltration: True

Incident : Data Breach QAN2733027101325

Ransom Demanded: Yes (by Scattered Lapsus$ Hunters; deadline passed)

Ransom Paid: No (ransom deadline ignored; data released)

Data Exfiltration: Yes

Incident : Data Breach QAN0192201101325

Ransom Demanded: Negotiation demanded (no specific amount disclosed)

Ransom Paid: Unknown (no reports of payments)

Data Encryption: No (data was exfiltrated, not encrypted)

Data Exfiltration: Yes (989M records claimed, 29.7M leaked)

Incident : Data Breach QAN3292432101325

Data Exfiltration: True

Incident : Data Breach QAN2502025101425

Ransom Demanded: Yes (Unspecified Amount)

Ransom Paid: No

Data Exfiltration: Yes (Released on Dark Web)

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Data Restoration (Backups), Customer Notification (e.g., Stellantis), Regulatory Filings; 24/7 Support Line for Customers, Ongoing Updates via Qantas Website; Customer Communications (Scam Awareness), Identity Protection Support; Customer notifications (July), Advisories on phishing risks; Customer Communication, Data Leak Investigation; Customer Identity Protection Services, Ongoing Updates via Website/Support Line; Case-by-Case Support via IDCARE.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach QAN2902229100425

Regulations Violated: GDPR (EU-based victims), Vietnam Data Protection Laws, Australian Privacy Act (Qantas), U.S. State Breach Laws

Fines Imposed: Potential (e.g., Qantas previously fined for negligence), GDPR Penalties (Up to 4% of global revenue)

Legal Actions: Class-Action Lawsuits (Expected), Criminal Negligence Charges (Threatened), Regulatory Investigations (Ongoing)

Regulatory Notifications: GDPR Authorities (EU), FBI (USA), Vietnamese CERT, Australian OAIC

Incident : Data Breach QAN2562025101125

Legal Actions: NSW Supreme Court Injunction (to block data misuse)

Incident : Data Breach QAN3602036101325

Regulations Violated: Potential: Australian Privacy Act 1988, Potential: GDPR (for EU customers)

Legal Actions: NSW Supreme Court Interim Injunction (July 2023), AFP/FBI Investigation

Regulatory Notifications: Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP)

Incident : Data Breach QAN2402124101325

Legal Actions: Legal injunction (Qantas vs. data dissemination)

Incident : Data Breach QAN0302203101325

Regulations Violated: Australia's Privacy Act (post-Optus regime)

Legal Actions: Regulatory Scrutiny, Potential Enforceable Undertakings

Incident : Data Breach QAN2562025101325

Legal Actions: NSW Supreme Court injunction to prevent data access

Regulatory Notifications: Federal Government, Australian Federal Police

Incident : Data Breach QAN5632856101325

Legal Actions: Qantas Secured Injunction from Supreme Court of New South Wales

Incident : Data Breach QAN2733027101325

Regulations Violated: Australian Privacy Act (Mandatory Data Breach Notification), Potential GDPR (if EU customers affected)

Legal Actions: Court Injunction Filed (to block data dissemination)

Regulatory Notifications: Office of the Australian Information Commissioner (OAIC)

Incident : Data Breach QAN0192201101325

Regulations Violated: GDPR (for EU customer data), CCPA (California Consumer Privacy Act), APPI (Japan’s Act on the Protection of Personal Information), Australia’s Privacy Act 1988, Other regional data protection laws

Legal Actions: Potential class-action lawsuits, Regulatory investigations (e.g., by ICO, FTC)

Regulatory Notifications: Likely required for GDPR (within 72 hours of discovery), State-level notifications in the U.S. (e.g., California Attorney General)

Incident : Data Breach QAN3292432101325

Legal Actions: Court Order to Prevent Data Dissemination

Incident : Data Breach QAN2502025101425

Regulations Violated: Potential Violation of Australian Privacy Act (Australian Privacy Principles)

Fines Imposed: Speculated to be in Billions (Under Investigation)

Legal Actions: Regulatory Investigation by Office of the Australian Information Commissioner

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class-Action Lawsuits (Expected), Criminal Negligence Charges (Threatened), Regulatory Investigations (Ongoing); NSW Supreme Court Injunction (to block data misuse); NSW Supreme Court Interim Injunction (July 2023), AFP/FBI Investigation; Legal injunction (Qantas vs. data dissemination); Regulatory Scrutiny, Potential Enforceable Undertakings; NSW Supreme Court injunction to prevent data access; Qantas Secured Injunction from Supreme Court of New South Wales; Court Injunction Filed (to block data dissemination); Potential class-action lawsuits, Regulatory investigations (e.g., by ICO, FTC); Court Order to Prevent Data Dissemination; Regulatory Investigation by Office of the Australian Information Commissioner.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Data Breach QAN2902229100425

Lessons Learned: OAuth token security requires stricter monitoring (Salesloft Drift integration). Dark Web monitoring is critical for early detection of leaked data. Regulatory threats (e.g., GDPR reporting) are increasingly used as leverage by ransomware groups. Supply chain risks (e.g., Salesforce instances) can amplify breach impacts across industries. Proactive communication with threat actors may prevent public disclosure (failed in this case). Government shutdowns can hinder cybersecurity response capabilities.

Incident : Data Breach QAN2562025101125

Lessons Learned: Third-party vendor risks (Salesforce database targeted), Importance of refusing ransom payments to avoid encouraging cybercrime, Need for proactive customer support (identity protection advice) post-breach, Legal measures (injunctions) can mitigate damage but not prevent initial leaks

Incident : Data Breach QAN2402124101325

Lessons Learned: Social engineering remains a highly effective attack vector, exploiting human trust rather than technical vulnerabilities. Third-party vendor risks (e.g., Salesforce) can amplify breach impact across multiple organizations. Legal injunctions have limited efficacy in preventing dark web data dissemination.

Incident : Data Breach QAN0302203101325

Lessons Learned: Third-party vendor risks require stricter access controls and monitoring. Data minimization practices must be enforced to limit exposure. Proactive customer communication is critical to mitigate reputational harm. Incident response coordination with third parties (e.g., Salesforce) is essential.

Incident : Data Breach QAN5632856101325

Lessons Learned: The incident highlights the vulnerability of third-party platforms (e.g., Salesforce) as single points of failure for multiple organizations. Social engineering remains a highly effective attack vector, exploiting human error rather than technical flaws. Legal injunctions may have limited efficacy in cross-border cybercrime cases.

Incident : Data Breach QAN2733027101325

Lessons Learned: Third-party vendor risks require stricter oversight (e.g., call center platforms). Court injunctions may be ineffective against cybercriminals (per Troy Hunt). Need for proactive dark web monitoring to detect leaked data early. Customer data minimization (e.g., meal preferences) could reduce exposure.

Incident : Data Breach QAN0192201101325

Lessons Learned: Third-party vendor risks remain a critical attack vector, especially for cloud-based CRM platforms like Salesforce. Multi-factor authentication (MFA) and API security controls are essential for protecting customer data at scale. Proactive threat intelligence monitoring can help detect reconnaissance by groups like Scattered Lapsus$ Hunters. Transparency in breach disclosures (e.g., naming third-party vendors) can help customers assess their risk. Legacy data retention policies may exacerbate breaches (e.g., storing passport numbers or decades-old loyalty data).

Incident : Data Breach QAN2502025101425

Lessons Learned: Prioritize security over profit maximization for shareholders. Ensure timely and transparent communication with affected customers. Third-party platform security must be rigorously vetted and monitored. Proactive measures are needed to prevent social engineering attacks.

What recommendations were made to prevent future incidents ?

Incident : Data Breach QAN2902229100425

Recommendations: Implement Zero Trust Architecture for cloud services (e.g., Salesforce). Enforce MFA and conditional access policies for all OAuth integrations. Conduct third-party risk assessments for SaaS providers (e.g., Drift, Salesloft). Establish a Dark Web monitoring program to detect leaked credentials/data. Develop a pre-emptive regulatory engagement strategy (e.g., GDPR breach notifications). Train employees on vishing/social engineering tactics used by groups like Lapsus$. Isolate high-value systems (e.g., airline passenger databases) with network segmentation. Prepare for DDoS attacks on leak sites (e.g., Trinity of Chaos DLS). Coordinate with law enforcement (FBI, INTERPOL) for threat actor disruption. Review incident response plans for ransomware extortion + data leak scenarios.

Incident : Data Breach QAN2562025101125

Recommendations: Enhance third-party risk assessments (e.g., Salesforce security audits), implement stricter data access controls and monitoring for high-value databases, educate customers on phishing risks post-breach (personalized scams likely), collaborate with law enforcement and cybersecurity firms for threat intelligence sharing, consider proactive dark web monitoring for leaked data.

Incident : Data Breach QAN2402124101325

Recommendations: Enhance employee training on social engineering and phishing (especially for customer support teams). Implement multi-factor authentication (MFA) for third-party platform access. Conduct regular third-party risk assessments for vendors handling sensitive data. Develop cross-organizational incident response protocols for supply chain attacks.

Incident : Data Breach QAN0302203101325

Recommendations: Implement stricter supplier access controls and audit trails. Enhance data minimization strategies to reduce exposure in third-party systems. Invest in advanced threat detection for credential abuse and social engineering. Develop a robust customer support framework for post-breach identity protection. Conduct regular third-party security assessments and penetration testing.

Incident : Data Breach QAN2562025101325

Recommendations: Enable two-step authentication for online accounts, avoid clicking links in unsolicited emails/texts, verify caller identities via official channels, monitor credit reports for fraudulent activity, use resources like IDCare, Australian Cyber Security Centre, and Scamwatch.

Incident : Data Breach QAN5632856101325

Recommendations: Enhance employee training to recognize social engineering tactics (e.g., impersonation scams). Implement multi-factor authentication (MFA) and stricter access controls for third-party platforms. Conduct regular audits of third-party vendors’ security practices. Develop cross-border legal strategies to address data breaches with global implications. Improve incident response coordination among affected entities in supply-chain attacks.

Incident : Data Breach QAN2733027101325

Recommendations: Implement zero-trust architecture for third-party integrations. Enhance incident response plans for ransomware/data extortion scenarios. Conduct regular third-party security audits (especially for customer-facing platforms). Explore data anonymization for non-critical customer preferences. Advocate for stronger international cybercrime enforcement collaboration.

Incident : Data Breach QAN0192201101325

Recommendations: For Industry: Advocate for standardized third-party risk management frameworks. Push for stronger enforcement of data minimization principles in cloud services. Invest in dark web monitoring to detect leaked credentials early.

Incident : Data Breach QAN2502025101425

Recommendations: Implement stricter access controls and multi-factor authentication for third-party platforms. Provide free identity monitoring services to affected customers. Enhance employee training to prevent social engineering attacks. Establish a clear, proactive communication plan for data breaches. Conduct regular security audits of third-party vendors.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: OAuth token security requires stricter monitoring (Salesloft Drift integration). Dark Web monitoring is critical for early detection of leaked data. Regulatory threats (e.g., GDPR reporting) are increasingly used as leverage by ransomware groups. Supply chain risks (e.g., Salesforce instances) can amplify breach impacts across industries. Proactive communication with threat actors may prevent public disclosure (failed in this case). Government shutdowns can hinder cybersecurity response capabilities. Third-party vendor risks (Salesforce database targeted). Importance of refusing ransom payments to avoid encouraging cybercrime. Need for proactive customer support (identity protection advice) post-breach. Legal measures (injunctions) can mitigate damage but not prevent initial leaks. Social engineering remains a highly effective attack vector, exploiting human trust rather than technical vulnerabilities. Third-party vendor risks (e.g., Salesforce) can amplify breach impact across multiple organizations. Legal injunctions have limited efficacy in preventing dark web data dissemination. Third-party vendor risks require stricter access controls and monitoring. Data minimization practices must be enforced to limit exposure. Proactive customer communication is critical to mitigate reputational harm. Incident response coordination with third parties (e.g., Salesforce) is essential. The incident highlights the vulnerability of third-party platforms (e.g., Salesforce) as single points of failure for multiple organizations. Social engineering remains a highly effective attack vector, exploiting human error rather than technical flaws. Legal injunctions may have limited efficacy in cross-border cybercrime cases. Third-party vendor risks require stricter oversight (e.g., call center platforms). Court injunctions may be ineffective against cybercriminals (per Troy Hunt). Need for proactive dark web monitoring to detect leaked data early. Customer data minimization (e.g., meal preferences) could reduce exposure. Third-party vendor risks remain a critical attack vector, especially for cloud-based CRM platforms like Salesforce. Multi-factor authentication (MFA) and API security controls are essential for protecting customer data at scale. Proactive threat intelligence monitoring can help detect reconnaissance by groups like Scattered Lapsus$ Hunters. Transparency in breach disclosures (e.g., naming third-party vendors) can help customers assess their risk. Legacy data retention policies may exacerbate breaches (e.g., storing passport numbers or decades-old loyalty data). Prioritize security over profit maximization for shareholders. Ensure timely and transparent communication with affected customers. Third-party platform security must be rigorously vetted and monitored. Proactive measures are needed to prevent social engineering attacks.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: consider proactive dark web monitoring for leaked data, collaborate with law enforcement and cybersecurity firms for threat intelligence sharing, enhance third-party risk assessments (e.g., Salesforce security audits), monitor credit reports for fraudulent activity, educate customers on phishing risks post-breach (personalized scams likely), avoid clicking links in unsolicited emails/texts, verify caller identities via official channels, enable two-step authentication for online accounts, implement stricter data access controls and monitoring for high-value databases, and use resources like IDCare, the Australian Cyber Security Centre, and Scamwatch.

References

Where can I find more information about each incident ?

Incident : Data Breach QAN2902229100425

Source: Resecurity Threat Intelligence Report

Incident : Data Breach QAN2902229100425

Source: FBI Flash Warning (Salesforce Exploitation)

Incident : Data Breach QAN2902229100425

Source: Trinity of Chaos Data Leak Site (TOR)

Date Accessed: 2025-10-03

Incident : Data Breach QAN2902229100425

Source: Telegram Channel (SLSH 6.0 Part 3)

Date Accessed: 2025-10-03

Incident : Data Breach QAN2902229100425

Source: Google Security Blog (UNC6040 Incident)

Date Accessed: 2025-06-04

Incident : Data Breach QAN2902229100425

Source: Stellantis Breach Disclosure

Date Accessed: 2025-09-21

Incident : Data Breach QAN2902229100425

Source: Qantas GDPR Fine Announcement

Incident : Data Breach QAN2562025101125

Source: The Guardian Australia

URL: https://www.theguardian.com/australia-news

Date Accessed: 2024-09-21

Incident : Data Breach QAN2562025101125

Source: Cyber Threat Intelligence (Jeremy Kirk, Executive Editor)

Date Accessed: 2024-09-21

Incident : Data Breach QAN3602036101325

Source: ABC News Australia

Date Accessed: 2023-10

Incident : Data Breach QAN3602036101325

Source: Information Age

Date Accessed: 2023-10-09

Incident : Data Breach QAN3602036101325

Source: Have I Been Pwned (Troy Hunt)

URL: https://haveibeenpwned.com

Date Accessed: 2023-10-07

Incident : Data Breach QAN3602036101325

Source: Scattered Lapsus$ Hunters (SLSH) Telegram Channel

Date Accessed: 2023-10-10

Incident : Data Breach QAN3602036101325

Source: Australian Federal Police (AFP) Advisory

URL: https://www.cyber.gov.au/report

Date Accessed: 2023-10-09

Incident : Data Breach QAN2402124101325

Source: Agence France-Presse (AFP)

Incident : Data Breach QAN2402124101325

Source: Qantas Airways Statement (2023-07)

Incident : Data Breach QAN2402124101325

Source: Google Cloud Security Communications (2023-08)

Incident : Data Breach QAN2402124101325

Source: Unit 42 Research Note (Scattered Lapsus$ Hunters)

Incident : Data Breach QAN2402124101325

Source: FBI Warning on Salesforce Attacks

Incident : Data Breach QAN0302203101325

Source: The Guardian

Incident : Data Breach QAN0302203101325

Source: Shutterstock (reported imagery)

Incident : Data Breach QAN2562025101325

Source: ABC News

URL: https://www.abc.net.au/news

Date Accessed: 2023-10-00

Incident : Data Breach QAN2562025101325

Source: University of New South Wales (Professor Richard Buckland)

Date Accessed: 2023-10-00

Incident : Data Breach QAN5632856101325

Source: AFP (Agence France-Presse)

Incident : Data Breach QAN5632856101325

Source: Troy Hunt (Cybersecurity Researcher)

Incident : Data Breach QAN5632856101325

Source: Unit 42 (Cybersecurity Research Team)

Incident : Data Breach QAN5632856101325

Source: FBI Warning on Salesforce Client Scams

Incident : Data Breach QAN5632856101325

Source: CloudTech News (TechForge Media)

URL: https://www.cloudcomputing-news.net/

Incident : Data Breach QAN2733027101325

Source: Reuters

Date Accessed: 2025-10-12

Incident : Data Breach QAN2733027101325

Source: The Guardian Australia

Date Accessed: 2025-10-12

Incident : Data Breach QAN2733027101325

Source: New York Times (via Troy Hunt interview)

Date Accessed: 2025-10-12

Incident : Data Breach QAN2733027101325

Source: vcpost.com (original article)

Date Accessed: 2025-10-12

Incident : Data Breach QAN2733027101325

Source: Twitter (JT @Matkins2021)

URL: https://twitter.com/Matkins2021/status/xxxxxx

Date Accessed: 2025-10-12

Incident : Data Breach QAN0192201101325

Source: Hackread.com

URL: https://www.hackread.com/salesforce-data-breach-scattered-lapsus-hunters/

Date Accessed: 2025-10-10

Incident : Data Breach QAN0192201101325

Source: Telegram (Threat Actor Communication)

Date Accessed: 2025-10-10

Incident : Data Breach QAN0192201101325

Source: Qantas Airways (July 2025 Breach Acknowledgment)

Date Accessed: 2025-07-01

Incident : Data Breach QAN3292432101325

Source: Qantas Airways Public Statement

Incident : Data Breach QAN3292432101325

Source: FBI Alert on Scattered Spider (X/Twitter)

Incident : Data Breach QAN3292432101325

Source: FOX Business Article

Incident : Data Breach QAN2502025101425

Source: ABC News

URL: https://www.abc.net.au/news

Incident : Data Breach QAN2502025101425

Source: AAP (Bianca De Marchi)

Incident : Data Breach QAN2502025101425

Source: Reuters (Hollie Adams)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices in the sources listed under References above.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach QAN2902229100425

Investigation Status: Ongoing (Multi-agency: FBI, GDPR authorities, private firms like Resecurity)

Incident : Data Breach QAN2562025101125

Investigation Status: Ongoing (in collaboration with authorities and external experts)

Incident : Data Breach QAN3602036101325

Investigation Status: Ongoing (Qantas collaborating with ACSC/AFP; data legitimacy confirmed by third parties)

Incident : Data Breach QAN2402124101325

Investigation Status: Ongoing (cooperation with Australian security services)

Incident : Data Breach QAN0302203101325

Investigation Status: Ongoing (authorities investigating)

Incident : Data Breach QAN2562025101325

Investigation Status: Ongoing (Qantas, federal government, and police involved)

Incident : Data Breach QAN5632856101325

Investigation Status: Ongoing (Cooperation with Australian Authorities; Salesforce Aware of Extortion Attempts)

Incident : Data Breach QAN2733027101325

Investigation Status: Ongoing (collaboration with cybersecurity experts and authorities)

Incident : Data Breach QAN0192201101325

Investigation Status: Ongoing (as of October 2025)

Incident : Data Breach QAN3292432101325

Investigation Status: Ongoing (Collaboration with Cybersecurity Experts)

Incident : Data Breach QAN2502025101425

Investigation Status: Ongoing (Regulatory and Internal)

Incident : Data Breach QAN1562015101925

Investigation Status: Confirmed (data exposed on dark web)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through public statements (downplaying impact, e.g., Salesforce), customer advisories (deadline: 2025-10-10), media engagement, public statements, customer advisories, public statements (via ABC, Information Age), website updates, direct customer notifications (via email/support line), public statements (Qantas, Google), media engagement, public statements, customer advisories on scam prevention, public statements (July and post-dark-web leak), direct emails to affected customers, media interviews (e.g., Transport Minister Catherine King), public disclosure, customer notifications (e.g., Google notified affected partners), public statements (Oct 12, 2025), social media updates, customer advisories, limited public statements (e.g., Qantas acknowledged July 2025 third-party breach but did not name vendor), Telegram/dark web monitoring for further leaks, public statements, customer notifications (specific data impact), website updates, statement on Qantas website, no direct customer notifications (criticized), and public disclosure (confirmed exposure).

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach QAN2902229100425

Stakeholder Advisories: Fortune 100 companies: prepare for potential lawsuits and regulatory inquiries. Salesforce customers: audit OAuth integrations (e.g., Drift) and monitor for IoCs. Airlines: expect GDPR fines and customer compensation claims (e.g., Air France/KLM, Qantas). Government agencies: assess exposure of employee data (e.g., FBI, DHS records in Cisco breach). Advertising partners: review Google AdWords account security for compromised credentials.

Customer Advisories: Monitor financial accounts for fraud (PII exposure). Reset passwords for any services linked to breached companies (e.g., loyalty programs). Beware of phishing emails referencing the breach (e.g., fake 'compensation' offers). Freeze credit reports if SSNs or financial data were exposed (e.g., TransUnion customers). Contact affected companies for clarity on exposed data (e.g., Aeromexico’s 39M records).

Incident : Data Breach QAN2562025101125

Stakeholder Advisories: 24/7 support line for affected customers, identity protection guidance.

Customer Advisories: Monitor accounts for suspicious activity. Beware of personalized phishing emails. Contact Qantas support for identity protection advice.

Incident : Data Breach QAN3602036101325

Stakeholder Advisories: Qantas website updates; ACSC/AFP public warnings about scams

Customer Advisories: 24/7 support line; identity protection services; encouragement to monitor for scams.

Incident : Data Breach QAN2402124101325

Stakeholder Advisories: Public statements by Qantas and Google; media briefings.

Customer Advisories: Email notifications to affected customers (Qantas, Google)

Incident : Data Breach QAN0302203101325

Stakeholder Advisories: Customer communications on scam awareness, regulatory updates.

Customer Advisories: Guidance on spotting phishing attempts; identity protection resources.

Incident : Data Breach QAN2562025101325

Stakeholder Advisories: Federal Government (Transport Minister Catherine King), Australian Federal Police, cybersecurity experts (e.g., Professor Richard Buckland).

Customer Advisories: Remain alert for phishing attempts (email, text, calls). Use two-step authentication. Never share passwords or sensitive login details. Check credit reports for fraud. Contact IDCare or Scamwatch if suspicious activity occurs.

Incident : Data Breach QAN5632856101325

Customer Advisories: Qantas and Google Notified Affected Customers/Partners

Incident : Data Breach QAN2733027101325

Stakeholder Advisories: Australian Government (Cyber Resilience Laws), Office Of The Australian Information Commissioner (Oaic).

Customer Advisories: Public statement on Qantas website (Oct 12, 2025). Recommendations for customers to monitor for identity theft. Assurance that no further breaches detected.

Incident : Data Breach QAN0192201101325

Stakeholder Advisories: Salesforce: likely issued private advisories to customers about the vulnerability and patching. Affected companies: internal communications to employees and possibly regulators. Cybersecurity agencies: alerts about the threat actor group's tactics (e.g., CISA, NCSC, ACSC).

Customer Advisories: Qantas: previous advisory in July 2025 about a third-party breach (likely linked). Other companies: most have not issued public statements as of October 10, 2025.

Incident : Data Breach QAN3292432101325

Stakeholder Advisories: Public Updates Via Website, Customer Support Line.

Customer Advisories: Identity protection services offered; specific data impact notifications.

Incident : Data Breach QAN2502025101425

Stakeholder Advisories: Statement On Qantas Website.

Customer Advisories: IDCARE Support Offered on Case-by-Case Basis

What advisories does the company provide to stakeholders and customers following an incident?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Fortune 100 companies: prepare for potential lawsuits and regulatory inquiries; Salesforce customers: audit OAuth integrations (e.g., Drift) and monitor for IoCs; airlines: expect GDPR fines and customer compensation claims (e.g., Air France/KLM, Qantas); government agencies: assess exposure of employee data (e.g., FBI, DHS records in Cisco breach); advertising partners: review Google AdWords account security for compromised credentials; monitor financial accounts for fraud (PII exposure); reset passwords for any services linked to breached companies (e.g., loyalty programs); beware of phishing emails referencing the breach (e.g., fake 'compensation' offers); freeze credit reports if SSNs or financial data were exposed (e.g., TransUnion customers); contact affected companies for clarity on exposed data (e.g., Aeromexico's 39M records); 24/7 support line for affected customers; identity protection guidance; monitor accounts for suspicious activity; beware of personalized phishing emails; contact Qantas support for identity protection advice; Qantas website updates; ACSC/AFP public warnings about scams; 24/7 support line; identity protection services; encouragement to monitor for scams; public statements by Qantas, Google; media briefings; email notifications to affected customers (Qantas, Google); customer communications on scam awareness; regulatory updates; guidance on spotting phishing attempts; identity protection resources; Federal Government (Transport Minister Catherine King), Australian Federal Police, cybersecurity experts (e.g., Professor Richard Buckland); remain alert for phishing attempts (email, text, calls); use two-step authentication; never share passwords or sensitive login details; check credit reports for fraud; contact IDCare or Scamwatch if suspicious activity occurs; Qantas and Google notified affected customers/partners; Australian Government (cyber resilience laws), Office of the Australian Information Commissioner (OAIC); public statement on Qantas website (Oct 12, 2025); recommendations for customers to monitor for identity theft; assurance that no further breaches detected; Salesforce: likely issued private advisories to customers about the vulnerability and patching; affected companies: internal communications to employees and possibly regulators; cybersecurity agencies: alerts about the threat actor group's tactics (e.g., CISA, NCSC, ACSC); Qantas: previous advisory in July 2025 about a third-party breach (likely linked); other companies: most have not issued public statements as of October 10, 2025; public updates via website, customer support line; identity protection services offered; specific data impact notifications; statement on Qantas website; IDCARE support offered on case-by-case basis.

Initial Access Broker

How did the initial access broker gain entry for each incident?

Incident : Data Breach QAN2902229100425

Entry Point: Stolen OAuth tokens (Salesloft Drift), vishing attacks, compromised corporate emails, exploited Salesforce misconfigurations.

Reconnaissance Period: Up to 3 years (e.g., Vietnam Airlines); historical access since 2019 (claimed).

Backdoors Established: Persistent access via Salesforce instances; dark web data monetization channels.

High Value Targets: Fortune 100 companies, airlines (PII-rich databases), government/military personnel data, advertising platforms (Google AdWords).

Data Sold on Dark Web: Fortune 100 companies, airlines (PII-rich databases), government/military personnel data, advertising platforms (Google AdWords).

Incident : Data Breach QAN2562025101125

Entry Point: Salesforce Database (compromised between April 2024–September 2025)

High Value Targets: Customer databases (PII), frequent flyer programs.

Data Sold on Dark Web: Customer databases (PII), frequent flyer programs.

Incident : Data Breach QAN3602036101325

Entry Point: Third-Party Call Center (linked to Salesforce customer management platform)

Reconnaissance Period: Likely months (UNC60400 voice phishing campaigns targeted Salesforce customers for 'several months' per Google GTIG)

High Value Targets: Qantas Frequent Flyer program data, customer PII.

Data Sold on Dark Web: Qantas Frequent Flyer program data, customer PII.

Incident : Data Breach QAN2402124101325

Entry Point: Customer support employees (tricked via IT impersonation)

High Value Targets: Salesforce corporate servers, customer contact center systems.

Data Sold on Dark Web: Salesforce corporate servers, customer contact center systems.

Incident : Data Breach QAN0302203101325

Entry Point: Compromised Salesforce tenant (third-party)

High Value Targets: Customer PII, frequent-flyer data.

Data Sold on Dark Web: Customer PII, frequent-flyer data.

Incident : Data Breach QAN2562025101325

Entry Point: Vishing (voice phishing calls to employees)

High Value Targets: Salesforce-linked global corporations (e.g., Disney, Google, IKEA, Toyota, Qantas).

Data Sold on Dark Web: Salesforce-linked global corporations (e.g., Disney, Google, IKEA, Toyota, Qantas).

Incident : Data Breach QAN5632856101325

Entry Point: Salesforce Customer Contact Centre (via Third-Party Platform)

High Value Targets: Customer databases (PII), frequent flyer programs.

Data Sold on Dark Web: Customer databases (PII), frequent flyer programs.

Incident : Data Breach QAN2733027101325

Entry Point: Third-Party Call Center Platform (Salesforce-linked)

High Value Targets: Customer PII, frequent flyer data.

Data Sold on Dark Web: Customer PII, frequent flyer data.

Incident : Data Breach QAN0192201101325

Entry Point: Exploited Salesforce vulnerability (likely API or authentication flaw).

Reconnaissance Period: Unknown (likely weeks/months prior to October 3 disclosure).

Backdoors Established: Possible (to maintain persistence for data exfiltration).

High Value Targets: Airlines (Qantas, Vietnam Airlines, Air France/KLM) for PII and loyalty data; retailers (Gap, Albertsons) for customer purchase histories; luxury brands (Cartier, Chanel) for high-net-worth individual data.

Data Sold on Dark Web: Airlines (Qantas, Vietnam Airlines, Air France/KLM) for PII and loyalty data; retailers (Gap, Albertsons) for customer purchase histories; luxury brands (Cartier, Chanel) for high-net-worth individual data.

Incident : Data Breach QAN3292432101325

Entry Point: Third-Party Contact Center Platform

High Value Targets: Customer service records (6M profiles).

Data Sold on Dark Web: Customer service records (6M profiles).

Incident : Data Breach QAN2502025101425

Entry Point: Qantas Call Center Worker in the Philippines (Tricked via Social Engineering)

High Value Targets: Customer PII data on Salesforce.

Data Sold on Dark Web: Customer PII data on Salesforce.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident?

Incident : Data Breach QAN2902229100425

Root Causes: Insecure OAuth token management in Salesforce integrations (Drift); lack of dark web monitoring for early leak detection; delayed patching of known Salesforce vulnerabilities (UNC6040/UNC6395); insufficient segmentation of high-value data (e.g., airline passenger records); failure to engage with threat actors preemptively (e.g., Salesforce's dismissed claims); regulatory gaps in cross-border data breach notifications (e.g., Vietnam CIC).

Corrective Actions: Salesforce: enforce token expiration and anomaly detection for OAuth integrations; companies: implement dark web monitoring for brand/employee data; airlines: encrypt PII and limit access to loyalty program databases; government: mandate breach disclosure timelines (e.g., 72 hours under GDPR); advertising platforms: audit third-party access to customer data (e.g., Google AdWords partners); law enforcement: prioritize disruption of ransomware leak sites (e.g., DDoS mitigation).

Incident : Data Breach QAN2562025101125

Root Causes: Third-party vulnerability (Salesforce database breach); likely insufficient access controls or monitoring for exfiltration; threat actor sophistication (Scattered Lapsus$ Hunters' expertise in system connections).

Corrective Actions: Strengthen third-party security requirements; enhance data encryption and access logging; improve incident response coordination with vendors; expand customer notification and protection programs.

Incident : Data Breach QAN3602036101325

Root Causes: Third-party vendor security weaknesses; voice phishing vulnerabilities (UNC60400); inadequate data segmentation (PII accessible via call center).

Incident : Data Breach QAN2402124101325

Root Causes: Successful social engineering (IT impersonation) targeting customer support staff; inadequate access controls for third-party platforms (Salesforce); lack of MFA or behavioral authentication for high-risk systems.

Incident : Data Breach QAN0302203101325

Root Causes: Inadequate third-party access controls in Salesforce environment; social engineering/credential abuse vulnerabilities; lack of data minimization in third-party integrations.

Corrective Actions: Strengthened monitoring and credential reset policies; tighter supplier access controls; enhanced incident response coordination with vendors; customer-facing scam prevention campaigns.

Incident : Data Breach QAN2562025101325

Root Causes: Successful vishing attack exploiting human error; inadequate verification of caller identities.

Incident : Data Breach QAN5632856101325

Root Causes: Social engineering exploits (impersonation of IT staff); inadequate access controls for third-party platforms; human error (employees tricked into sharing credentials).

Incident : Data Breach QAN2733027101325

Root Causes: Inadequate third-party vendor security controls; lack of real-time data exfiltration detection; over-reliance on legal measures (e.g., injunctions) to mitigate cyber threats.

Corrective Actions: Termination/remediation of vulnerable third-party contracts; deployment of dark web monitoring tools; review of data retention policies (e.g., necessity of storing meal preferences).

Incident : Data Breach QAN0192201101325

Root Causes: Inadequate security controls in Salesforce's API/authentication systems; over-reliance on third-party vendors without robust oversight (e.g., Qantas' July 2025 breach); excessive data collection/retention (e.g., storing passport numbers in CRM systems); delayed patching or lack of detection for the exploited vulnerability.

Corrective Actions: Salesforce: emergency patches, enhanced logging, and customer notifications; affected companies: data minimization efforts, CRM access reviews, and incident response drills; industry: push for stricter third-party risk management standards in cloud services.

Incident : Data Breach QAN3292432101325

Root Causes: Third-party vendor vulnerabilities; social engineering exploits (MFA bypass).

Corrective Actions: Enhanced training; system monitoring upgrades; third-party security audits (implied).

Incident : Data Breach QAN2502025101425

Root Causes: Social engineering attack on call center worker; inadequate third-party security (Salesforce access controls); poor incident communication and customer support.

What is the company's process for conducting post-incident analysis?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Resecurity (threat intelligence), FBI (investigation), dark web monitoring firms; FBI indicators of compromise (IoCs), dark web threat intelligence; external cybersecurity experts, legal support (NSW Supreme Court injunction); likely (advised customers to monitor accounts); Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), specialist cybersecurity experts (unnamed); likely (given collaboration with ACSC/AFP); Australian security services, legal counsel (for injunction); Salesforce, law enforcement; Federal Government, Australian Federal Police, cybersecurity experts; dark web channels monitored to confirm leaked data; cybersecurity experts (unnamed), Australian security agencies; cybersecurity firms (e.g., Mandiant, CrowdStrike) likely engaged, Salesforce's internal security team; expected for Salesforce and affected companies; cybersecurity experts; IDCARE (identity support for affected customers).

What corrective actions has the company taken based on post-incident analysis?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Salesforce: enforce token expiration and anomaly detection for OAuth integrations; companies: implement dark web monitoring for brand/employee data; airlines: encrypt PII and limit access to loyalty program databases; government: mandate breach disclosure timelines (e.g., 72 hours under GDPR); advertising platforms: audit third-party access to customer data (e.g., Google AdWords partners); law enforcement: prioritize disruption of ransomware leak sites (e.g., DDoS mitigation); strengthen third-party security requirements; enhance data encryption and access logging; improve incident response coordination with vendors; expand customer notification and protection programs; strengthened monitoring and credential reset policies; tighter supplier access controls; enhanced incident response coordination with vendors; customer-facing scam prevention campaigns; termination/remediation of vulnerable third-party contracts; deployment of dark web monitoring tools; review of data retention policies (e.g., necessity of storing meal preferences); Salesforce: emergency patches, enhanced logging, and customer notifications; affected companies: data minimization efforts, CRM access reviews, and incident response drills; industry: push for stricter third-party risk management standards in cloud services; enhanced training, system monitoring upgrades, third-party security audits (implied).

Additional Questions

General Information

Has the company ever paid ransoms?

Ransom Payment History: The company has paid ransoms in the past.

What was the amount of the last ransom demanded?

Last Ransom Demanded: The amount of the last ransom demanded was undisclosed (negotiation deadline: 2025-10-10); threats of regulatory reporting (GDPR).

Who was the attacking group in the last incident?

Last Attacking Group: The attacking groups recorded for the last incident were Trinity of Chaos; Lapsus$; Scattered Spider; ShinyHunters; UNC6040; UNC6395; 1973cn; Scattered Lapsus$ Hunters; Scattered Lapsus$ Hunters (SLSH); UNC60400; Scattered Lapsus$ Hunters (cybercriminal alliance); Scattered Lapsus$ Hunters (affiliations: Scattered Spider, Lapsus$, ShinyHunters; type: hacktivist/cybercriminal collective); and Scattered Spider.

Incident Details

What was the most recent incident detected?

Most Recent Incident Detected: The most recent incident detected was on 2024-06.

What was the most recent incident publicly disclosed?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-07.

Impact of the Incidents

What was the most significant data compromised in an incident?

Most Significant Data Compromised: The most significant data compromised in an incident were: PII (passenger info, loyalty points, activity history), internal communications, customer-vendor relationships, employee records (law enforcement, military, federal agencies), advertising partner data (Google AdWords), Salesforce records (accounts, contacts, opportunities); email addresses, phone numbers, birth dates, frequent flyer numbers; customer names, email addresses, phone numbers, birth dates, Qantas Frequent Flyer numbers; names, email addresses, phone numbers, dates of birth, frequent-flyer numbers; names, email addresses, phone numbers, birth dates, frequent flyer numbers, home addresses (for some customers), gender (for some customers); names (5M+ customers), email addresses (5M+ customers), frequent flyer details (5M+ customers), home/business addresses (~1M customers), phone numbers (~1M customers), birth dates (~1M customers), genders (~1M customers), meal preferences (~1M customers); total records: 989,000,000; leaked records: Qantas Airways 5,000,000, Vietnam Airlines 23,000,000, Albertsons 672,000, GAP, INC. 224,000, Fujifilm 224,000, Engie Resources 537,000 (total leaked 29,733,000); data types: personally identifiable information (PII), loyalty program data, internal CRM metadata, business contact details, geolocation data, financial transaction records, corporate tax information, travel history, customer preferences, internal reports/links; names, email addresses, phone numbers, birth dates, frequent flyer numbers; names, addresses, personally identifiable information (PII), and customer data (up to 5.7 million records).

What was the most significant system affected in an incident?

Most Significant System Affected: The most significant systems affected in an incident were: Salesforce instances; Salesloft's Drift AI chat integration; corporate email systems; dark web data leak site (DLS); Telegram channels; Salesforce database; third-party call center platform; customer management system (Salesforce instance); Salesforce corporate servers; Qantas customer contact center system; Salesforce tenant (third-party); Qantas customer database (hosted on Salesforce platform); Salesforce customer contact centre platform; third-party call center platform (Salesforce-linked); customer database; Salesforce CRM platform; third-party vendor systems (e.g., Qantas' July 2025 breach); third-party contact center platform; Salesforce (third-party platform).

Response to the Incidents

What third-party assistance was involved in the most recent incident?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was: Resecurity (threat intelligence), FBI (investigation), dark web monitoring firms; external cybersecurity experts, legal support (NSW Supreme Court injunction); Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), specialist cybersecurity experts (unnamed); Australian security services, legal counsel (for injunction); Salesforce, law enforcement; Federal Government, Australian Federal Police, cybersecurity experts; cybersecurity experts (unnamed), Australian security agencies; cybersecurity firms (e.g., Mandiant, CrowdStrike) likely engaged, Salesforce's internal security team; cybersecurity experts; IDCARE (identity support for affected customers).

What containment measures were taken in the most recent incident?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Salesforce instance isolation; OAuth token revocation; dark web takedown attempts (DDoS on DLS); legal injunction to block data access/use; legal injunction to block data access/release; dark web monitoring; legal injunction to block data dissemination; access revocation for compromised systems; credential resets; increased monitoring for unusual activity; injunction to deter data dissemination; NSW Supreme Court injunction to block data access; dark web monitoring; legal injunction to prevent data spread (Australia-only); court injunction to block data access/use; third-party platform review; Salesforce likely patched the exploited vulnerability; affected companies may have isolated CRM systems; password resets for exposed accounts; court order to block data access/use; third-party platform isolation.

Data Breach Information

What was the most sensitive data compromised in a breach?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Salesforce Records (Accounts, Contacts, Opportunities), PII (Passenger Info, Loyalty Points, Activity History), Home/Business addresses (~1M customers), Addresses, Names, Phone Numbers, Customer data (up to 5.7 million records), Frequent-Flyer Numbers, Gender (for some customers), Personally Identifiable Information (PII), Phone numbers (~1M customers), Birth dates (~1M customers), Customer-Vendor Relationships, Dates of Birth, Email Addresses, Customer Names, Birth Dates, Genders (~1M customers), Qantas Frequent Flyer Numbers, Email addresses (5M+ customers), Employee Records (Law Enforcement, Military, Federal Agencies), Meal preferences (~1M customers), Frequent Flyer Numbers, Internal Communications, Frequent flyer details (5M+ customers), Home Addresses (for some customers), Advertising Partner Data (Google AdWords) and Names (5M+ customers).

What was the number of records exposed in the most significant breach?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 2.6B.

Ransomware Information

Regulatory Compliance

What was the highest fine imposed for a regulatory violation?

Highest Fine Imposed: The highest fine imposed for a regulatory violation was: potential (e.g., Qantas previously fined for negligence); GDPR penalties (up to 4% of global revenue); speculated to be in billions (under investigation).

What was the most significant legal action taken for a regulatory violation?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was: class-action lawsuits (expected), criminal negligence charges (threatened), regulatory investigations (ongoing); NSW Supreme Court injunction (to block data misuse); NSW Supreme Court interim injunction (July 2023), AFP/FBI investigation; legal injunction (Qantas vs. data dissemination); regulatory scrutiny, potential enforceable undertakings; NSW Supreme Court injunction to prevent data access; Qantas secured injunction from Supreme Court of New South Wales; court injunction filed (to block data dissemination); potential class-action lawsuits, regulatory investigations (e.g., by ICO, FTC); court order to prevent data dissemination; regulatory investigation by Office of the Australian Information Commissioner.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive measures are needed to prevent social engineering attacks.

What was the most significant recommendation implemented to improve cybersecurity?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: conduct regular third-party risk assessments for vendors handling sensitive data; educate customers on phishing risks post-breach (personalized scams likely); explore data anonymization for non-critical customer preferences; invest in advanced threat detection for credential abuse and social engineering; enhance employee training on social engineering and phishing (especially for customer support teams); enhance employee training to prevent social engineering attacks; collaborate with law enforcement and cybersecurity firms for threat intelligence sharing; conduct regular security audits of third-party vendors; provide free identity monitoring services to affected customers; implement zero-trust architecture for third-party integrations; advocate for stronger international cybercrime enforcement collaboration; enhance employee training to recognize social engineering tactics (e.g., impersonation scams); improve incident response coordination among affected entities in supply-chain attacks; implement stricter access controls and multi-factor authentication for third-party platforms; implement stricter data access controls and monitoring for high-value databases; train employees on vishing/social engineering tactics used by groups like Lapsus$; enhance data minimization strategies to reduce exposure in third-party systems; consider proactive dark web monitoring for leaked data; implement multi-factor authentication (MFA) and stricter access controls for third-party platforms; review incident response plans for ransomware extortion + data leak scenarios; develop a robust customer support framework for post-breach identity protection; monitor credit reports for fraudulent activity; conduct regular audits of third-party vendors' security practices; implement stricter supplier access controls and audit trails; develop cross-border legal strategies to address data breaches with global implications; establish a clear, proactive communication plan for data breaches; establish a dark web monitoring program to detect leaked credentials/data; enforce MFA and conditional access policies for all OAuth integrations; prepare for DDoS attacks on leak sites (e.g., Trinity of Chaos DLS); conduct regular third-party security audits (especially for customer-facing platforms); enable two-step authentication for online accounts; implement multi-factor authentication (MFA) for third-party platform access; implement Zero Trust Architecture for cloud services (e.g., Salesforce); develop a pre-emptive regulatory engagement strategy (e.g., GDPR breach notifications); use resources like IDCare, Australian Cyber Security Centre, and Scamwatch; conduct third-party risk assessments for SaaS providers (e.g., Drift, Salesloft); enhance third-party risk assessments (e.g., Salesforce security audits); avoid clicking links in unsolicited emails/texts; isolate high-value systems (e.g., airline passenger databases) with network segmentation; coordinate with law enforcement (FBI, INTERPOL) for threat actor disruption; verify caller identities via official channels; develop cross-organizational incident response protocols for supply chain attacks; enhance incident response plans for ransomware/data extortion scenarios; and conduct regular third-party security assessments and penetration testing.

References

What is the most recent source of information about an incident?

Most Recent Source: The most recent sources of information about an incident are vcpost.com (original article), Information Age, Hackread.com, ABC News, FBI Flash Warning (Salesforce Exploitation), Troy Hunt (Cybersecurity Researcher), Australian Federal Police (AFP) Advisory, University of New South Wales (Professor Richard Buckland), Resecurity Threat Intelligence Report, Qantas GDPR Fine Announcement, Qantas Airways Statement (2023-07), Unit 42 (Cybersecurity Research Team), Unit 42 Research Note (Scattered Lapsus$ Hunters), The Guardian Australia, New York Times (via Troy Hunt interview), Google Security Blog (UNC6040 Incident), Reuters, Reuters (Hollie Adams), Scattered Lapsus$ Hunters (SLSH) Telegram Channel, FBI Warning on Salesforce Client Scams, AAP (Bianca De Marchi), AFP (Agence France-Presse), Qantas Airways (July 2025 Breach Acknowledgment), Cyber Threat Intelligence (Jeremy Kirk, Executive Editor), Telegram Channel (SLSH 6.0 Part 3), Agence France-Presse (AFP), The Guardian, Stellantis Breach Disclosure, FBI Warning on Salesforce Attacks, Google Cloud Security Communications (2023-08), CloudTech News (TechForge Media), Have I Been Pwned (Troy Hunt), FBI Alert on Scattered Spider (X/Twitter), Trinity of Chaos Data Leak Site (TOR), Qantas Airways Public Statement, Shutterstock (reported imagery), Twitter (JT @Matkins2021), Telegram (Threat Actor Communication), FOX Business Article and ABC News Australia.

What is the most recent URL for additional resources on cybersecurity best practices?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://www.theguardian.com/australia-news, https://haveibeenpwned.com, https://www.cyber.gov.au/report, https://www.abc.net.au/news, https://www.cloudcomputing-news.net/, https://twitter.com/Matkins2021/status/xxxxxx, https://www.hackread.com/salesforce-data-breach-scattered-lapsus-hunters/ and https://www.abc.net.au/news.

Investigation Status

What is the current status of the most recent investigation?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Multi-agency: FBI, GDPR authorities, private firms like Resecurity).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: Fortune 100 companies: prepare for potential lawsuits and regulatory inquiries; Salesforce customers: audit OAuth integrations (e.g., Drift) and monitor for IoCs; airlines: expect GDPR fines and customer compensation claims (e.g., Air France/KLM, Qantas); government agencies: assess exposure of employee data (e.g., FBI, DHS records in Cisco breach); advertising partners: review Google AdWords account security for compromised credentials; 24/7 support line for affected customers; identity protection guidance; Qantas website updates; ACSC/AFP public warnings about scams; public statements by Qantas, Google; media briefings; customer communications on scam awareness; regulatory updates; Federal Government (Transport Minister Catherine King), Australian Federal Police, cybersecurity experts (e.g., Professor Richard Buckland); Australian Government (cyber resilience laws), Office of the Australian Information Commissioner (OAIC); Salesforce: likely issued private advisories to customers about the vulnerability and patching; affected companies: internal communications to employees and possibly regulators; cybersecurity agencies: alerts about the threat actor group's tactics (e.g., CISA, NCSC, ACSC); public updates via website, customer support line; statement on Qantas website.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were:
- Monitor financial and other accounts for fraud and suspicious activity (PII exposure); check credit reports for fraud.
- Reset passwords for any services linked to breached companies (e.g., loyalty programs); use two-step authentication; never share passwords or sensitive login details.
- Beware of phishing emails, texts and calls referencing the breach, including personalized messages and fake 'compensation' offers; guidance on spotting phishing attempts was provided.
- Freeze credit reports if SSNs or financial data were exposed (e.g., TransUnion customers).
- Contact affected companies for clarity on exposed data (e.g., Aeromexico's 39M records).
- Contact Qantas support for identity protection advice; a 24/7 support line, identity protection services and IDCARE support were offered on a case-by-case basis, with specific data impact notifications.
- Contact IDCare or Scamwatch if suspicious activity occurs.
- Email notifications to affected customers and partners from Qantas and Google.
- Public statement on the Qantas website (Oct 12, 2025): recommendations for customers to monitor for identity theft, and assurance that no further breaches were detected.
- Qantas: previous advisory in July 2025 about a third-party breach (likely linked). Other companies: most had not issued public statements as of October 10, 2025.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were:
- Compromised Salesforce tenant (third-party), i.e., the Salesforce database (compromised between April 2024 and September 2025).
- Third-party contact center / call center platform linked to the Salesforce customer management platform (the Salesforce customer contact centre reached via a third-party platform).
- Vishing (voice phishing calls to employees): customer support employees tricked via IT impersonation, including a Qantas call center worker in the Philippines tricked via social engineering.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance periods reported for incidents were:
- Up to 3 years (e.g., Vietnam Airlines), with historical access claimed since 2019.
- Likely months (UNC6040 voice phishing campaigns targeted Salesforce customers for 'several months' per Google GTIG).
- Unknown (likely weeks to months prior to the October 3 disclosure).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were:
- Insecure OAuth token management in Salesforce integrations (Drift).
- Lack of dark web monitoring for early leak detection.
- Delayed patching and slow response to the known Salesforce-targeting threat clusters (UNC6040/UNC6395).
- Insufficient segmentation of high-value data (e.g., airline passenger records; PII accessible via the call center).
- Failure to engage with threat actors pre-emptively (e.g., Salesforce's dismissed claims).
- Regulatory gaps in cross-border data breach notifications (e.g., Vietnam CIC).
- Third-party vulnerability (Salesforce database breach) and third-party vendor security weaknesses, with likely insufficient access controls or monitoring for exfiltration.
- Threat actor sophistication (Scattered Lapsus$ Hunters' expertise in system connections).
- Voice phishing (UNC6040): successful social engineering (IT impersonation) targeting customer support staff, inadequate verification of caller identities, and employees tricked into sharing credentials (MFA bypass).
- Inadequate access controls for third-party platforms (Salesforce), including lack of MFA or behavioral authentication for high-risk systems.
- Lack of data minimization in third-party integrations; excessive data collection/retention (e.g., storing passport numbers in CRM systems).
- Lack of real-time data exfiltration detection.
- Over-reliance on third-party vendors without robust oversight (e.g., Qantas' July 2025 breach) and over-reliance on legal measures (e.g., injunctions) to mitigate cyber threats.
- Inadequate security controls in Salesforce's API/authentication systems; delayed patching or lack of detection for the exploited vulnerability.
- Poor incident communication and customer support.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were:
- Salesforce: enforce token expiration and anomaly detection for OAuth integrations; emergency patches, enhanced logging and customer notifications.
- Companies: implement dark web monitoring for brand/employee data; data minimization efforts, CRM access reviews and incident response drills.
- Airlines: encrypt PII and limit access to loyalty program databases.
- Government: mandate breach disclosure timelines (e.g., 72 hours under GDPR).
- Advertising platforms: audit third-party access to customer data (e.g., Google AdWords partners).
- Law enforcement: prioritize disruption of ransomware leak sites (e.g., DDoS mitigation).
- Strengthen third-party security requirements and tighten supplier access controls; terminate or remediate vulnerable third-party contracts; third-party security audits (implied).
- Enhance data encryption, access logging and system monitoring; strengthened monitoring and credential reset policies.
- Improve incident response coordination with vendors.
- Expand customer notification and protection programs; customer-facing scam prevention campaigns.
- Deploy dark web monitoring tools and review data retention policies (e.g., the necessity of storing meal preferences).
- Industry: push for stricter third-party risk management standards in cloud services.
- Enhanced training.
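The advisories above tell Salesforce customers to audit OAuth integrations such as Drift, and the corrective actions call for token expiration and anomaly detection on those grants. The following is an added example of what that audit looks like in practice; it is not Rankiteo, Salesforce or Qantas code. It assumes the rows come from a SOQL query on the OauthToken object with the field names Id, AppName, UserId, LastUsedDate and UseCount, an allowlist mapping each approved connected app to the only user IDs permitted to hold a grant for it, and that deleting an OauthToken record revokes the grant; the policy and the sample rows are constructed for the demo.

```python
"""Audit Salesforce OAuth grants: unapproved apps, grants held by the wrong user,
and stale tokens that should be revoked.

Added example; not Rankiteo, Salesforce or Qantas code. Rows are shaped like the
result of the (assumed) SOQL query below against the OauthToken object; the
field names, the policy and the sample rows are assumptions for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed query; adjust field names if the org's API version differs.
SOQL = "SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken"

# Constructed policy: approved connected apps and the only user IDs allowed to
# hold a grant for each (integration apps should be bound to a dedicated user).
APPROVED_APPS = {
    "Drift": {"005DRIFTINTEG001"},
    "Salesforce CLI": {"005ADMIN00000001"},
}
MAX_IDLE_DAYS = 90


@dataclass(frozen=True)
class Finding:
    token_id: str
    app: str
    user: str
    action: str   # "revoke" or "review"
    reason: str


def parse_sf_datetime(value: str) -> datetime:
    # Salesforce timestamps look like 2025-10-10T08:00:00.000+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_tokens(rows, now, approved=APPROVED_APPS, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of Findings; tokens with no problem produce none."""
    findings = []
    for r in rows:
        tid, app, user = r["Id"], r["AppName"], r["UserId"]
        if app not in approved:
            findings.append(Finding(tid, app, user, "revoke", "app not on allowlist"))
            continue
        if user not in approved[app]:
            # An approved app granted to an unexpected (e.g. call-center) user is the
            # shape a vished account or an attacker-registered grant would take.
            findings.append(Finding(tid, app, user, "review", "grant held by unexpected user"))
        last = r.get("LastUsedDate")
        if last is None:
            findings.append(Finding(tid, app, user, "revoke", "never used"))
        else:
            idle = now - parse_sf_datetime(last)
            if idle > timedelta(days=max_idle_days):
                findings.append(Finding(tid, app, user, "revoke", f"idle for {idle.days} days"))
    return findings


def revocation_plan(findings):
    """Token IDs to delete (deleting the OauthToken record revokes it; assumed)."""
    return sorted({f.token_id for f in findings if f.action == "revoke"})


NOW = datetime(2025, 10, 12, tzinfo=timezone.utc)
SAMPLE_ROWS = [  # constructed rows, not real tenant data
    {"Id": "T1", "AppName": "Drift", "UserId": "005DRIFTINTEG001",
     "LastUsedDate": "2025-10-10T08:00:00.000+0000", "UseCount": 1200},
    {"Id": "T2", "AppName": "Drift", "UserId": "005CALLCENTRE01",
     "LastUsedDate": "2025-10-11T02:15:00.000+0000", "UseCount": 3},
    {"Id": "T3", "AppName": "Salesforce CLI", "UserId": "005ADMIN00000001",
     "LastUsedDate": "2025-03-01T09:00:00.000+0000", "UseCount": 40},
    {"Id": "T4", "AppName": "Data Loader Bulk", "UserId": "005CALLCENTRE01",
     "LastUsedDate": "2025-10-11T02:20:00.000+0000", "UseCount": 17},
    {"Id": "T5", "AppName": "Drift", "UserId": "005DRIFTINTEG001",
     "LastUsedDate": None, "UseCount": 0},
]

if __name__ == "__main__":
    found = audit_tokens(SAMPLE_ROWS, NOW)
    for f in found:
        print(f"{f.action:6} {f.token_id} {f.app!r} user={f.user}: {f.reason}")
    print("revoke:", revocation_plan(found))
```

Replace SAMPLE_ROWS with the records the SOQL query returns to run this against a real org. 'revoke' findings (unknown apps, never-used or idle grants) can be actioned directly; 'review' findings (an approved app granted to a user outside its allowlist) go to a human, since that is the pattern a social-engineered support account produces.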


Latest Global CVEs (Not Company-Specific)

Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. (This is the app_password parameter). Depending on local configuration, this password could be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10.

Risk Information
cvss4
Base: 6.9
Severity: MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.

Risk Information
cvss3
Base: 9.4
Severity: CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description

Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below ship MySQLSelectTool, which is vulnerable to a read-only bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12.

Risk Information
cvss3
Base: 8.2
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
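The two Neuron entries above describe one problem from both sides: a write tool that runs caller-supplied SQL with whatever privileges the DB account has, and a "read-only" tool whose first-keyword-plus-blocklist check misses INTO OUTFILE / INTO DUMPFILE. The following added example, written in Python rather than Neuron's PHP and not the project's code, puts that naive check beside a hardened one and shows inputs the naive check waves through, including comment-separated keywords and the MySQL /*! ... */ executable-comment form. Function names, the denylist, the grant statement and the sample queries are assumptions for the demo.

```python
"""Read-only gate for an LLM agent's SQL tool: the naive check beside a hardened one.

Added example in Python (Neuron itself is PHP); not the project's code. It only
reproduces the check pattern the advisory describes. Names, the denylist, the
grant text and the sample queries are constructed for this demo.
"""
import re

# --- Naive gate: first keyword plus a forbidden-word list (the advisory's pattern).
NAIVE_FORBIDDEN = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "CREATE"}


def naive_is_readonly(sql: str) -> bool:
    words = sql.strip().upper().split()
    return bool(words) and words[0] == "SELECT" and not (set(words) & NAIVE_FORBIDDEN)


# --- Hardened gate: allowlisted first keyword, denylist applied to real tokens,
# string literals removed first, single statement only, fail closed on anything odd.
ALLOWED_FIRST = {"SELECT", "WITH"}
DENIED_TOKENS = {
    "INTO", "OUTFILE", "DUMPFILE", "LOAD_FILE",           # file write / read primitives
    "INSERT", "UPDATE", "DELETE", "REPLACE", "MERGE",     # DML
    "DROP", "ALTER", "TRUNCATE", "CREATE", "RENAME",      # DDL
    "GRANT", "REVOKE", "SET", "CALL", "LOCK", "HANDLER", "LOAD",
    "SLEEP", "BENCHMARK",                                 # resource abuse
}
WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def strip_string_literals(sql: str) -> str:
    """Replace '...', "..." and `...` literals with a placeholder so keywords that
    appear inside data do not trip the denylist; raise on an unterminated literal.
    Comments are deliberately NOT stripped: MySQL executes the contents of
    /*! ... */, so comment text is inspected as if it were code (fail closed)."""
    out, i, n = [], 0, len(sql)
    while i < n:
        q = sql[i]
        if q not in "'\"`":
            out.append(q)
            i += 1
            continue
        j, closed = i + 1, False
        while j < n:
            if sql[j] == "\\":                  # backslash escape (default sql_mode)
                j += 2
                continue
            if sql[j] == q:
                if j + 1 < n and sql[j + 1] == q:   # doubled quote stays inside
                    j += 2
                    continue
                closed = True
                break
            j += 1
        if not closed:
            raise ValueError("unterminated literal")
        out.append(" ? ")
        i = j + 1
    return "".join(out)


def hardened_is_readonly(sql: str) -> bool:
    try:
        body = strip_string_literals(sql).strip().rstrip(";").strip()
    except ValueError:
        return False
    if ";" in body:                              # stacked statements
        return False
    tokens = [t.upper() for t in WORD.findall(body)]
    if not tokens or tokens[0] not in ALLOWED_FIRST:
        return False
    return not (set(tokens) & DENIED_TOKENS)


# The gate is defence in depth. The control that actually removes the file-write
# primitive is the DB account: no FILE privilege, SELECT only, and secure_file_priv
# pointed at a non-web-served directory (or NULL) in my.cnf. Suggested grant:
AGENT_USER_GRANTS = """
CREATE USER 'agent_ro'@'%' IDENTIFIED BY '<strong-random-password>';
GRANT SELECT ON app.* TO 'agent_ro'@'%';   -- no FILE, no write privileges
"""

SAMPLES = [  # constructed
    "SELECT name FROM customers WHERE id = 42",
    "SELECT 'x' INTO OUTFILE '/var/www/html/x.txt'",
    "SELECT 1/**/INTO/**/DUMPFILE '/tmp/f'",
    "SELECT 1 /*! INTO OUTFILE '/tmp/f' */",
    "SELECT name FROM customers WHERE note = 'into outfile'",
    "WITH c AS (SELECT 1 AS n) SELECT n FROM c",
    "SELECT 1; DROP TABLE customers",
    "SELECT 'unterminated",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_is_readonly(s)!s:5} hardened={hardened_is_readonly(s)!s:5} {s}")
```

The naive check passes the OUTFILE query outright and cannot even see keywords glued together with /**/, because it splits on whitespace; the hardened version tokenizes on identifier boundaries after removing literals, so a denied word is caught wherever it sits, at the cost of rejecting a legitimate comment that contains an apostrophe (fail closed). Neither replaces the least-privilege account, which is what makes INTO OUTFILE harmless even if a future bypass gets through.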
Description

Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.

Risk Information
cvss3
Base: 8.4
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Description

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.11.0 through 4.11.1 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.

Risk Information
cvss3
Base: 5.4
Severity: MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
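The Okta SDK and Auth0 entries above describe the same bug class: a client object shared between concurrent requests that keeps per-request state (status, headers, cached token results) on the instance, so one caller can receive another caller's result. The following is an added example, not Okta's or Auth0's code, that reproduces that class with a constructed in-memory transport. The barrier passed in as sync forces both threads to store their status before either builds its response, so the mix-up appears on every run rather than by scheduler luck; class and function names are assumptions for the demo.

```python
"""Shared-client race: response state stored on the client object leaks between
concurrent requests, shown beside the per-request fix.

Added example, not Okta's or Auth0's SDK code. The transport is an in-memory
stand-in and the sync hook is a test seam; both are constructed for this demo.
"""
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    path: str
    status: int
    body: str


def fake_transport(path: str) -> dict:
    # Constructed stand-in for the HTTP layer: each path returns a distinct status.
    table = {"/users/alice": (200, "alice"), "/users/missing": (404, "not found")}
    status, body = table[path]
    return {"status": status, "body": body}


class SharedStateClient:
    """Bug class: the in-flight status lives on the shared client instance."""

    def __init__(self, transport, sync=lambda: None):
        self.transport = transport
        self.sync = sync            # point where another request gets to run
        self.last_status = None     # shared by every concurrent caller

    def get(self, path: str) -> Response:
        raw = self.transport(path)
        self.last_status = raw["status"]
        self.sync()
        return Response(path, self.last_status, raw["body"])


class PerRequestClient:
    """Fix: per-request data stays in locals; the client holds only immutable config."""

    def __init__(self, transport, sync=lambda: None):
        self.transport = transport
        self.sync = sync

    def get(self, path: str) -> Response:
        raw = self.transport(path)
        status = raw["status"]
        self.sync()
        return Response(path, status, raw["body"])


def run_concurrently(client, paths):
    results = {}

    def worker(p):
        results[p] = client.get(p)

    threads = [threading.Thread(target=worker, args=(p,)) for p in paths]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo(client_cls) -> dict:
    """Run two requests through one client instance; return {path: status}."""
    paths = ["/users/alice", "/users/missing"]
    # Both threads must have stored their status before either builds its Response.
    barrier = threading.Barrier(len(paths), timeout=5)
    client = client_cls(fake_transport, sync=barrier.wait)
    return {p: r.status for p, r in run_concurrently(client, paths).items()}


if __name__ == "__main__":
    print("shared state :", demo(SharedStateClient))
    print("per request  :", demo(PerRequestClient))
```

With the shared-state client both requests report the same status, whichever thread wrote last, so one of them is wrong; with per-request locals each caller gets its own result. In an auth SDK the same pattern applied to a token or response cache is what lets one session observe another's data, which is why the fix is to keep nothing request-specific on a client that is reused across requests.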

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=qantas' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.