Australian airline Qantas says millions of customers’ data leaked online following July cyber breach
The hackers secured access to sensitive information such as customer names, e-mail addresses, phone numbers and birthdays.
SYDNEY - Australian airline Qantas said on Oct 11 that data from 5.7 million customers stolen in a major cyber attack
Disney, Google, Ikea, Toyota, McDonald's and fellow airlines Air France and KLM are also reported to have had data stolen in a cyber attack targeting software firm Salesforce, with the information now being held to ransom.
Salesforce said in October that it was “aware of recent extortion attempts by threat actors”.
Qantas confirmed in July that hackers had targeted one of its customer contact centres, breaching a computer system used by a third party now known to have been Salesforce.
They secured access to sensitive information such as customer names, e-mail addresses, phone numbers and birthdays, the blue-chip Australian company said.
No further breaches have taken place since and the company is cooperating with Australian security services.
“Qantas is one of a number of companies globally that has had data released by cyber criminals following the airline’s cyber incident in early July, where customer data was stolen via a third-party platform,” the company said in a statement.
Most of the data leaked was names, e-mail addresses and frequent flier details, the firm said.
But some of the data included customers’ “business or home address, date of birth, phone number, gender and meal preferences”.
“No credit card details, personal financial information or passport details were impacted,” Qantas said.
It also said it had obtained a legal injunction with the Supreme Court of New South Wales, where the firm is headquartered, to prevent the stolen data being “accessed, viewed, released, used, transmitted or published”.
Cyber-security expert Troy Hunt told AFP that would do little to prevent the spread of the data.
“It’s frankly ridiculous,” he said.
“It obviously doesn’t stop criminals at all anywhere, and it also really doesn’t have any effect on people outside of Australia.”
Hackers ‘laying siege’
In response to questions about the leak, tech giant Google pointed AFP to an August statement in which it said one of its corporate Salesforce servers had been targeted. It did not confirm if the data had been leaked.
“Google responded to the activity, performed an impact analysis and has completed e-mail notifications to the potentially affected businesses,” Ms Melanie Lombardi, head of Google Cloud Security Communications, said.
Cyber-security analysts have linked the hack to individuals with ties to an alliance of cyber criminals called Scattered Lapsus$ Hunters.
Research group Unit 42 said in a note the group had “asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom”.
The hackers had reportedly set an Oct 10 deadline for ransom payment.
‘Oldest tricks in the book’
The hackers stole the sensitive data using social engineering, a tactic of manipulating victims by pretending to be a company representative or other trusted person, experts said.
The Federal Bureau of Investigation in September issued a warning about such attacks targeting Salesforce.
The agency said hackers posing as IT workers had tricked customer support employees into granting them access to sensitive data.
“They have been very effective,” Mr Hunt said.
“And it hasn’t been using any sophisticated technical exploits... they have exploited really the oldest tricks in the books.”
The hack of data from Australia’s biggest airline comes as a string of major cyber attacks in the country has raised concerns about the protection of personal data.
Qantas apologised in 2024 after a glitch with its mobile app exposed some passengers’ names and travel details.
Major ports handling 40 per cent of Australia’s freight trade ground to a halt in 2023 after hackers infiltrated computers belonging to operator DP World. AFP

