Qantas Faces Data Breach as 153GB of Customer Information Leaked to Dark Web


Cybercriminals have released a staggering 153GB of alleged Qantas customer data after the airline declined to meet ransom demands. This incident marks a significant breach of customer privacy and raises concerns about the security measures in place at major corporations.

In June, hackers exploited vulnerabilities in a third-party call center, gaining unauthorized access to Qantas’ data. Following this breach, the attackers threatened to release over five million records unless the airline complied with their ransom request. The deadline for this ultimatum was set for October 10. Despite Qantas asserting that it had “legal protections in place” through an ongoing injunction to prevent the release of stolen data, the hackers proceeded to publish the records on both the dark web and the open internet on October 7.

Qantas acknowledged the breach, stating, “Qantas is one of a number of companies globally that has had data released by cybercriminals following the airline’s cyber incident in early July, where customer data was stolen via a third-party platform.” The airline had previously informed customers that the compromised data included names, email addresses, phone numbers, birth dates, and Qantas Frequent Flyer numbers. Importantly, Qantas confirmed that no credit card details, passports, personal financial information, or login credentials were part of the stolen data, asserting, “The data that was stolen is not enough to gain access to these frequent flyer accounts.”

When inquiries arose regarding the legitimacy of the leaked data or whether Qantas had paid the ransom, the airline referred to an existing statement and reiterated its collaboration with Australian government agencies, including the Australian Cyber Security Centre and the Australian Federal Police.

Implications of the Data Leak

Troy Hunt, the chief executive of the breach tracking platform Have I Been Pwned, confirmed the authenticity of the leaked data through a trusted overseas source. The initial leak occurred on a clear-web hacking forum, where users could purchase access to the data for approximately $27. Within an hour, the information was made available for free on the dark web, raising alarms about the rapid dissemination of sensitive customer data.

Hunt noted that he was able to verify his own information within the leaked dataset, stating, “They were able to relay my date of birth, my phone number… other things related to Qantas.” He expressed concern for his family, adding, “My kids are in there, and my wife is in there.” Qantas has committed to providing ongoing updates through its website and has established a 24/7 support line for identity protection services.

Broader Context: A Targeted Campaign

Qantas is not the only organization facing threats from cybercriminals. Earlier in October, the hacker collective known as Scattered Lapsus$ Hunters (SLSH) announced plans to leak data from multiple companies as part of a broader cybercriminal campaign. This group indicated that it would target 39 companies that had allegedly suffered breaches related to their use of the customer management platform Salesforce. Among the companies mentioned were major brands such as Toyota, Disney/Hulu, McDonald’s, and KFC.

The Google Threat Intelligence Group (GTIG) had previously warned that a threat actor identified as UNC6040 was specifically targeting Salesforce customers through voice phishing campaigns. Despite the threats, Salesforce maintained that its platform had not been compromised and emphasized that it would not engage with or pay any extortion demands.

When the October 10 deadline arrived, SLSH leaked data for only six of the announced victims, including Qantas, Vietnam Airlines, and Fujifilm. Following the leaks, internal disputes arose within the group, with some members criticizing SLSH for overstating the extent of their data theft.

Law Enforcement Response

As law enforcement agencies intensified their efforts against cybercriminal activities, the Federal Bureau of Investigation (FBI) reportedly seized one of SLSH’s publicly accessible websites. Despite the swift removal of initial download links for the stolen Qantas data, Hunt indicated that the information was likely already in “thousands of hands.” He remarked, “Who knows if we’ll see more stuff or not, but clearly, they do have legitimate data.”

A Declaration of War on Australian Businesses

In a striking message to its followers, SLSH declared a specific focus on Australian businesses, stating, “Our war is only with Australia. Not the Americans, not the British, not anyone else.” The group has previously claimed responsibility for the data breach of the telecommunications provider Optus and has encouraged insider attacks on Australian organizations.

A spokesperson for the Australian Federal Police (AFP) acknowledged awareness of the situation and urged Australians to remain vigilant against potential scams. The AFP advised individuals not to respond to unsolicited contact related to the data breach and encouraged reporting cybersecurity incidents through official channels.

For those affected, the implications of this breach extend beyond immediate concerns about identity theft. The incident underscores the critical need for robust cybersecurity measures and the importance of safeguarding customer data in an increasingly digital landscape.

According to reporting by ia.acs.org.au, Australians are encouraged to report cybersecurity incidents at www.cyber.gov.au/report or to call the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).
