Breach Alert: 5.7 Million Qantas Customer Records Leaked After Ransom Deadline Expires

Oct 24, 2025


The Breach: What Happened
Hackers from Scattered Lapsus$ Hunters have reportedly leaked the personal information of 5.7 million Qantas customers after a ransom deadline expired on October 11. The group represents an alliance of Scattered Spider, ShinyHunters, and Lapsus$ members—some of the most prolific cybercriminal organizations currently operating.

Scale of the Attack
The group claimed to have stolen data from 39 companies using Salesforce-based systems, affecting over one billion records worldwide. Other victims in this massive supply chain attack include Toyota, Disney, McDonald's, and HBO Max, demonstrating the devastating reach of this campaign.

The Qantas Impact
The Qantas data, believed to come from a July 2025 breach of a Salesforce-hosted customer service platform, includes names, emails, phone numbers, addresses, dates of birth, genders, frequent flyer numbers, status tiers, and points balances. While payment card information was not included, the exposed data provides criminals with everything needed for sophisticated social engineering attacks and identity theft.

Qantas is offering 24/7 support and identity protection services to affected customers, while advising them to remain vigilant against potential scams.

Why This Matters
This breach represents a perfect storm of cybersecurity failures: a supply chain attack exploiting trusted SaaS platforms, targeting multiple high-profile organizations simultaneously, and involving sophisticated threat actors who publicly leak data when ransom demands aren't met.

The Salesforce platform compromise gave attackers access to customer data from dozens of companies in a single operation. This efficiency makes third-party platforms extremely attractive targets—why hack 39 companies individually when you can compromise one shared platform?

For Qantas customers, the exposed frequent flyer data creates unique risks. Points balances and status tiers can be monetized directly through fraudulent bookings or sold to other criminals. The detailed personal information enables persuasive phishing attempts that reference actual flight history and loyalty program details.

Prevention Strategies: How to Avoid This Type of Breach
1. Implement Rigorous SaaS Security Controls
Why It Matters: This incident is part of a wider supply chain attack stemming from Drift (a Salesforce-related platform), which has impacted several major organizations. Organizations must treat SaaS platforms as critical infrastructure requiring dedicated security measures.

Action Steps:

Conduct security assessments before adopting any SaaS platform
Require SOC 2 Type II or ISO 27001 certifications from all SaaS vendors
Review and understand shared responsibility models for each platform
Implement Cloud Access Security Brokers (CASB) to monitor SaaS usage
Enable all available security features within SaaS platforms
Configure restrictive access controls and permissions
Deploy Data Loss Prevention (DLP) controls for SaaS environments
Monitor SaaS platforms for unusual activity patterns
Maintain detailed inventories of all SaaS applications and integrations
Establish processes for rapid response when vendors report security incidents

2. Minimize Data Storage in Third-Party Systems
Why It Matters: You can't lose data you don't store. Organizations often upload excessive customer information to SaaS platforms without carefully evaluating the necessity.

Action Steps:

Conduct data minimization reviews for all SaaS platforms
Question whether each data element must be uploaded to third-party systems
Implement data classification schemes to identify sensitive information
Avoid storing highly sensitive data in SaaS platforms when possible
Use tokenization to replace sensitive data with non-sensitive equivalents
Implement field-level encryption for data that must be stored externally
Establish retention policies and automatically purge old data
Anonymize or pseudonymize data used for analytics and reporting
Create separate customer service systems for less sensitive interactions
Document business justification for every data element stored externally

3. Deploy Multi-Layered Access Controls
Why It Matters: Supply chain attacks often succeed by compromising legitimate credentials. Additional authentication layers can prevent unauthorized access even when credentials are stolen.

Action Steps:

Require multi-factor authentication (MFA) for all SaaS platform access
Use hardware tokens or FIDO2 keys for administrative accounts
Implement conditional access policies based on device, location, and behavior
Deploy privileged access management (PAM) for admin credentials
Use separate authentication systems for different business-critical platforms
Implement just-in-time (JIT) access for temporary elevated permissions
Monitor authentication logs for anomalous patterns
Apply the principle of least privilege for all SaaS user accounts
Regularly audit user permissions and remove unnecessary access
Require re-authentication for sensitive operations within SaaS platforms

4. Establish Comprehensive Vendor Risk Management
Why It Matters: The group claimed to have stolen data from 39 companies using Salesforce-based systems, showing how vendor compromises can affect hundreds of downstream customers simultaneously.

Action Steps:

Create formal third-party risk assessment programs
Evaluate vendor security posture before contract signing
Include security requirements in vendor contracts and SLAs
Require vendors to notify you of security incidents within defined timeframes
Mandate regular security audits and penetration testing from vendors
Ask vendors to document their incident response capabilities
Understand the vendor's own third-party dependencies (fourth parties)
Monitor vendor security ratings through third-party services
Participate in vendor security reviews and audits when offered
Establish contingency plans for vendor compromise scenarios
Maintain relationships with vendor account teams for rapid communication

5. Implement Continuous Monitoring and Anomaly Detection
Why It Matters: The Qantas breach stemmed from a July 2025 incident, but data wasn't leaked until October. Early detection could have enabled faster response and mitigation.

Action Steps:

Deploy Cloud Access Security Brokers (CASB) for SaaS activity monitoring
Implement User and Entity Behavior Analytics (UEBA) for SaaS platforms
Monitor for unusual data access patterns (volume, timing, location)
Set alerts for bulk data exports or unusual API activity
Track failed authentication attempts and privilege escalations
Monitor for new integrations or API connections to SaaS platforms
Deploy Security Information and Event Management (SIEM) integration
Establish baselines for normal SaaS platform usage
Create automated responses to suspicious activities
Conduct regular threat hunting in SaaS environments
Review SaaS audit logs at least weekly for anomalies
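
As an added illustration of the baselining, bulk-export, new-integration and off-hours checks listed above (example code written for this article, not Qantas or Salesforce tooling; the audit-event field names, action names and thresholds are assumptions), a small Python detector run over constructed SaaS audit events:

```python
from collections import defaultdict
from datetime import datetime

# Constructed SaaS audit events in a generic shape (assumed field names, not a real
# Salesforce Event Monitoring export): actor, API client/integration, action,
# customer records touched, and timestamp.
HISTORY = [
    {"user": "agent01", "client": "ServiceConsole", "action": "RecordView", "records": 40, "ts": "2025-06-30T09:00:00"},
    {"user": "agent01", "client": "ServiceConsole", "action": "RecordView", "records": 55, "ts": "2025-07-01T10:00:00"},
    {"user": "agent01", "client": "ServiceConsole", "action": "ReportExport", "records": 200, "ts": "2025-07-01T16:00:00"},
    {"user": "agent01", "client": "ServiceConsole", "action": "RecordView", "records": 48, "ts": "2025-07-02T11:00:00"},
]
TODAY = [
    {"user": "agent01", "client": "ServiceConsole", "action": "RecordView", "records": 50, "ts": "2025-07-03T09:30:00"},
    # A never-seen integration pulling far more than this user's daily norm, at 02:14.
    {"user": "agent01", "client": "bulk-sync-app", "action": "BulkApiQuery", "records": 120000, "ts": "2025-07-03T02:14:00"},
]
EXPORT_ACTIONS = {"ReportExport", "BulkApiQuery", "ApiQuery"}  # actions that move data out


def daily_baseline(events):
    """Mean customer records touched per active day, per user, from historical events."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_day[e["user"]][datetime.fromisoformat(e["ts"]).date()] += e["records"]
    return {user: sum(days.values()) / len(days) for user, days in per_day.items()}


def known_clients(events):
    """API clients / integrations each user has been seen with before."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["client"])
    return seen


def detect(history, events, volume_factor=10, off_hours=(22, 6)):
    """Return (rule, user, client, records) alerts for the events under review."""
    baseline, clients, alerts = daily_baseline(history), known_clients(history), []
    for e in events:
        norm = max(baseline.get(e["user"], 0), 1)  # avoid a zero baseline
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["action"] in EXPORT_ACTIONS and e["records"] > volume_factor * norm:
            alerts.append(("bulk_export", e["user"], e["client"], e["records"]))
        if e["client"] not in clients.get(e["user"], set()):
            alerts.append(("new_integration", e["user"], e["client"], e["records"]))
        if hour >= off_hours[0] or hour < off_hours[1]:
            alerts.append(("off_hours", e["user"], e["client"], e["records"]))
    return alerts
```

Against the constructed data, the normal console activity produces nothing, while the unknown integration's 02:14 bulk query trips all three rules and is the event a SIEM or CASB should escalate.
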
6. Develop Supply Chain Incident Response Plans
Why It Matters: When vendor breaches occur, organizations need rapid response capabilities to protect customers and operations.

Action Steps:

Create specific incident response playbooks for vendor compromises
Define roles and responsibilities for supply chain incidents
Establish communication protocols with vendors, customers, and regulators
Maintain updated contact lists for emergency coordination
Pre-draft notification templates for various breach scenarios
Conduct tabletop exercises simulating vendor breach scenarios
Define decision criteria for customer notifications
Establish processes for rapid credential rotation when vendors are compromised
Document data flows to understand which systems are affected by vendor breaches
Create legal and regulatory compliance checklists for breach response
Test vendor communication channels before incidents occur

7. Protect Customer Loyalty Programs
Why It Matters: Frequent flyer programs and loyalty accounts contain both valuable points/miles and detailed customer behavior data that criminals can monetize or exploit.

Action Steps:

Implement strong authentication for loyalty program access
Require MFA for all loyalty account logins, especially for redemptions
Monitor loyalty accounts for unusual activity (location changes, redemption patterns)
Set alerts for large point redemptions or suspicious bookings
Implement fraud detection systems specifically for loyalty programs
Allow customers to lock/freeze their loyalty accounts
Create notification systems for all loyalty program transactions
Implement velocity checks on point redemptions
Require additional authentication for high-value redemptions
Educate customers about loyalty program fraud risks
Offer enhanced security options for high-value loyalty members
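
An added example of the velocity-check, step-up authentication and account-freeze rules listed above, written for this post rather than taken from any airline's loyalty system; the policy thresholds, window length and account fields are assumptions:

```python
from datetime import datetime, timedelta

# Constructed loyalty account with two recent redemptions (sample values, not real data).
ACCOUNT = {
    "locked": False,  # customer-initiated freeze
    "history": [
        {"points": 15000, "ts": "2025-10-12T08:10:00", "country": "AU"},
        {"points": 20000, "ts": "2025-10-12T08:25:00", "country": "AU"},
    ],
}

# Assumed policy thresholds; tune to the programme's own redemption profile.
POLICY = {
    "window_hours": 24,       # velocity window
    "max_redemptions": 3,     # redemptions allowed per window
    "max_points": 60000,      # points allowed per window
    "step_up_points": 25000,  # a single redemption at/above this needs re-authentication
}


def evaluate_redemption(account, request, policy=POLICY, mfa_verified=False):
    """Return (decision, reasons): decision is 'allow', 'step_up' or 'block'."""
    if account["locked"]:
        return "block", ["account_locked"]
    req_ts = datetime.fromisoformat(request["ts"])
    window_start = req_ts - timedelta(hours=policy["window_hours"])
    recent = [r for r in account["history"] if datetime.fromisoformat(r["ts"]) > window_start]
    count = len(recent) + 1
    points = sum(r["points"] for r in recent) + request["points"]
    reasons = []
    if count > policy["max_redemptions"]:
        reasons.append("redemption_count_exceeded")
    if points > policy["max_points"]:
        reasons.append("points_velocity_exceeded")
    if request["points"] >= policy["step_up_points"]:
        reasons.append("high_value_redemption")
    if recent and request["country"] != recent[-1]["country"]:
        reasons.append("country_change")
    # Hard velocity limits block outright; softer risk signals demand a fresh MFA step.
    if any(r.endswith("_exceeded") for r in reasons):
        return "block", reasons
    if reasons and not mfa_verified:
        return "step_up", reasons
    return "allow", reasons
```
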
8. Enhance Customer Communication and Protection
Why It Matters: Qantas is offering 24/7 support and identity protection services to affected customers, while advising them to remain vigilant against potential scams. Rapid, transparent communication helps customers protect themselves.

Action Steps:

Notify affected customers promptly when breaches are discovered
Provide specific details about what data was compromised
Offer complimentary identity monitoring and protection services
Create dedicated support channels for breach-related questions
Provide clear guidance on protective measures customers should take
Warn customers about likely follow-on phishing and social engineering attempts
Establish fraud monitoring for affected customer accounts
Be transparent about the incident timeline and response actions
Avoid minimizing the incident or providing false reassurance
Maintain communication with customers throughout the investigation
Consider compensation for affected customers beyond legal requirements

9. Implement Data Backup and Recovery Capabilities
Why It Matters: While this breach involved data theft rather than destruction, having robust backup and recovery capabilities is essential for all scenarios.

Action Steps:

Maintain offline, immutable backups of critical customer data
Test backup restoration procedures regularly
Store backups separately from production SaaS environments
Encrypt all backup data with strong encryption
Implement versioning to recover from data corruption
Document backup and recovery procedures thoroughly
Establish recovery time objectives (RTO) for critical systems
Maintain the capability to operate without compromised SaaS platforms
Create manual fallback procedures for critical business functions
Test the complete system recovery from backups annually

10. Educate Employees and Customers
Why It Matters: Human awareness and behavior are critical defenses against both initial breaches and follow-on attacks using stolen data.

Action Steps:

Conduct regular security awareness training for all employees
Specifically train staff on supply chain and third-party risks
Educate employees about social engineering tactics
Test employees with simulated phishing attempts
Create security champions within business units
Develop customer education programs about account security
Warn customers about common scams following data breaches
Provide resources on recognizing phishing attempts
Encourage customers to enable all available security features
Create clear channels for reporting suspicious activity
Maintain ongoing security communication, not just during incidents
Special Considerations for Airlines and Travel Companies
Airlines and travel organizations face unique challenges regarding customer data protection:

Regulatory Complexity
Airlines operate globally and must comply with data protection regulations in multiple jurisdictions (GDPR, CCPA, Australian Privacy Act, etc.). Breaches trigger reporting requirements across numerous regulators.

High-Value Loyalty Programs
Frequent flyer points and elite status have real monetary value, making loyalty accounts attractive targets. Enhanced security measures are essential for these programs.

Operational Sensitivity
Travel companies can't afford extended system downtime. Security measures must protect data while maintaining operational efficiency and customer experience.

Booking and Payment Data
While payment card data wasn't exposed in this breach, travel companies routinely handle financial information requiring PCI DSS compliance and enhanced protection.

Third-Party Ecosystem
Airlines rely on numerous partners (booking systems, baggage handlers, catering services, etc.), each representing potential attack vectors requiring vendor risk management.

Key Takeaways
The Qantas breach through the Salesforce platform compromise provides crucial lessons for all organizations using SaaS platforms:

SaaS platforms are shared infrastructure - One compromise affects multiple downstream customers
Sophisticated threat actors target platforms strategically - Why hack one company when you can hack the platform serving hundreds?
Third-party breaches become your crisis - Vendor security failures create customer notification obligations and reputational damage
Loyalty program data has real value - Points, status, and behavior data can be directly monetized by criminals
Supply chain attacks are the new normal - Organizations must implement defenses assuming vendor compromises will occur

The Bottom Line: You cannot outsource security responsibility to SaaS vendors. While platforms like Salesforce invest heavily in security, they are high-value targets facing constant attacks. Organizations must implement their own security controls, minimize data exposure, monitor for anomalies, and maintain incident response capabilities for vendor compromises.

The 5.7 million affected Qantas customers learned this lesson the hard way. The airline's choice to store extensive customer data in a third-party platform created cascading risks when that platform was compromised. Now affected customers face years of elevated fraud risk and identity theft potential.

Immediate Actions Every Organization Should Take:

Audit all SaaS platforms and identify what customer data each stores
Review and minimize data uploaded to third-party systems
Enable MFA on all SaaS administrative accounts immediately
Implement Cloud Access Security Brokers (CASB) for SaaS monitoring
Test your incident response plan for vendor breach scenarios this week
Review vendor contracts to ensure adequate security requirements and breach notification clauses

Don't wait for your vendor's breach to become your crisis. Implement these defenses today—your customers' data depends on it.

When you trust your data to third parties, you're trusting their security too. Make sure that trust is backed by strong contractual requirements, continuous monitoring, and defense-in-depth.