Millions of Qantas passengers have data leaked online after hackers publish personal details



By Ed Griffiths


Published: 12/10/2025 - 10:52

Financial details, credit card information and passport numbers were not compromised in the Qantas breach

Personal information belonging to five million Qantas travellers has been exposed on the dark web following a ransomware attack, with cybercriminals releasing the data after their payment demands went unmet.

The criminal group Scattered Lapsus$ Hunters published the stolen records on Saturday, labelling them "leaked" and posting a message that read: "Don't be the next headline, should have paid the ransom."


The compromised information includes email addresses, telephone numbers, dates of birth and frequent flyer account numbers from the Australian carrier's customer database.

The breach is part of a wider cyberattack that has impacted 44 organisations worldwide, potentially affecting up to a billion customer records.

The data theft happened when hackers infiltrated a Salesforce database in June, though the broader campaign spanned from April 2024 to September 2025.

Financial details, credit card information and passport numbers were not compromised in the Qantas breach, though other affected companies saw passport data exposed.

Jeremy Kirk from cyber threat intelligence firm Intel 471 identified the perpetrators as an established criminal collective with members operating from nations including America, Britain and Australia.

He said: "This particular group is not a new threat; they've been around for some time."


He added: "But they're very skilled in knowing how companies have connected different systems together."

Major international brands, including Gap, Vietnam Airlines, Toyota, Disney, McDonald's, Ikea and Adidas, were among the organisations targeted in the massive data theft.

Mr Kirk warned that whilst financial information remained secure, criminals could exploit the leaked personal details to fraudulently open credit accounts, and cautioned that sophisticated threat actors increasingly craft personalised phishing messages using stolen data.

He said: "These days, a lot of threat groups are now generating personalised phishing emails."


Mr Kirk added: "They're getting better and better at this and these types of breaches help sort of fuel that economy, that underground fraudster economy."

Qantas has established a round-the-clock support service and specialist identity protection guidance for impacted customers.

"We continue to offer a 24/7 support line and specialist identity protection advice to affected customers," a company representative stated.

The airline secured a permanent court order from the NSW Supreme Court in July, prohibiting unauthorised parties from accessing, viewing, distributing or publishing the stolen information.


Salesforce confirmed it would refuse any extortion attempts, with a spokesman declaring: "We will not engage, negotiate with, or pay any extortion demand."

The company maintained that its platform remained uncompromised and that it continues to collaborate with affected clients to assist.

A Qantas spokesman said: "With the help of specialist cyber security experts, we are investigating what data was part of the release.

"We have also put in place additional security measures, increased training across our teams and strengthened system monitoring and detection since the [mid-year] incident occurred."
