Qantas is once again battling the fallout from the major cyber attack it suffered in June, as hackers behind the incident threaten to publish millions of customer records unless their ransom demands are met, a development now drawing scrutiny from insurers and corporate risk managers alike.
A collective calling itself Scattered Lapsus$ Hunters has posted samples of the stolen data on the dark web, warning it will release the full cache this Friday unless software giant Salesforce, whose systems were involved, pays a ransom. The airline’s breach has exposed personal information of roughly 5.7 million customers, taken from a database used by its Manila call centre.
While financial information was not compromised, the leaked details including names, dates of birth, contact information and frequent flyer numbers have triggered a wave of phishing attempts and refund scams targeting Qantas customers.
The airline, which secured a Supreme Court injunction in New South Wales to block publication or sharing of the data, continues to coordinate its response with the Australian Cyber Security Centre and other government agencies.
“Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities,” a Qantas spokeswoman said. “We continue to offer a 24/7 support line and specialist identity protection advice to affected customers. We have also put in place additional security measures, increased training across our teams, and strengthened system monitoring and detection since the incident occurred.”
Salesforce, whose cloud platform underpins Qantas’s customer database, confirmed it had been the target of recent extortion attempts but said it would not yield to the hackers’ demands.
“The company would not engage, negotiate with, or pay any extortion demand,” a Salesforce spokesman said. “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”
Cyber researchers remain cautious about verifying the group’s claims.
Aiden Sinnott, from Sophos Counter Threat Unit, told The Australian much of the material released by the group could not yet be authenticated.
“It is hard to predict what will happen on the 10th,” Mr Sinnott said. “They aren’t averse to leaking huge amounts of data, so if they do have Qantas data I wouldn’t be surprised if they leaked it.”
The Qantas breach has also become a governance test case for corporate Australia.
In an acknowledgment of the breach’s gravity, the airline’s board imposed a 15 per cent reduction in short-term bonuses for senior executives in the 2025 financial year, a cut that cost chief executive Vanessa Hudson about $250,000, bringing her total remuneration to $6.3 million.
The move aligns with a broader shift among listed companies to link executive incentives to cyber resilience, a development underwriters and brokers are watching closely.
For insurers, the combination of reputational damage, privacy exposure and potential regulatory scrutiny reinforces the growing intersection between cyber governance and directors’ liability.
Legal consequences are also building. Class action firm Maurice Blackburn has lodged a complaint with the Office of the Australian Information Commissioner, the first step toward a possible privacy-related suit against Qantas.
Read more: Cyber claim costs rising for SMEs in ANZ
While Qantas has not offered direct compensation, it granted frequent flyers 40 status credits in August following its $2.39 billion annual profit announcement, a gesture seen as an attempt to restore goodwill among its most loyal customers.
The case underscores a widening threat landscape for Australian corporates.
As hackers increasingly target cloud-based vendors like Salesforce, insurers are warning that aggregation risk, where multiple clients are exposed through a single technology provider, may become a defining challenge for the cyber market.
Read more: We’ve lost 40,000 cars somewhere - Jaguar
For Qantas, the immediate focus remains on containment. But for insurers, brokers and corporate risk teams, the breach serves as another reminder that cyber resilience is no longer just an IT concern; it is a boardroom imperative.
