Salesforce Breach Exposes Qantas Data

Salesforce Breach Ripples Across Global Enterprises as Millions of Customer Records Leak

Australian airline Qantas confirmed that sensitive data from 5.7 million customers stolen in a July cyberattack has been leaked online, marking one of the most significant supply chain breaches of 2025. The attack, which targeted software giant Salesforce's customer relationship management platform, has affected dozens of high-profile companies including Disney, Google, IKEA, Toyota, McDonald's, Air France, and KLM.

The Anatomy of a Supply Chain Compromise

The breach originated when hackers successfully infiltrated Salesforce systems using sophisticated social engineering techniques, posing as IT support personnel to manipulate customer service employees into granting unauthorized access. This human-centric attack vector bypassed technical security controls entirely, exploiting trust relationships rather than software vulnerabilities.

Cybersecurity research group Unit 42 has linked the attack to Scattered Lapsus$ Hunters, an alliance of cybercriminals known for coordinated data theft and ransomware operations. The group reportedly set an October 10 deadline for ransom payment before publicly releasing the stolen data, demonstrating their evolving extortion tactics that combine data exfiltration with public exposure threats.

Qantas Data Exposure Details

Qantas disclosed that the breach compromised multiple categories of customer information stored in third-party Salesforce systems. The majority of exposed data includes customer names, email addresses, phone numbers, and frequent flyer program details. However, a subset of records also contained more sensitive information such as home and business addresses, dates of birth, gender preferences, and meal selections.

The airline emphasized that no credit card details, financial information, or passport data was compromised. The company has since obtained a legal injunction from the Supreme Court of New South Wales to prevent further distribution of the stolen data, though cybersecurity experts question the practical effectiveness of such measures.

“It's frankly ridiculous,” said cybersecurity expert Troy Hunt. “It obviously doesn't stop criminals at all anywhere, and it also really doesn't have any effect on people outside of Australia.” His assessment highlights the jurisdictional limitations of legal remedies when dealing with transnational cybercrime.

Social Engineering: The Weakest Link Exploited

The FBI issued warnings last month specifically addressing the social engineering techniques employed in these Salesforce attacks. Threat actors successfully impersonated company representatives to deceive customer support staff, gaining access to backend systems without exploiting any technical vulnerabilities.

“They have been very effective,” Hunt noted. “And it hasn't been using any sophisticated technical exploits... they have exploited really the oldest tricks in the books.” This observation underscores a persistent security challenge: even organizations with robust technical defenses remain vulnerable to human manipulation.

The attack methodology involves threat actors conducting reconnaissance on target organizations, identifying appropriate personnel to contact, and crafting convincing pretexts that leverage social norms and organizational trust. By exploiting help desk protocols designed for customer assistance, attackers turned legitimate support channels into security vulnerabilities.

Global Corporate Impact

While Qantas represents the most significant confirmed data exposure, the breach's scope extends across multiple industries and geographic regions. Tech giant Google acknowledged in August that one of its corporate Salesforce servers had been targeted, though the company has not confirmed whether data was ultimately leaked. Google completed impact analysis and notified potentially affected business customers following the incident.

Salesforce confirmed awareness of “recent extortion attempts by threat actors” but provided limited details about the breach's technical specifics or the number of affected clients. The company's measured response reflects the delicate balance between transparency obligations and protecting ongoing security investigations.

Australia's Growing Cybersecurity Crisis

The Qantas breach represents the latest in a series of high-profile cyberattacks affecting Australian critical infrastructure and major corporations. In 2023, major ports handling 40 percent of Australia's freight trade were paralyzed after hackers infiltrated DP World's computer systems. Qantas itself faced a separate security incident when a mobile app glitch exposed passenger names and travel details to unauthorized users.

These recurring incidents have intensified scrutiny of data protection practices across Australian industry sectors, prompting calls for stronger regulatory frameworks and enhanced security requirements for organizations handling sensitive customer information.

Lessons for Enterprise Security

The Salesforce supply chain attack demonstrates several critical security principles that organizations must prioritize. First, third-party vendor relationships create expanded attack surfaces that require continuous monitoring and assessment. Second, social engineering remains a persistent threat vector that cannot be addressed through technical controls alone, demanding comprehensive security awareness training.

Third, the interconnected nature of modern business systems means a single compromise can cascade across multiple organizations, multiplying its impact. Organizations must implement zero-trust architectures that verify every access request regardless of apparent legitimacy.

As Scattered Lapsus$ Hunters and similar threat groups continue refining their tactics, the incident serves as a stark reminder that cybersecurity's weakest link often remains the human element—and that even the “oldest tricks in the book” can prove devastatingly effective when executed skillfully.