
Australia's Qantas Airways confirmed on Sunday, October 12, that hackers released stolen customer data months after a cyber breach in July.
The airline revealed that personal information of millions of customers was stolen and later published by cybercriminals.
In July, Qantas disclosed that hackers accessed a database containing sensitive customer details.
Over one million customers had personal data such as phone numbers, birth dates, and home addresses taken.
Another four million had their names and email addresses stolen in what became one of Australia's largest cyber breaches in recent years.
According to Reuters, this breach followed other major attacks in Australia, like the 2022 hacks of telecommunications giant Optus and health insurer Medibank, which led to new cyber resilience laws in the country.
Qantas said in its Sunday statement, "We are one of a number of companies globally that has had data released by cyber criminals following the airline's cyber incident in early July, where customer data was stolen via a third party platform."
The airline is working with cyber security experts to investigate exactly which data was leaked.
The hacker group known as Scattered Lapsus$ Hunters is believed to be behind the release, which came after the group's ransom deadline passed, according to Guardian Australia.
Qantas Breach Tied to Third-Party Call Center
Qantas also explained that the breach targeted a call center that used a third-party customer service platform but did not reveal the name of the platform or other affected companies.
Most of the stolen records included names, email addresses, and frequent flyer details. A smaller portion of the data included home or business addresses, birth dates, phone numbers, genders, and meal preferences.
The airline assured customers that no further breaches had occurred and that it was cooperating with Australian security agencies.
It also obtained a court injunction to prevent the stolen data from being "accessed, viewed, released, used, transmitted or published" by anyone, including third parties.
However, cybersecurity expert Troy Hunt expressed doubts about the effectiveness of such injunctions.
He said, "It's completely useless," noting that similar court orders in Australia and the UK had been ignored by criminals, the NY Times reported.
This incident adds to a troubling trend of cyberattacks affecting millions of Australians.
In 2022, Optus experienced a breach affecting nearly 9.8 million customers, while Medibank reported a hack exposing 9.7 million policyholders' data, including medical claims. In 2024, another attack hit MediSecure, impacting around 13 million people.
The Office of the Australian Information Commissioner reported 1,113 data breaches in 2024—the highest number since mandatory reporting began in 2018—showing a 25% increase from the previous year.