
On 8 October 2025, reports surfaced that Qantas was among nearly 40 global companies targeted in a major extortion campaign by hacker collective Scattered Lapsus$ Hunters. The attackers claimed to have stolen up to 1 billion records from customers and employees of companies using the cloud‑software firm Salesforce.
In this blog we’ll explore the key lessons from this incident, and map out how ANP Technology’s cybersecurity services can help organisations avoid becoming the next target.
What happened?
Here are the key facts from the incident:
- The hacker group claimed to have stolen vast amounts of customer and employee data from about 40 major firms between April 2024 and September 2025.
- Qantas publicly confirmed it was on the list of affected companies, and had obtained a court injunction to prevent the release of stolen data.
- In Qantas’s case the breach appears to have stemmed from a compromised third‑party contact centre in Manila, exploited via social engineering (“vishing”) rather than a direct software vulnerability in Salesforce.
- The data reportedly included names, email addresses, phone numbers, dates of birth, frequent flyer numbers — though not (in Qantas’s case) credit card or passport numbers.
- The hackers demanded a ransom, threatening to publish the data unless payment negotiations began by a set deadline.
- Affected organisations still face serious risk: even without direct financial data stolen, personal data is highly valuable for phishing, identity fraud and impersonation.
Key take‑aways for businesses
1. It’s not just about the software vulnerabilities
Although the campaign invoked Salesforce, the root cause appears to be the attackers’ heavy reliance on social engineering and third‑party access rather than a pure software breach.
Lesson for you: Cybersecurity needs to cover human behaviour, vendor ecosystems, third‑party risk, access controls — not just patching systems.
2. Third‑party and supply‑chain risk is real
The attack vector may have been a call centre vendor or contact‑centre provider. Organisations often outsource or integrate with external suppliers and assume risk is managed. The Qantas case shows it may not be.
Lesson: Vendor due diligence, contract clauses and continuous monitoring of third parties are crucial.
3. Data exposure is expensive (even if no financial data)
Even where credit or passport info wasn’t exposed, names, phone numbers, email addresses and birthdates are gold for attackers. They fuel phishing, impersonation and fraud.
Lesson: Think of data classification and assume even “non‑financial” personal data has a risk.
4. Prevention + detection + response = good posture
Qantas took steps post‑incident: legal injunction, customer support, increased monitoring & training. But ideally, we want to move from “reaction” to “preparedness”.
Lesson: Prepare incident‑response plans, tested backups, segmentation, monitoring of abnormal activity.
5. The extortion threat is growing
Large hacker groups now coordinate to target many organisations through shared SaaS platforms, cloud integrations and vendor linkages. Paying a ransom is no guarantee.
Lesson: Don’t assume “we’re too small” or “we don’t store financial data so we’re safe”.
—
The Qantas extortion attempt is a stark reminder: large, respected organisations can fall victim — and it doesn’t always require a flashy zero‑day exploit.
By taking a holistic approach — people, process, technology, vendors — and partnering with a strong cybersecurity provider like ANP Technology, your organisation can shift from being the next headline to being the next example of resilience. Contact us for details.



