Deadline passes on ransom to stop 5.7m Qantas customer records being leaked

The personal data of 5.7 million Qantas customers has reportedly been leaked on the dark web by a hacker group after a ransom deadline lapsed.

Notorious cyberhacker group Scattered Lapsus$ Hunters claimed to have stolen a cache of personal customer records from 39 major companies who stored data with software giant Salesforce, after they targeted the software company between April 2024 and September 2025.

More than a billion records have been stolen from the 39 companies, including the Qantas Frequent Flyers program, Toyota, Disney, McDonalds, and HBO Max.

The hackers gave Salesforce until October 11 11:59pm New York time – or 3pm AEST – to pay a ransom to the group in order to stop the leak.

Guardian Australia reports the group leaked the Qantas-related data on Saturday, with an accompanying note: “Don’t be the next headline, should have paid the ransom.”

It is understood Qantas is investigating dark web channels to verify if customer records have been leaked.

Details compromised by a July attack on a Qantas customer service platform provided by Salesforce included names, phone numbers, addresses, emails, birthdates, gender, frequent flyer numbers, points balances and status tiers.

On Wednesday Salesforce ruled out paying any ransom or negotiating with the group.

A dark web site associated with hacking group has posted repeated threats to “publicly disclose (Salesforce) data if no contact is established”.

“If Salesforce does not engage with us to resolve this, we will completely target each and every individual customer of theirs listed below,” the site reportedly said.

“Failure to comply will result in massive consequences … Don’t be the next headline, make the correct decision and reach out.”

The dark net website used to post these messages has since been seized by the FBI.

Scattered Lapsus$ Hunters responded to the raid on encrypted messaging platform Telegram

“Seizing a domain does not really affect our operations FBI … try harder ;),” the group reportedly posted.

Qantas has a Supreme Court injunction preventing the release or publication of the data but the airline will not be able to stop criminal groups from posting the information on the dark web.

In a statement made on October 2, Salesforce said it was aware of “recent extortion attempts by threat actors” that were under investigation by external experts and authorities.

“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” the statement read.

“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”

With the ransom deadline looming, Qantas has offered a 24/7 support line and specialist identity protection advice to affected customers.

“Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities following our cyber incident in early July,” a Qantas spokesperson said.