Full Report
In July, DataBreaches reported that Qantas had obtained a preliminary injunction prohibiting the publication of any customer data stolen from it in a cyberattack by “persons unknown.” Those defendants were served with the injunction via email and online means. Although Qantas did not reveal who signed the ransom note, ShinyHunters and Scattered Spider didn’t hesitate...
Analysis Summary
# Incident Report: Qantas Airways Data Breach and Injunction Saga
## Executive Summary
Qantas Airways suffered a significant data breach affecting 5.7 million customer accounts, reportedly originating from an attack on one of its call centers. Threat actors, potentially associated with ShinyHunters and Scattered Spider, exfiltrated over 153 GB of PII. Qantas responded by obtaining a preliminary and then a permanent injunction to prevent the data's public release, and additionally secured a non-publication order over the names of its legal counsel because of fears of retribution. Despite these legal actions, the threat actors publicly mocked the injunctions and listed Qantas on a new leak site, demonstrating the limitations of court orders against actors operating outside the court's jurisdiction.
## Incident Details
- Discovery Date: Not explicitly stated, but legal action reported in July 2025 and October 2025 updates.
- Incident Date: Cyber attack occurred in June 2025 (based on subsequent reporting reference).
- Affected Organization: Qantas Airways
- Sector: Airline/Travel
- Geography: Australia (NSW Supreme Court involved)
## Timeline of Events
### Initial Access
- Date/Time: Occurred in June 2025.
- Vector: Not specified beyond the attack having targeted one of Qantas Airways' call centers.
- Details: Led to the compromise of 5.7 million customer accounts.
### Lateral Movement
- Details: Not described in the source.
### Data Exfiltration/Impact
- Date/Time: Prior to July 2025.
- Details: Theft of 153 GB of data containing PII from over 5 million records, including Full Name, Email Address, Phone Number, Residence Addresses, Date of Birth, and Frequent Flyer Numbers.
### Detection & Response
- **July 2025:** Qantas obtains a *preliminary injunction* in the NSW Supreme Court prohibiting the publication of the stolen data. Defendants were served via email/online means.
- **Post-July 2025:** Threat actors (ShinyHunters/Scattered Spider) ignore the injunction and publish the court filing documents showing Qantas's injunction request on Telegram.
- **October 3, 2025 (Approx.):** Qantas obtains a *permanent injunction* barring data release and secures a six-month non-publication order over the names of their acting solicitors/counsel due to fears of retribution.
- **October 4, 2025 (Approx.):** Threat actors ("Scattered LAPSUS$ Hunters") debut a leak site, listing Qantas among 39 targets whose data will be released if demands related to a separate Salesforce issue are not met by October 10.
## Attack Methodology
- Initial Access: Not specified; the source states only that the attack targeted a call center environment.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified. The actors' disregard for the injunction is not defense evasion in the technical sense; it reflects that they operate outside the court's reach.
- Credential Access: Not specified. Use of call center credentials or system access to reach customer records is the most plausible path, but this is an inference, not a reported fact.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: 153 GB of PII covering 5.7 million customer accounts (name, email address, phone number, residential address, date of birth, Frequent Flyer number).
- Exfiltration: Data was successfully transferred out of the Qantas environment; the method is not specified.
- Impact: Exposure of sensitive personal information belonging to millions of customers, plus an ongoing extortion threat via the actors' leak site.
## Impact Assessment
- Financial: Not specified, but costs associated with securing injunctions and managing the breach response would be incurred.
- Data Breach: 153 GB of data, 5.7 million customer records compromised. Including PII such as Name, Email, Phone, Address, DOB, and Frequent Flyer Numbers.
- Operational: Not reported; the source focuses on the data exposure and the legal proceedings rather than on service disruption.
- Reputational: Significant negative reporting related to the breach size and the public legal battle involving injunctions.
## Indicators of Compromise
- **Network indicators:** None specified in the source.
- **File indicators:** None specified. The 153 GB stolen dataset is the impact of the breach, not an indicator of compromise.
- **Behavioral indicators:** None in the technical sense. Reported actor behavior: ignoring court injunctions, publishing the court filings on Telegram, and establishing a publicized leak site with a payment deadline.
## Response Actions
- **Containment measures:** Not detailed in the source; containment must have preceded the July 2025 legal action, but nothing is reported about it.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Not detailed. The reported response is legal rather than technical: a preliminary injunction in July 2025, escalated to a permanent injunction with a non-publication order over counsel's names in October 2025. These measures restrict publication within the court's jurisdiction; they do not recover the data or restore systems.
## Lessons Learned
- **Key takeaway:** Legal injunctions can constrain domestic publication and give the organization a basis for takedown requests, but they have little effect on extortion actors who operate outside the court's jurisdiction and who treat the filing itself as material to publicize.
- **What could have been done better:** Early detection and prevention of the initial breach are paramount; legal remedies only address the fallout of exposure, not the compromise itself. The later non-publication order over counsel's names shows that the risk of retaliation against the people handling the response was not anticipated when the first injunction was sought.
## Recommendations
- Implement phishing-resistant multi-factor authentication (MFA) across all call center access points, enforce least-privilege access to systems holding PII, and alert on bulk or unusually rapid customer-record lookups by a single agent account.
- Review data retention policies to minimize the volume of sensitive PII stored and reachable from call center tooling.
- Enhance legal preparedness: Develop clear protocols for immediate engagement with international legal counsel upon discovery of PII exfiltration, acknowledging that public legal maneuvers may provoke threat actors.
- Audit third-party/vendor risk if the call center operation involved external entities.
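The lessons-learned and recommendations sections above stress early detection and controls on call center access to customer records. The following is an added example, not code from the original report or from Qantas, of one detection that would apply: a sliding-window count of distinct customer records opened by each agent account, which separates an agent working calls (a handful of customers revisited) from an account being used to enumerate the customer database. The log format, agent and customer identifiers, thresholds and log lines are all constructed for illustration.

```python
"""Volume-based detection of bulk customer-record access from call center logs.

Added example (not from the original report). Assumes a hypothetical log
format, one line per event:

    <ISO-8601 timestamp> <agent_id> <action> <customer_id>

The sample log below is constructed; it is not real Qantas data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
# An agent handling calls rarely opens more than a few distinct accounts in
# ten minutes; the threshold is an assumption to be tuned per environment.
MAX_DISTINCT_CUSTOMERS = 20


def parse_line(line):
    """Split one log line into (timestamp, agent_id, action, customer_id)."""
    ts, agent, action, customer = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), agent, action, customer


def detect_bulk_access(lines, window=WINDOW, max_distinct=MAX_DISTINCT_CUSTOMERS):
    """Return one alert per agent the first time the number of distinct
    customers they looked up inside `window` exceeds `max_distinct`.

    Repeated views of the same customer (normal during a call) do not count
    towards the threshold; only distinct customer ids do.
    """
    recent = defaultdict(deque)   # agent_id -> deque of (timestamp, customer_id) in window
    alerted = set()
    alerts = []
    for line in lines:
        ts, agent, action, customer = parse_line(line)
        if action != "lookup":
            continue
        q = recent[agent]
        q.append((ts, customer))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_distinct and agent not in alerted:
            alerted.add(agent)
            alerts.append({
                "agent": agent,
                "at": ts.isoformat(),
                "distinct_customers": len(distinct),
            })
    return alerts


def build_sample_log():
    """Constructed log: agent_a17 revisits four customers over an hour (normal);
    agent_b02 enumerates 30 sequential customer ids in three minutes (bulk access)."""
    base = datetime(2025, 6, 30, 9, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.isoformat().replace("+00:00", "Z")
    lines = []
    for i in range(12):                                   # normal call handling
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{fmt(t)} agent_a17 lookup cust_{100 + i % 4}")
    for i in range(30):                                   # scraping pattern
        t = base + timedelta(minutes=20, seconds=6 * i)
        lines.append(f"{fmt(t)} agent_b02 lookup cust_{5000 + i}")
    return sorted(lines)   # fixed-width timestamps sort chronologically as strings


if __name__ == "__main__":
    for alert in detect_bulk_access(build_sample_log()):
        print(alert)
```

In production the same logic runs against the customer-service application's audit log rather than a constructed list, and the threshold is set from the observed per-agent distribution; the point is that the signal is distinct-record volume per identity, which a credential-based control such as MFA does not catch once a session is established.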