Major Extortion Alert: Qantas and Dozens of Brands Face Ransom Demand


A cybercrime collective calling itself Scattered Lapsus$ Hunters claims to have stolen data from nearly 40 major global companies — including Qantas, Disney, Toyota, IKEA and others — and is demanding ransom, threatening to publish the stolen records if demands aren’t met. Qantas has obtained a court injunction and says it’s supporting affected customers; Salesforce and several other companies deny systemic platform compromise and warn against negotiating with criminals. This is an ongoing, fast-moving extortion campaign driven largely by social-engineering intrusions. The Guardian+2ABC+2

What happened (chronology & mechanics)

  • June–September 2025 (attacks & access): Security researchers reported a coordinated social-engineering campaign that targeted corporate employees and third-party vendors handling Salesforce or CRM tools. Attackers used vishing (voice phishing) and credential-theft techniques to gain access to data loaders and export customer records. Wikipedia+1
  • October 2025 (extortion campaign): The criminal collective (a coalition of previously known groups) announced a mass extortion campaign and threatened to publish stolen data from about 39–40 companies unless ransom negotiations began — setting tight deadlines for victims. Qantas is named among those targeted; some affected firms have already obtained injunctions or taken legal steps. The Guardian+1
  • Responses: Qantas says it has legal protections and is offering support to affected customers; Salesforce publicly stated its platform has no evidence of systemic compromise and will not negotiate with criminals. Regulators and cybersecurity authorities are investigating. ABC+1

Who’s affected? (table of reported victims)

Note: reporting varies by outlet; investigators are still confirming lists. Below are companies named in multiple credible reports.

| Company (reported) | Notes / Source |
|---|---|
| Qantas | Affected via customer records; court injunction obtained. ABC |
| Disney | Named among targeted firms in extortion list. The Guardian |
| Toyota | Reported as one of the victims; linked to Salesforce customer lists. News.com.au |
| IKEA | Reported as affected in multiple outlets. News.com.au |
| Google (AdSense/other units) | Reported in extortion list; Google Threat Intelligence tracking attackers. The Guardian |
| Chanel / LVMH subsidiaries | Reported in prior Salesforce-targeted intrusions. Wikipedia |
| McDonald’s / KFC (Yum) | Named in some reports. News.com.au |
| Air France / KLM | Airlines also reported in extortion list. The Guardian |
| (Others) | Multiple other multinational brands, insurers and retailers reported in regional outlets. News.com.au+1 |

Why this attack is different (and worrying)

  1. Scale + targeting of CRM data: Instead of a single ransom demand against one firm, attackers claim to possess consolidated datasets (customer names, contact details, passport info, purchase histories) across dozens of organizations — increasing risk of identity theft and targeted scams. The Guardian
  2. Social engineering, not zero-day code exploits: Google threat intel and multiple reporting lines indicate the group used vishing and credential theft to manipulate employees and third-party support tools, meaning human weaknesses — not just technical holes — are the primary vector. That makes prevention harder without broad staff training and vendor controls. Wikipedia+1
  3. Coalition of criminal groups: Reports suggest the campaign is run by a coalition (Scattered Spider, Lapsus$ and ShinyHunters-style actors), which increases its resources and publicity impact. These groups also have histories of publishing stolen data to pressure victims into paying. The Australian

Immediate risks for customers and employees

  • Phishing & vishing surge: You’re likely to see targeted phishing or phone-based scams impersonating company support or courier services.
  • Identity theft & account takeover: If attackers publish passport numbers, birthdates, or frequent-flyer numbers, criminals can try to open fraud accounts, book travel, or impersonate customers.
  • Credential stuffing: If reused passwords are exposed, attackers will test them across other services (banking, email).

Practical steps to reduce personal risk are below. 2paxfly.com

What Qantas (and other companies) are doing

  • Legal action: Qantas secured an injunction in an Australian court to block publication of stolen data and to try to limit spread across platforms and media. ABC
  • Customer support & identity protection: Qantas has offered 24/7 support lines and identity protection guidance to affected customers. ABC
  • Security hardening & investigations: Affected companies report working with cybersecurity firms and law enforcement while auditing third-party access and vendor credentials. Salesforce denies platform compromise and recommends customers follow security guidance. The Guardian

What customers should do now (practical checklist)

  1. Change passwords for any account linked to the breached service (especially frequent-flyer, email). Use unique passwords.
  2. Turn on MFA (multi-factor authentication) on all important accounts (email, banking, work).
  3. Be suspicious of calls, texts, or emails claiming to be from Qantas, Salesforce, or “support” — verify via official channels. Never give OTPs or login details over the phone.
  4. Monitor financial accounts & frequent-flyer activity for unusual charges or redemptions.
  5. Freeze or monitor credit if personally sensitive identifiers (passport, SSN, national ID) may be exposed in your country.
  6. Use identity protection services offered by the company if you were notified. These services help monitor dark-web listings and suspicious use of personal data. 2paxfly.com+1

What businesses must learn from this incident

  • Harden vendor access & third-party controls: Attackers repeatedly exploit third-party support tools; require strict least-privilege, stronger authentication (hardware MFA), and monitored admin sessions. Wikipedia
  • Train staff on vishing / social engineering: Regular, role-specific simulations (not just email phishing) for phone and live-chat scenarios.
  • Encrypt & segment data: Limit how much data any one service can export; adopt tokenization and strict export controls for PII.
  • Incident preparedness: Legal options (injunctions), customer communications, and cyber insurance should be pre-planned. Recent reporting highlights insurers now carefully evaluating exposure. Insurance Business

Table — Attack vectors, impact & mitigation

| Attack vector | Immediate impact | Practical mitigation |
|---|---|---|
| Vishing / voice phishing | Credential theft; unauthorized access | Staff training, call-verification protocols, hardware MFA |
| Compromised third-party tool (Data Loader) | Bulk data exfiltration | Vendor audits, least-privilege, session monitoring |
| Public data dump (dark web) | Identity theft, fraud, reputational damage | Rapid breach notification, offer ID protection, credit monitoring |
| Social engineering across companies | Cross-company exposure | Enforce company-wide security standards, cross-vendor incident exercises |

(Sources: threat reports and corporate statements). Wikipedia+1

  • Regulators will scrutinize vendor management and breach notification practices. In jurisdictions with strong privacy laws (GDPR, NDPA, CPRA), companies can face investigations and fines if they failed to protect personal data or delayed notification. The Guardian
  • Class actions are likely. Law firms are already exploring group actions where customer data has been exposed. Qantas previously faced legal consequences after prior incidents; expect similar action if data is published. 2paxfly.com

FAQs

Q: Did Salesforce get hacked?
A: Salesforce has denied evidence of a platform-wide compromise; reporting indicates attackers used social engineering to get credentials or malicious builds of support tools, rather than exploiting core Salesforce code. Investigations are ongoing. The Guardian+1

Q: Should companies ever pay ransoms?
A: Authorities and major vendors advise against paying ransoms (it incentivizes crime and doesn’t guarantee data destruction). Decisions are complex: insurers, legal counsel, and law enforcement normally consult on a case-by-case basis. The Guardian

Q: If I’m a Qantas customer, will they notify me?
A: Qantas has stated it’s supporting affected customers and has set up dedicated support lines. If your personal data is implicated, you should receive direct notification. Meanwhile, follow the protection checklist above. ABC

Sources & further reading

  • The Guardian — “Qantas among nearly 40 companies facing ransom demand from hacker group.” The Guardian
  • ABC News Australia — “Qantas ‘legal protections in place’ as cyber hacking group threatens to release personal data.” ABC
  • The Australian — reporting on coalition of hacker groups and claimed data volume. The Australian
  • Financial Review & regional outlets reporting on extended victim lists and insurance implications. Australian Financial Review+1
  • Threat intelligence background on ShinyHunters / Scattered Spider tactics and Salesforce-linked intrusions. Wikipedia
ikeh James

Ikeh Ifeanyichukwu James is a Certified Data Protection Officer (CDPO) accredited by the Institute of Information Management (IIM) in collaboration with the Nigeria Data Protection Commission (NDPC). With years of experience supporting organizations in data protection compliance, privacy risk management, and NDPA implementation, he is committed to advancing responsible data governance and building digital trust in Africa and beyond. In addition to his privacy and compliance expertise, James is a Certified IT Expert, Data Analyst, and Web Developer, with proven skills in programming, digital marketing, and cybersecurity awareness. He has a background in Statistics (Yabatech) and has earned multiple certifications in Python, PHP, SEO, Digital Marketing, and Information Security from recognized local and international institutions. James has been recognized for his contributions to technology and data protection, including the Best Employee Award at DKIPPI (2021) and the Outstanding Student Award at GIZ/LSETF Skills & Mentorship Training (2019). At Privacy Needle, he leverages his diverse expertise to break down complex data privacy and cybersecurity issues into clear, actionable insights for businesses, professionals, and individuals navigating today’s digital world.
