Qantas said data belonging to 5.7 million customers stolen in a major cyberattack has been shared online, widening the fallout from a campaign tied to a third-party platform used by dozens of global companies.
The airline reiterated that the compromise originated at a provider later identified as Salesforce and involved a customer contact-centre system first disclosed in July.
Attackers obtained names, email addresses, phone numbers, dates of birth and frequent-flyer numbers, while payment cards, financial details and passport data were not taken, the company said.
The disclosure follows claims by a hacker collective that it had leaked records linked to Qantas after a ransom deadline passed, part of what it says is a broader tranche spanning more than 40 firms.
Companies reported to be affected include Disney, Google, Ikea, Toyota, McDonald’s, and airlines Air France and KLM.
Salesforce has acknowledged awareness of extortion attempts by threat actors, while Qantas said no further breaches of its systems have occurred since the initial incident.
The airline added that it is cooperating with the Australian Cyber Security Centre and the Australian Federal Police.
Qantas said an injunction obtained from the New South Wales Supreme Court remains in force to prevent any access, viewing, release, use, transmission, or publication of the stolen data.
The carrier has engaged specialist cybersecurity experts to analyse the posted material and confirm the contents. It said impacted customers were proactively notified in July of the categories of personal information involved and that this assessment is unchanged.
Since the breach, Qantas said it has implemented additional security measures, expanded staff training, and strengthened monitoring and detection. Customers have access to specialist identity-protection services, a 24/7 support line, and updates via the airline’s website.
The company urged vigilance against scams, advising verification of unsolicited contacts through official channels, the use of multi-factor authentication, and avoiding the sharing of passwords or sensitive information.
It encouraged reporting suspected fraud to Australia’s National Anti-Scam Centre and consulting guidance from the Australian Cyber Security Centre, IDCARE, and the Office of the Australian Information Commissioner.
The incident underscores growing operational and legal risks around supply-chain and software-as-a-service dependencies, as well as the use of court orders to restrict the dissemination of stolen data.
Qantas said it continues to investigate the scope of the published material and to coordinate with authorities and partners.