Qantas — Salesforce-connected CRM exfiltration

Around 5.7 million Qantas customer records exfiltrated via a third-party platform integrated with the airline's Salesforce environment.

Target: Qantas — Salesforce-connected CRM exfiltration
Date public: 2 July 2025
Sector: Transport
Attack type: Supply Chain
Threat actor: Scattered Lapsus$ Hunters (Scattered Spider / ShinyHunters / Lapsus$ alliance)
Severity: High
Region: Australia

Qantas runs its customer service through Salesforce — the same CRM platform most large enterprises use to track who their customers are and what they've bought. The Salesforce instance was managed for Qantas by a contact-centre operator in Manila. In late June 2025 a group of attackers phoned that contact centre, pretended to be Qantas IT staff, and talked an operator into giving them access to the Salesforce environment. They downloaded the customer records of around 5.7 million Qantas frequent flyers — names, email addresses, phone numbers, dates of birth, frequent-flyer numbers — then demanded a ransom in Bitcoin. Qantas refused. The Supreme Court of New South Wales granted an injunction prohibiting publication. The attackers waited out the deadline, ignored the injunction, and dumped the data on the dark web on 12 October 2025.

On 30 June 2025 Qantas detected unusual activity on a third-party platform connected to its Salesforce customer environment. By 2 July the airline had publicly confirmed a cyber incident, and over the following week disclosed that personal information for approximately 5.7 million customers had been exfiltrated. The data taxonomy was specific: names, email addresses, phone numbers, dates of birth and frequent-flyer numbers. Payment-card data and passport numbers were unaffected. The volume was material — 5.7 million records is a meaningful share of Qantas’s frequent-flyer programme — but the dataset was lower-grade than a typical retail-banking breach.

The intrusion vector matters more than the data taxonomy. The compromised platform was a contact-centre operation in Manila that managed the airline’s Salesforce environment under a third-party services contract. The attackers, claiming the alias Scattered Lapsus$ Hunters, phoned the contact centre and impersonated Qantas IT staff. They convinced an operator to grant Salesforce session access, then exported the customer-record dataset before the access was withdrawn. The technique — voice-phishing of an outsourced support function with privileged CRM access — is the same one Scattered Spider used against MGM Resorts and Caesars Entertainment in September 2023, and the same one ShinyHunters has subsequently used against Carnival, Pitney Bowes and a long tail of other Salesforce-customer victims in April 2026. Qantas was one of the first major worked examples in what has since become a single operational pattern with a named brand.

The attribution itself is the second story. Scattered Lapsus$ Hunters is the public alias for an alliance the threat-intelligence community has labelled the “Trinity of Chaos” — Scattered Spider (also tracked as Octo Tempest and UNC3944), ShinyHunters and Lapsus$ operating as a coordinated extortion bloc. The alliance’s public ransom demand against Qantas was directed at Salesforce CEO Marc Benioff personally and threatened to leak data from “91 organisations, multinational conglomerates and governments” unless 20 BTC was paid. The framing was a deliberate signal. The attackers were positioning the campaign not as a Qantas breach but as a Salesforce-platform problem, with Qantas as one of ninety-one downstream victims. The August 2025 Salesloft Drift OAuth-token theft, which exposed Salesforce credentials for hundreds of integrated downstream tenants, sits behind that framing as the upstream technical link.

Qantas’s response was, by Australian standards, robust. The airline obtained an injunction from the Supreme Court of New South Wales in July 2025 prohibiting publication, distribution or further dissemination of the stolen dataset, and notified the Office of the Australian Information Commissioner within the statutory window. Qantas Group CEO Vanessa Hudson took a $250,000 cut to her short-term incentive bonus, a step the board described publicly as “shared accountability” for the customer impact. The injunction did not, in the end, prevent publication. The attackers ignored it, waited out their own ransom deadline, and on 12 October 2025 published the dataset on a dark-web leak site. The Australian Federal Police and the OAIC have continuing investigations open.

The defender takeaway is uncomfortable, because the technical surface area where Qantas could have intervened was narrow. The compromised account was not a Qantas employee. The compromised credential was not a Qantas password. The compromised endpoint was not a Qantas device. What was Qantas’s was the Salesforce object permission scope granted to a third-party contact-centre user role, and that is where prevention had to live. A contact-centre support agent does not need bulk-export permission on a customer record object. They need single-record read access, scoped to the conversation they are servicing, with rate limits, anomaly detection and alerting on bulk-query patterns. Most enterprise Salesforce deployments grant that role considerably more than that, because the platform’s permissioning model defaults toward usability and the contact-centre operator’s training emphasises customer-resolution speed.
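The two controls that paragraph names, a permission scope that excludes bulk export and alerting on bulk-query patterns, can both be expressed as small checks. The following is an added example written for this page; it is not Qantas's, Salesforce's or the contact-centre operator's code. The log format is a constructed, simplified stand-in for a Salesforce event-monitoring record (timestamp, user, operation, object, rows returned), the permission names are illustrative assumptions rather than real Salesforce permission identifiers, and the thresholds are placeholders a team would tune to its own contact-centre baseline.

```python
"""Least-privilege review and bulk-read detection for a contact-centre CRM role.

Added example for this incident write-up, not code from Qantas or Salesforce.
Log format, permission names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed minimal grant for a support seat: read the customer record and
# work the case in front of the agent, nothing wider.  (Illustrative names.)
CONTACT_CENTRE_BASELINE = {"Contact:Read", "Case:Read", "Case:Edit"}

# Grants that turn single-record access into bulk access.  (Illustrative names.)
BULK_CAPABLE = {"ExportReport", "ApiEnabled", "ViewAllData", "BulkApi", "Contact:ReadAll"}


def excess_permissions(granted):
    """Return the bulk-capable grants a role holds beyond the baseline.

    A non-empty result is the permission-scope finding the paragraph above
    describes: the seat can export what it should only be able to read one
    record at a time.
    """
    return (set(granted) - CONTACT_CENTRE_BASELINE) & BULK_CAPABLE


# Constructed sample activity log: agent17 behaves like a support agent,
# agent42 performs a report export followed by large page-size queries.
SAMPLE_LOG = """\
2025-06-29T22:01:05Z agent17 QUERY Contact 1
2025-06-29T22:01:40Z agent17 QUERY Contact 1
2025-06-29T22:03:12Z agent17 QUERY Contact 1
2025-06-29T22:10:00Z agent42 QUERY Contact 1
2025-06-29T22:10:31Z agent42 REPORT_EXPORT Contact 200000
2025-06-29T22:11:02Z agent42 QUERY Contact 2000
2025-06-29T22:11:30Z agent42 QUERY Contact 2000
2025-06-29T22:12:05Z agent42 QUERY Contact 2000
"""


def parse_log(text):
    """Parse whitespace-separated records into (ts, user, op, object, rows) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, obj, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, op, obj, int(rows)))
    return events


def bulk_read_alerts(events, window=timedelta(minutes=10), per_op_limit=25, window_limit=500):
    """Flag users whose reads look like bulk extraction rather than case handling.

    Two signals, both placeholder thresholds:
      * any single operation returning more rows than one conversation needs;
      * total rows read inside a rolling window exceeding a seat's plausible workload.
    Returns a list of (user, reason) tuples, one entry per user and signal.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        raised = set()
        for i, (ts, _, op, obj, rows) in enumerate(evs):
            if rows > per_op_limit and ("single_op", op) not in raised:
                raised.add(("single_op", op))
                alerts.append((user, f"{op} on {obj} returned {rows} rows (limit {per_op_limit})"))
            start = ts - window
            total = sum(r for t, _, _, _, r in evs[: i + 1] if t >= start)
            if total > window_limit and "window" not in raised:
                raised.add("window")
                alerts.append((user, f"{total} rows read within {window} (limit {window_limit})"))
    return alerts


if __name__ == "__main__":
    role = {"Contact:Read", "Case:Read", "Case:Edit", "ExportReport", "ApiEnabled"}
    print("bulk-capable excess on support role:", sorted(excess_permissions(role)))
    for user, reason in bulk_read_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

In the sample, agent17 never trips either signal and agent42 trips both, which is the asymmetry the alerting is meant to surface: a seat that only ever reads one record per conversation should never produce a window total in the thousands. The permission check is the cheaper control, since a role with no bulk-capable grant cannot produce those rows in the first place, regardless of who is on the phone.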

For UK and Australian financial-services firms the read-across is direct. The vendor-managed Salesforce contact centre is a supply-chain category that has not typically been treated as a critical third party for resilience and security review. After Qantas, after Marks & Spencer, after the broader Salesloft-Drift cluster, that category sits squarely inside whatever framework — DORA, FCA SS2/21, APRA CPS 234 — your firm uses for managing operational-resilience risk. The Salesforce permission scope of a Manila contact-centre seat is now a board-level question, in a way it wasn’t twelve months ago.

The Qantas case is the first major published example of that lesson. It will not be the last.
