Telstra, one of Australia’s leading telecommunications providers, has denied claims of a data breach related to the Scattered Spider group.
In response to the claims of 19 million personally identifiable information (PII) being compromised by the hacker group, the company denied any compromise of its internal systems. In a statement shared on X (formerly Twitter), Telstra retracted the claims by the hacker group, stating:
“We’ve investigated it, and the data has been scraped from public sources, not Telstra systems. No passwords, banking details, or personal identification data like driver’s licence or Medicare numbers are included.”
The Telstra Data Breach and Claims 100GB of Compromised Data
The threat actor, posting on a dark web leak site under the banner Scattered Lapsus$ Hunters, listed Telstra as one of its latest victims in a post dated October 3. The post claimed that over 100GB of personally identifiable information (PII) had been compromised, including data such as full names and physical addresses.
A particularly alarming portion of the post stated:
“We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter.”
According to the group’s listing, the data compromise allegedly occurred in July 2023, and they set a ransom deadline of October 13, 2025. The attackers claim to have obtained 16,983,437 records in a file named telstra.sql, allegedly part of a larger trove of over 19 million PII records.
Salesforce Also Targeted — Refuses to Negotiate
Interestingly, the ransom demands appear to be linked not just to Telstra but also to global cloud computing firm Salesforce. The attackers have demanded that negotiations begin with Salesforce, though the connection between Telstra’s data and Salesforce remains unclear.
On October 8, 2025, Salesforce released a firm statement refusing to negotiate or pay any ransom:
“Salesforce will not engage, negotiate with, or pay any extortion demand.”
This position is consistent with recommendations from global cybersecurity authorities, who advise against paying ransoms to cybercriminals.
A Pattern of Alleged Breaches
The data breach at Telstra appears to be part of a broader campaign by Scattered Lapsus$ Hunters. The group’s dark website now lists over 40 international companies, including Qantas, Google AdSense, IKEA, and more.
Cybersecurity researchers and platforms such as Cyble Vision have noted multiple past claims of Telstra data breaches. In one instance from 2024, a separate threat actor known as UnicornLover67 advertised a dataset allegedly containing 47,300 Telstra employee records.
This data reportedly included names, email addresses, hashed passwords, timestamps, and employment status, with the most recent entries dated November 2024.
In yet another incident from 2022, Telstra acknowledged a third-party data breach that affected approximately 132,000 customers. While this earlier breach was not linked to Scattered Spider, it demonstrates a worrying trend of recurring security incidents involving the telecom giant.
Is This a Fresh Breach or Recycled Data?
While Telstra continues to deny any recent breach, cybersecurity experts remain skeptical. Some analysts suggest that the data now being used in this Telstra cyberattack may originate from previous incidents, repackaged to appear as a fresh breach. Others warn that even if the data was scraped from public sources or old leaks, its reuse in a ransom campaign still poses a real threat to affected individuals.
Adding to the confusion, a Telstra spokesperson previously acknowledged in November 2024 that a file containing internal company data was listed for sale online. At the time, the company maintained that the leak involved non-sensitive internal data and was unrelated to any active breach, as reported by the Australian Financial Review.
Ongoing Investigation
The Telstra data breach remains under active investigation. While the company holds its ground on denying a system compromise, the seriousness of the threats made by Scattered Spider cannot be dismissed outright. With the ransom deadline looming on October 13, 2025, the situation continues to evolve.
As of now, The Cyber Express has reached out to the organization to learn more about this incident. However, at the time of writing the article, no further information or statement was received. This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Telstra data breach or any official communication from the company.
