Qantas Airways confirmed customer data stolen in a July breach had been published by cybercriminals.
The airline said in July that more than a million customers had sensitive details such as phone numbers, birth dates or home addresses accessed in one of Australia’s biggest cyber breaches in years.
Another four million customers had just their name and email address taken during the hack, it said at the time.
The July breach represented Australia’s most high-profile cyberattack since telecommunications giant Optus and health insurer Medibank were hit in 2022, incidents that prompted mandatory cyber resilience laws.
On Sunday, Qantas said in a statement that it was “one of a number of companies globally that has had data released by cyber criminals following the airline’s cyber incident in early July, where customer data was stolen via a third party platform”.
The platform is widely reported to be Salesforce, with hackers using social engineering techniques to gain access.
“With the help of specialist cyber security experts, we are investigating what data was part of the release,” it said.
“We have an ongoing injunction in place to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone, including third parties,” the airline added.
Hacker collective Scattered Lapsus$ Hunters is behind the Qantas data release, which occurred after a ransom deadline set by the group passed.
