The hackers have also obtained stolen data from dozens of other companies including Disney, Google, Ikea, Toyota, McDonald’s and fellow airlines Air France and KLM.
“Qantas is one of a number of companies globally that has had data released by cyber criminals following the airline’s cyber incident in early July, where customer data was stolen via a third party platform,” the company said in a statement.
“With the help of specialist cyber security experts, we are investigating what data was part of the release,” it added.
It also said it had obtained a legal injunction with the Supreme Court of New South Wales, where the firm is headquartered, “to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone, including third parties”.
Cyber security analysts have linked the hack to individuals linked to an alliance of cyber criminals called Scattered Lapsus$ Hunters.
Research group Unit 42 said in a note the group had “asserted responsibility for laying siege to customer Salesforce tenants as part of a co-ordinated effort to steal data and hold it for ransom”.
The hackers had reportedly set an October 10 deadline for ransom payment.
Threat intelligence platform FalconFeeds said on X, formerly Twitter, that the customer data had been posted on the dark web over the weekend.
Vietnam Airlines, clothing giant Gap and Japanese multinational Fujifilm also had data leaked, it said.
The hackers reportedly stole the sensitive data using a social engineering technique, referring to a tactic of manipulating victims by pretending to be a company representative or other trusted person.
– Agence France-Presse