➽Data Breach
➽Latest News

Qantas Airways Confirms Data Breach Affecting 6 Million Customers Linked to Salesforce Exposure

Oct 12, 2025
|
by Cyber Analyst
Qantas Airways Confirms Data Breach Affecting 6 Million Customers Linked to Salesforce Exposure

➤Summary

In late June, Qantas revealed it was among several international companies affected by a breach involving Salesforce’s customer service software. The incident reportedly exposed sensitive customer data stored within Salesforce’s cloud environment used by Qantas to manage support inquiries and loyalty program interactions.

At the time, Qantas stated that the affected systems contained customer contact details, loyalty membership IDs, and limited service communication history, but no passport, payment card, or password information was directly compromised.

However, in October, cybersecurity researchers and journalists began linking the leaked data appearing on hacker forums to the Qantas incident — suggesting the scope might be wider than initially believed. The leak allegedly contains up to 6 million unique records from Qantas’ global customer base.

What information was exposed?

According to early analysis of the leaked dataset circulating on the dark web, the exposed information may include:

  • Full names, email addresses, and phone numbers

  • Frequent flyer membership numbers and tier levels

  • Customer service messages and case IDs

  • Flight booking references and partial travel history

While no financial data appears in the current samples, experts warn that even partial personal information can enable phishing, identity theft, and social engineering attacks.

A cybersecurity analyst from DarknetSearch.com commented:

“Attackers rarely need full credit card details. With names, emails, and loyalty account identifiers, they can impersonate airlines or customer service reps, tricking victims into revealing far more sensitive data later.”

How the Salesforce breach unfolded

The Salesforce breach was first disclosed in June 2025, when the company detected unauthorized access within one of its customer support environments. Attackers reportedly exploited a misconfigured API endpoint that allowed them to enumerate and extract datasets from multiple client instances.

Among the affected organizations were several airlines, financial services providers, and retail brands — including Qantas, which relied heavily on Salesforce’s infrastructure to manage customer engagement workflows.

Salesforce issued an emergency patch and began notifying impacted clients immediately. Yet by July, samples of data attributed to several brands had begun circulating privately among cybercriminal groups.

Industry observers note that this incident mirrors previous supply-chain breaches, where attackers target third-party providers to reach multiple organizations simultaneously. 🧩

Potential impact on Qantas customers

For millions of Qantas customers, the implications are serious. Even without passwords or payment data, the leaked records can be misused in various ways:

  • 🎯 Phishing campaigns: Fraudulent “Qantas support” or “Frequent Flyer update” emails asking users to confirm details.

  • 💳 Loyalty fraud: Attackers redeeming frequent flyer points or selling them on illicit markets.

  • 📩 Spam and identity theft: Using personal information for targeted scams or impersonation attempts.

  • 🕵️‍♂️ Credential testing: If any Qantas users reused credentials on other systems, those accounts could also be at risk.

Qantas has advised customers to remain vigilant and report any suspicious communications claiming to represent the airline or its partners.

Qantas’ official response and investigation

Following the revelations, Qantas released a detailed statement confirming the Salesforce link and outlining mitigation efforts.

“While the breach originated from a third-party service provider, we take full responsibility for protecting our customers’ information,” the company said. “We are working with cybersecurity specialists and Salesforce to assess the scope of the incident and strengthen controls around shared data environments.”

The airline added that its core flight operations, payment systems, and mobile app infrastructure remain unaffected.

Qantas has also initiated direct notifications to impacted customers and offered complimentary identity protection services for frequent flyer members whose information was found in the compromised dataset.

Salesforce’s position on the incident

Salesforce confirmed the breach but emphasized that it affected a “limited subset” of customers and was not the result of a vulnerability in its core platform.

In an official statement, the company said:

“The incident stemmed from a misconfiguration within a client-specific environment. Upon discovery, access was revoked and forensic teams immediately contained the exposure. We are cooperating with all affected organizations to support mitigation and compliance measures.”

Despite Salesforce’s assurances, analysts note that cloud misconfigurations remain one of the leading causes of large-scale data exposures, especially for enterprises managing multi-tenant systems.

Previous airline data breaches highlight a pattern

The Qantas event follows a troubling pattern across the aviation industry:

  • Cathay Pacific (2018): 9.4 million passengers’ personal details leaked.

  • British Airways (2019): Credit card and travel information stolen from 380,000 customers.

  • EasyJet (2020): 9 million records exposed, including 2,000 credit card numbers.

  • Air India (2021): Breach involving passenger data managed by SITA, affecting 4.5 million people.

Each case illustrates how airlines — with their vast customer datasets and reliance on third-party systems — remain prime targets for cybercriminals seeking valuable personal and travel information.

The dark web dimension

Researchers at DarknetSearch.com have confirmed that listings referencing “Qantas customer data” began appearing on dark web forums in early October. Some of these listings include samples matching the structure of Salesforce export files, suggesting a direct correlation with the June breach.

Cybercriminals are allegedly offering access to the data for as little as $2,000, with premium buyers requesting exclusive access to high-value frequent flyer accounts.

Dark web intelligence indicates that portions of the dataset may have already been resold multiple times, complicating containment efforts.

Expert insights on corporate responsibility

Cybersecurity expert Dr. Amanda Kerr, author of Securing the Cloud Supply Chain, said:

“This is a wake-up call for every company relying on third-party SaaS vendors. Shared responsibility doesn’t mean shared blame — customers trust the brand they interact with, not its suppliers.”

Dr. Kerr emphasized that organizations must implement continuous monitoring, access audits, and data minimization policies to prevent cascading exposures when service providers are compromised.

How Qantas can rebuild trust

Rebuilding customer trust after a breach of this magnitude requires transparency, communication, and long-term investment in security. Industry best practices recommend:

  • Public updates: Ongoing communication about investigation progress.

  • Customer education: Clear instructions on recognizing phishing attempts.

  • MFA enforcement: Strong authentication for all account logins.

  • Security culture: Regular audits and mandatory cybersecurity training for staff.

  • Vendor oversight: Comprehensive third-party risk assessments.

A transparent and proactive approach will be key for Qantas to reassure its customer base and regulatory bodies.

What customers should do now

Qantas has urged affected individuals to take immediate precautions, including:

  1. Resetting passwords for all online accounts using similar credentials.

  2. Enabling multi-factor authentication (MFA) where possible.

  3. Avoiding links in unsolicited Qantas-related emails or messages.

  4. Monitoring loyalty points and financial accounts for unusual activity.

  5. Using dark web monitoring tools to check whether their information appears in leaked databases.

Security experts recommend customers visit DarknetSearch.com for free educational resources on monitoring leaked data and preventing identity fraud.

The regulatory and legal angle

Under Australia’s Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme, Qantas is legally required to notify the Office of the Australian Information Commissioner (OAIC) and all impacted individuals once a serious data breach is confirmed.

Given the global nature of the Salesforce exposure, Qantas may also face inquiries under the General Data Protection Regulation (GDPR) for affected European customers.

Legal experts expect heightened scrutiny of cloud vendor contracts and cross-border data sharing agreements, which could redefine how airlines manage outsourced services.

Broader cybersecurity lessons for enterprises

The Qantas-Salesforce incident underscores several key lessons applicable to all large enterprises:

  • Supply-chain security is only as strong as its weakest vendor.

  • Cloud misconfigurations remain one of the top causes of data exposure.

  • Real-time monitoring and automated alerting can drastically reduce breach detection time.

  • Dark web intelligence provides early visibility into data circulation.

As attacks grow more sophisticated, organizations must embrace Zero Trust frameworks, robust encryption, and continuous vulnerability scanning across all third-party integrations. 🔐

Looking ahead: industry recovery and accountability

The airline industry faces a difficult road ahead in restoring passenger confidence. Cybersecurity investment is no longer optional but integral to customer experience and brand integrity.

While Qantas has pledged to enhance its defenses and review all supplier arrangements, experts warn that data from this incident may continue circulating for years, highlighting the importance of persistent monitoring and coordinated response.

Aviation regulators in Australia and the Asia-Pacific region are reportedly considering new compliance requirements for airlines using third-party cloud vendors — a move that could reshape digital risk management across the sector.

Conclusion

The Qantas Airways data breach, affecting an estimated 6 million customers, marks a significant chapter in the ongoing Salesforce data exposure saga. It demonstrates how interconnected systems — once considered efficient — can become conduits for global security incidents when improperly secured.

Both Qantas and Salesforce now face the challenge of regaining customer trust and reinforcing the industry’s cybersecurity posture. As data breaches become more common, transparency, swift communication, and responsible governance will define which companies emerge stronger from these crises.

🚀 Discover much more in our complete cybersecurity guide
🛡️ Request a demo NOW and protect your business from supply-chain breaches

💡 Do you think you're off the radar?

Your data might already be exposed. Most companies find out too late. Let ’s change that. Trusted by 100+ security teams.

🚀Ask for a demo NOW →
🛡️ Dark Web Monitoring FAQs

Q: What is dark web monitoring?

A: Dark web monitoring is the process of tracking your organization’s data on hidden networks to detect leaked or stolen information such as passwords, credentials, or sensitive files shared by cybercriminals.

Q: How does dark web monitoring work?

A: Dark web monitoring works by scanning hidden sites and forums in real time to detect mentions of your data, credentials, or company information before cybercriminals can exploit them.

Q: Why use dark web monitoring?

A: Because it alerts you early when your data appears on the dark web, helping prevent breaches, fraud, and reputational damage before they escalate.

Q: Who needs dark web monitoring services?

A: MSSP and any organization that handles sensitive data, valuable assets, or customer information from small businesses to large enterprises benefits from dark web monitoring.

Q: What does it mean if your information is on the dark web?

A: It means your personal or company data has been exposed or stolen and could be used for fraud, identity theft, or unauthorized access immediate action is needed to protect yourself.