🔗 Share this article

The airline giant joins close to 40 worldwide businesses that must by the end of this week to initiate ransom discussions with cybercriminals who are threatening to leak potentially 1 billion confidential details.

The Extortion Note and Threat

This cybercriminal group supposedly posted the ransom demand on a information exposure site on the dark web recently, demanding payment in return for stopping the hijacked records from being shared.

They stated to have stolen data from the CRM systems of 39 corporations such as Toyota, Disney, the fast-food chain, Puma, the luxury jeweler, the athletic apparel company, Qantas, the European carrier, the advertising platform, the fashion house and the furniture retailer.

Time Limit and Negotiation Requirements

The cybercriminal group is reportedly requiring both the targeted firms and the software provider reach out to them by the 10th of October regarding the payment of the demanded amount.

“Contact us to arrange this ransom or all your customers data will be made public,” the note reportedly states.

Type of Stolen Data

Sources suggest the records was taken between spring 2024 and September 2025 and contains individual and reach-out specifics of the firms' users and workers, for example DOB, transaction logs and passport numbers.

The group also claimed to have airline customers’ loyalty program IDs.

Evidence and Previous Incidents

The hackers’ post featured samples of stolen data, including that of the airline after a significant breach in June that likely revealed the information of as many as 6 individuals.

Company Response and Actions

A Qantas spokesperson said its main goals were “continued vigilance and providing continuous assistance for our customers” after the June attack.

During the summer, Qantas received an ongoing injunction from the state judiciary ensuring measures to prevent the hijacked records being seen, viewed, leaked, utilized, forwarded or disseminated by any individual, even third parties.

“We provide a always-available assistance and specialist ID security guidance to concerned users,” the official stated.

The Platform Stance and Review

Their representative told that the company “refuses to interact, discuss with, or pay any blackmail attempt”.

It was not shown the the software had been hacked, the organization said via a release.

“We have noted of recent extortion attempts by threat actors, which we have looked into in cooperation with outside specialists and officials. The results indicate these attempts relate to previous or unconfirmed events, and we continue working with impacted users to provide support,” the statement said.

Expert Opinion and Group Background

An expert, a cybersecurity analyst with Sophos cybersecurity’s counter-threat unit, said the hackers had a track record of significant breaches.

“A great deal of what they publish is deliberate falsehoods, mischief and online harassment so it is challenging to predict what will occur on the specified date. They are willing to exposing large volumes of records so if they possess Qantas data I am not shocked if they leaked it,” he commented in a announcement.

Per research by the Google's security team, the cybercriminal group is a “financially motivated threat cluster” that specialises in vishing campaigns deceiving targets.

“The tactic has demonstrated notably efficient in fooling staff, frequently within English-speaking offices of global firms, into steps that give the attackers access or cause the sharing of sensitive credentials,” they reported.