Australia remains steadfast: no negotiations with hackers after Qantas breach
The Australian government has reaffirmed its policy of not negotiating with cyber criminals or paying ransoms, even as a well-known hacking collective released stolen Qantas data on the dark web. The development follows a July cyberattack that affected 5.7 million Qantas customers and involved data linked to several global firms connected to Salesforce. While some details were limited to basic identifiers, more sensitive information such as address, date of birth, phone number, and gender was exposed for a subset of customers. Importantly, Qantas says payment card data was not compromised.
The breach and the hackers’ timeline
In July, the attack compromised the data of 5.7 million Qantas customers. The breach affected not only Qantas but also a group of 40 global firms with ties to Salesforce, illustrating how interlinked corporate ecosystems can magnify risk. After the ransomware group behind the attack failed to secure a payment on its deadline—posted through its Telegram channel—the data was released on the dark web, signaling a persistent threat environment for Australian businesses.
What data was affected?
Qantas has indicated that for most customers, the exposed data included names, email addresses, and frequent flyer details. A portion of customers faced exposure to more sensitive information, including home addresses, dates of birth, phone numbers, and gender. The airline stressed that credit card details were not part of the breach, which may influence how customer risk is assessed and communicated.
Government response and policy stance
Federal authorities have repeatedly stated that Australia will not negotiate with cyber criminals or pay ransoms. Transport Minister Catherine King emphasized that while Australia does not need to overhaul its approach, the country must adapt to a continually evolving threat landscape. She urged companies and individuals to clamp down on security vulnerabilities, calling for stronger authentication measures and cautious online behavior.
Advice for individuals and organizations
Officials urged Australians to change passwords, enable two-factor authentication, and avoid clicking on suspicious links in unsolicited emails. The message is clear: robust personal cybersecurity practices reduce the likelihood of future breaches and limit potential damage even when attackers manage to access some data.
Privacy law and regulatory response
Federal Attorney-General Michelle Rowland highlighted ongoing efforts to strengthen privacy protections as part of Australia’s broader regulatory reforms. The aim is to empower the Information Commissioner’s office to respond more effectively to data breaches and to impose higher penalties on entities that fail to protect customer data. While the Information Commissioner has not publicly commented on whether Qantas will face a financial penalty, the government’s stated direction signals a tougher stance on privacy compliance.
Qantas’ ongoing response
Qantas said it is actively reviewing leaked information via dark web monitoring channels and is coordinating with federal authorities and law enforcement to assess the breach. The airline has set up a 24/7 support line and continues to offer specialized identity protection services to affected customers. As investigations proceed, customers are encouraged to rely on official updates from Qantas’ website for the latest information.
Why the policy matters
By maintaining a no-ransom policy, the government aims to deter extortion schemes and discourage criminals from extending their reach. The stance also places greater responsibility on organizations to harden cybersecurity, invest in incident response planning, and implement user-friendly protections for customers. The Qantas breach serves as a case study in the need for robust data governance across interconnected networks.