AAP
Kat Wong

Cyber hacks the 'new normal' as Qantas faces ransom

Criminals are threatening to release extensive details on more than five million Qantas customers. (Dave Hunt/AAP PHOTOS)

Criminals threatening to leak personal details of millions of Qantas customers might not be the group behind the data hack.

Australia's largest airline is among 39 major companies including Disney, Toyota and FedEx caught up in an international extortion incident.

A group named Scattered LAPSUS$ Hunters is holding their customers' data for an undisclosed amount and threatens to release the information on Friday unless the companies enter ransom negotiations.

They claim to have more than five million Qantas records including full names, email addresses, phone numbers, residential addresses, dates of birth and Frequent Flyer numbers.

Qantas customers face a nervous wait to find out if their details are being used nefariously. (Bianca De Marchi/AAP PHOTOS)

The incident highlights a level of sophistication from the criminals, but RMIT cyber security professor Matthew Warren says they may not be responsible for the initial data breach.

"What you have is the commercialisation of cybercrime," he told AAP.

"It's actually very difficult to determine who these threat actors are and whether they were the entities behind the attack.

"What they've most probably done is just bought the data on the dark web and decided this would be a good way to make some more money."

Qantas first revealed it was hacked in mid-2025 after a third-party system used by an offshore call centre was compromised.

Details of 5.7 million Qantas customer records have been compromised in a cyber hack. (Paul Braven/AAP PHOTOS)

If released, the personally identifiable information could be used by scammers to steal customers' identity, contact them posing as Qantas in search of more information or even take out bank loans.

A Qantas page on the extortionware portal claiming to belong to Scattered LAPSUS$ Hunters urged a decision-maker to get involved.

"We highly advise you proceed in the right decision," the dark web site says.

"Your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always."

Companies are generally advised to not pay ransoms.

Qantas has obtained a measure from the NSW Supreme Court to prevent the stolen data from being accessed, viewed, released, used, transmitted or published by anyone.

The commercialisation of stolen data has become a routine enterprise, a cyber security expert says. (Dave Hunt/AAP PHOTOS)

It has also offered a support line and specialist identity protection advice to affected customers.

"Ensuring continued vigilance and providing ongoing support for our customers remain our top priorities," Qantas said in a statement.

Optus faced a similar breach in 2022, when more than 10 million customers' details were compromised, and a 2023 incident at Dymocks led to more than one million people's details being shared on the dark web.

"It's just the new normal," Prof Warren said.

"There's so many vulnerabilities and areas of potential exploit and the problem you have is the organisations also have problems managing their own complex systems as well."

He recommended consumers protect themselves by using strong passwords and multi-factor authentication, but acknowledged many incidents were the result of corporate failures.
