Qantas Data Breach: A Costly Reminder of Third-Party Vulnerability

Cyber Threat Radar – The Qantas data breach has escalated. On October 12, hackers followed through on a threat to leak the personal details of nearly 5.7 million customers after a ransom deadline passed.

The breach did not stem from Qantas’ internal systems. Instead, attackers compromised a third-party platform used by one of the airline’s customer contact centres.

Qantas first detected unusual activity on June 30. The breach was tied to a Salesforce database managed outside of its own infrastructure. Within days, the airline took steps to secure the affected system and launched a full investigation, supported by cybersecurity specialists.

The stolen data includes email addresses, phone numbers, dates of birth, and frequent flyer numbers. Fortunately, no credit card or passport information was involved. But that offers little comfort to millions of affected individuals now at risk of phishing, impersonation, and fraud.

After attempts to extort payment failed, the hacker group known as Scattered Lapsus$ Hunters released the data online. The extortion message accompanying the leak read: “Don’t be the next headline. Should have paid the ransom.”

This attack is part of a broader campaign. Qantas is one of more than 40 companies reportedly targeted in a string of coordinated attacks against Salesforce tenants. Analysts believe that up to 1 billion customer records may have been affected globally.

In response, Qantas secured an injunction from the Supreme Court of New South Wales to prevent dissemination of the stolen data. The airline is working closely with federal agencies, including the Australian Cyber Security Centre and law enforcement.

Qantas has increased security across its operations. This includes enhanced detection systems, tighter third-party oversight, and identity protection support for affected customers.

But the breach is also a lesson. It underscores how even the most trusted brands are only as secure as their weakest external partner. For modern enterprises, especially those managing customer-facing platforms, this incident is another reminder that third-party access can be a critical attack surface.

Why AI-Powered Malware Is a Growing Threat Vector

Although there is no direct evidence that AI-powered malware caused the Qantas data breach, we know that such malware is a preferred method of attack for sophisticated threat actors. These tools no longer rely solely on stealing files. Instead, they capture screen content in real time, then use OCR and JSON extraction to convert visual data into structured records that can be exfiltrated.

That means sensitive on-screen data—customer records, dashboards, internal support portals—can be harvested even without breaching databases.

And with millions of support agents and employees using third-party platforms like Salesforce daily, the risk is only growing.

The Proven Countermeasure: SentryBay’s Armored Client

SentryBay’s Armored Client provides active endpoint protection where most tools cannot reach: the visible layer.

It defends against AI-powered screen capture and keylogging threats by:

  • Blacking out screen content at the system level, making screenshots unreadable to OCR tools

  • Randomizing keystrokes before they reach the OS

  • Securing browser-based and VDI applications even when malware is present

“Enterprises must assume that what’s on screen is as vulnerable as what’s in storage,” says Paul Gilbert, cybersecurity executive at SentryBay. “Armored Client helps businesses stay ahead by neutralising exfiltration at the point of visibility.”

As attackers evolve, prevention – not detection – must lead the response. Tools like Armored Client are designed to meet this moment.