Analysis

A hacking collective, "Scattered Lapsus$ Hunters," has published sensitive data from six major corporations, including Qantas Airways and Vietnam Airlines, following claims of exploiting a Salesforce vulnerability to compromise 989 million records from 39 global firms. This initial release on October 10, 2025, includes substantial datasets, such as Qantas's 153 GB with over 5 million records and Vietnam Airlines' 63.62 GB with more than 23 million records, underscoring a significant cybersecurity breach. The leaked information is highly sensitive, encompassing extensive Personally Identifiable Information (PII) like passport numbers, frequent flyer details, full names, addresses, and internal CRM fields. Qantas Airways has confirmed that data from 5.7 million customers was published online, validating the severity of the breach and creating substantial risks for affected individuals, including identity theft and fraud. For the implicated companies, which span retail (GAP, Albertsons), logistics (UPS, FedEx), and automotive (Toyota, Stellantis), the breach poses significant reputational damage, potential financial liabilities, and regulatory scrutiny. The incident also raises critical questions regarding the security posture of third-party cloud service providers, particularly Salesforce (CRM), whose alleged vulnerability was central to the attack. The overall sentiment is extremely negative, with a high market impact score of 0.85.