Analysis

Qantas faces significant fallout after personal data for 5.7 million customers was released on the dark web by Scattered Lapsus$ Hunters following an unpaid ransom. This breach, stemming from a July phishing attack targeting a call center worker accessing the Salesforce platform, exposes sensitive personally identifiable information. Customer frustration is mounting due to poor communication and the heightened risk of a "second wave of scams." The incident carries substantial financial and regulatory risks for Qantas, with speculation of severe penalties under the Australian Privacy Act. Experts argue any fine must be significant, given Qantas's recent $1.6 billion full-year profit, to serve as a deterrent and incentivize improved cybersecurity. The Office of the Australian Information Commissioner has not commented on potential fines. A key legal question revolves around Qantas's liability, particularly concerning the role of the third-party platform, Salesforce (CRM). Determining whether Qantas or Salesforce held the stolen customer data will be crucial in assessing potential breaches of Australian privacy principles. This highlights broader third-party vendor risk management challenges. Overall sentiment surrounding Qantas is strongly negative and pessimistic, reflecting the severity of the data breach and its implications for customer trust and corporate governance. The incident underscores increasing regulatory scrutiny and the financial consequences of inadequate cybersecurity measures across industries.