A new leak site, operated by Scattered LAPSUS$ Hunters, now threatens to publish data from 39 Salesforce customers by October 10. One of these targets is Qantas, with the group claiming to possess 153 GB of data, including names, addresses, phone numbers, and frequent flyer numbers for over 5 million customers. A permanent injunction was recently granted to Qantas, not only to bar the publication of this data but also to protect their lawyers from potential retribution by the hackers.
In a July cyberattack by “persons unknown,” Qantas had a significant data breach. The airline quickly sought a preliminary injunction to stop the publication of any stolen customer data. They served the injunction to the defendants via email and online platforms. However, the threat actors, identified as ShinyHunters and Scattered Spider, were not deterred. They openly claimed responsibility for the breach, stating they would ignore any injunction, and later went on to publish the court files from the injunction proceedings on their Telegram channel, demonstrating their disregard for the legal order.
Not only did these hackers flout the initial injunction, but they’ve since escalated their actions. A group calling themselves Scattered LAPSUS$ Hunters has launched a new leak site, threatening to release data from 39 companies—all customers of Salesforce—if an undisclosed ransom is not paid by October 10. Qantas Airways is one of the targeted companies on this list. The threat actors claim to have 153 GB of Qantas data, which includes more than 5 million customer records containing personally identifiable information such as names, email addresses, phone numbers, home addresses, dates of birth, and frequent flyer numbers.
In response to this new threat, Qantas went back to court to secure a more robust legal solution. The airline obtained a permanent injunction to prevent the publication of the stolen data. In a rare move, they also sought and were granted a six-month non-publication order protecting the names of their lawyers. According to Justice Francois Kunc, this was a necessary step to protect the legal team from potential retaliation by the hackers.
This legal maneuver highlights the challenges companies face when dealing with international cybercrime. While an Australian court can issue an injunction to prohibit the publication of stolen data within its jurisdiction, it has no legal authority over platforms or individuals operating outside of it. For example, a U.S.-based news organization would not be bound by such a ruling. This jurisdictional limitation means that despite the permanent injunction, the data could still be published or distributed by entities outside Australia, making it difficult for Qantas to completely control the information’s spread.
Given the complex nature of these cross-border data breaches and the limitations of legal injunctions, the ultimate outcome remains uncertain. The threat actors have already demonstrated their willingness to ignore court orders. While Qantas has taken all the legal steps available to it, the ultimate fate of the stolen data rests with the hackers. The situation underscores the ongoing cat-and-mouse game between corporations and cybercriminals and the struggle to protect sensitive information in a globalized digital world.
Reference:
