Massive Airline Data Breach Hits 13 Million Vietnam Airlines and Qantas Customers

Third-Party Breach at Salesforce Partner Exposes Personal Data of 7.3M Vietnam Airlines and 5.7M Qantas Customers

Severity: HIGH
Published: October 16, 2025
Updated: October 20, 2025
Categories: Data Breach, Supply Chain Attack

Impact Scope

  • People affected: 13.02 million customers
  • Affected companies: Vietnam Airlines, Qantas
  • Industries affected: Transportation
  • Geographic impact: Vietnam, Australia (global)

Related Entities

  • Threat actors: Scattered LAPSUS$ Hunters

Full Report

Executive Summary

A significant third-party data breach has impacted approximately 13 million customers across two major airlines, Vietnam Airlines and Qantas. A threat actor group calling itself "Scattered LAPSUS$ Hunters" has claimed responsibility, stating they breached a technology partner of the airlines in June 2025 and exfiltrated customer data from their Salesforce accounts. The compromised data, affecting roughly 7.32 million Vietnam Airlines customers and 5.7 million Qantas customers, was subsequently leaked publicly. The exposed Personally Identifiable Information (PII) includes full names, dates of birth, emails, phone numbers, and loyalty program details. While more sensitive data like payment and passport information is reportedly secure, the breach poses a significant risk of follow-on phishing and identity theft attacks against the affected individuals.


Threat Overview

The incident highlights the persistent risk posed by supply chain vulnerabilities, where an attack on a single service provider can have a cascading impact on multiple clients.

  • Threat Actor: "Scattered LAPSUS$ Hunters," a name that evokes the tactics of the notorious LAPSUS$ group, though a direct link is unconfirmed. Their name suggests a focus on hunting for exposed credentials or access, possibly related to SIM swapping or credential theft.
  • Attack Vector: The attackers claim to have compromised the Salesforce accounts of a technology partner that provides customer service platforms for the airlines. This suggests the initial intrusion may have been due to stolen credentials, lack of MFA, or a vulnerability in the partner's environment.
  • Data Compromised: The breach exposed a significant amount of PII, which is highly valuable for cybercriminals:
    • Full Names
    • Dates of Birth
    • Email Addresses
    • Phone Numbers
    • Loyalty Program Information (e.g., Lotusmiles, Frequent Flyer)
  • Timeline: The attackers claim the breach occurred in June 2025, but the data was not publicly leaked until October 2025, four months later. This delay could have been used for private sale of the data or attempted extortion.

Vietnam Airlines has confirmed the breach occurred on a platform managed by a "global technology partner," but did not name the company. Both airlines have stated their core internal IT systems were not affected.


Technical Analysis

While the exact TTPs have not been disclosed, an attack on a third party's cloud service accounts often follows a common pattern.

Probable MITRE ATT&CK Techniques:

  • Initial Access: T1078.004 - Valid Accounts: Cloud Accounts. The attackers likely obtained valid credentials for the partner's Salesforce instance through phishing, credential stuffing, or purchase from an initial access broker.
  • Collection: T1530 - Data from Cloud Storage Object. Once inside the Salesforce environment, the attackers would have used its native features or APIs to query and export the customer data.
  • Defense Evasion: The attackers likely operated within the normal functions of the Salesforce platform, making their activity difficult to distinguish from legitimate administrative tasks.
  • Exfiltration: T1537 - Transfer Data to Cloud Account. The data could have been exfiltrated directly from the cloud platform using its built-in export functionality.

Impact Assessment

The leakage of 13 million customer records has severe consequences for both the individuals and the airlines.

  • For Customers: Affected individuals are now at a high risk of targeted phishing campaigns, where attackers can use the stolen PII to craft highly convincing emails to steal passwords, financial information, or deploy malware. The data can also be used for identity theft, SIM swapping attacks, and spam.
  • For Airlines: Vietnam Airlines and Qantas face significant reputational damage and potential regulatory fines under data protection laws like GDPR, even though the breach occurred at a third party. They will also incur costs related to incident response, customer notification, and potential legal action.
  • For the Third-Party Provider: The unnamed technology partner faces catastrophic business impact, including loss of major clients and severe damage to its reputation.

This incident is a stark reminder that an organization's security posture is only as strong as its weakest link, which often lies within its supply chain.


Detection & Response

For organizations using third-party SaaS platforms like Salesforce:

  1. Monitor Cloud Logs: Continuously monitor Salesforce audit trails and logs for suspicious activity. Look for large data exports, access from unusual IP addresses or locations, and privilege escalations. This is an application of D3FEND Cloud Log Analysis (a conceptual D3FEND technique).
  2. Data Exfiltration Alerts: Configure alerts for unusually large data exports or API query volumes. Establish a baseline for normal data access patterns and investigate deviations.
  3. Third-Party Due Diligence: Implement a robust vendor risk management program that includes auditing the security controls of all critical partners.

Mitigation

For Affected Customers:

  1. Change Passwords: Immediately change the passwords for your airline loyalty accounts.
  2. Beware of Phishing: Be extremely vigilant for phishing emails or text messages that claim to be from Vietnam Airlines or Qantas. Do not click on links or provide personal information.
  3. Enable MFA: Enable multi-factor authentication on any accounts that use the same email address or password as your airline accounts.

For Organizations:

  1. Vendor Risk Management: Before onboarding any third-party provider with access to customer data, conduct thorough security assessments. Mandate strong security controls, including MFA, as part of your contractual agreements.
  2. Enforce MFA on All Accounts: Mandate the use of MFA for all administrative and user accounts on third-party platforms like Salesforce.
  3. Principle of Least Privilege: Ensure that third-party providers only have access to the minimum amount of data necessary to perform their function. This is a form of D3FEND User Account Permissions (D3-UAP).

Timeline of Events

  1. June 1, 2025: Approximate date of the breach, according to the threat actor's claims.
  2. October 15, 2025: The stolen data is publicly released, and the breach becomes public knowledge.
  3. October 16, 2025: This article was published.

Article Updates

October 20, 2025

Qantas data breach update: 'Scattered Lapsus$ Hunters' leaked 5.7M customer records after ransom non-payment.

MITRE ATT&CK Mitigations

  • Multi-factor authentication: Enforcing MFA on all cloud service accounts is the single most effective control to prevent account takeovers, even if credentials are stolen.
  • Audit (M1047, enterprise): Ingesting and monitoring cloud audit logs is critical for detecting suspicious activity within SaaS platforms like Salesforce.
  • Vendor risk management: While this was a third-party breach, robust vendor risk management programs should include validating the security posture of critical suppliers.
  • User training: Training end-users (the affected customers) to recognize and report phishing attempts is crucial to mitigate the follow-on impact of the PII leak.

D3FEND Defensive Countermeasures

The most effective countermeasure to prevent this type of breach is the mandatory enforcement of phishing-resistant Multi-Factor Authentication (MFA) for all accounts with access to sensitive data, both internally and for third-party partners. In the context of the Salesforce platform, this means enabling MFA for all users, especially those with administrative or data export privileges. This should be a contractual requirement for any technology partner handling customer PII. Had the partner's Salesforce accounts been protected by MFA, the 'Scattered LAPSUS$ Hunters' would not have been able to gain access even if they had stolen valid usernames and passwords. This single control directly disrupts the most common initial access vector for cloud service compromises.

Implement a data loss prevention (DLP) or cloud access security broker (CASB) solution to monitor and control data movement out of your Salesforce environment. Specifically, configure policies to detect and alert on anomalous data transfers. For this incident, a relevant policy would be to alert when a user account initiates an export of more than a certain number of customer records (e.g., >1000) within a short time frame. Baselining is key; understand what normal data export activity looks like for your organization and its partners. An alert on a massive export of 13 million records would have provided immediate notification of the breach in progress, allowing for a rapid response to terminate the session and lock the account, potentially before the exfiltration was complete.
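The export-volume and unusual-source-IP alerting described in this paragraph and under Detection & Response, as an added example (not the article's own tooling): it runs over constructed log lines loosely modelled on Salesforce event-log exports. The field names, addresses and the 10-minute window are assumptions; the 1,000-record threshold is the one suggested above.

```python
import csv, io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample, loosely modelled on Salesforce event-log exports.
# Field names are assumptions, not the real EventLogFile schema.
SAMPLE_LOG = """timestamp,event_type,user,client_ip,rows
2025-06-01T09:00:10Z,ReportExport,svc.partner@example.com,203.0.113.10,200
2025-06-01T09:03:00Z,ReportExport,svc.partner@example.com,203.0.113.10,350
2025-06-01T09:05:30Z,BulkApiQuery,svc.partner@example.com,198.51.100.77,900
2025-06-01T09:06:00Z,BulkApiQuery,svc.partner@example.com,198.51.100.77,1500
2025-06-01T10:30:00Z,ReportExport,agent1@example.com,203.0.113.11,40
"""
PARTNER_ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # contracted egress (constructed)
EXPORT_EVENTS = {"ReportExport", "BulkApiQuery"}
ROW_THRESHOLD = 1000            # the article's example: alert above ~1,000 records
WINDOW = timedelta(minutes=10)  # "within a short time frame" (assumed value)


def parse_log(text):
    """Parse the CSV log into dicts with a typed timestamp and row count."""
    out = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["rows"] = int(rec["rows"])
        out.append(rec)
    return out


def detect_bulk_exports(records, threshold=ROW_THRESHOLD, window=WINDOW,
                        allowed_nets=PARTNER_ALLOWED_NETS):
    """Alert on (a) a user's exported rows exceeding `threshold` inside a sliding
    `window` and (b) exports from outside the contracted ranges; each fires once."""
    alerts, recent, fired, seen_ips = [], defaultdict(deque), set(), set()
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["event_type"] not in EXPORT_EVENTS:
            continue
        user, ts, ip = rec["user"], rec["timestamp"], rec["client_ip"]
        if (user, ip) not in seen_ips and not any(ip_address(ip) in n for n in allowed_nets):
            seen_ips.add((user, ip))
            alerts.append(("unexpected_source_ip", user, ip))
        q = recent[user]
        q.append((ts, rec["rows"]))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        total = sum(r for _, r in q)
        if total > threshold and user not in fired:
            fired.add(user)               # one volume alert per user avoids floods
            alerts.append(("bulk_export", user, total))
    return alerts
```

On the sample the partner account trips both rules at 09:05:30, when a query from an uncontracted address pushes its ten-minute total to 1,450 rows.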

Apply the principle of least privilege to all third-party accounts within your SaaS platforms. The technology partner in this scenario should only have had access to the specific data and functions necessary for their customer service role. Review permissions regularly to ensure that partners do not have broad data export capabilities or access to data fields they do not need. For example, if a partner's role is to view and update individual customer records, they should not have the permission to run a report that exports the entire customer database. By tightly scoping permissions, you can contain the potential damage of a partner account compromise, limiting an attacker's access to only a small subset of data rather than the entire dataset.
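One way to review a partner account against the role scoping described above, added here as an example rather than anything from the article: it computes the account's effective permissions (profile plus every assigned permission set, which Salesforce combines additively) and reports whatever exceeds a role baseline. The profile, permission-set and user records are constructed; the permission names mirror Salesforce user-permission names but are assumptions here, not taken from any real org.

```python
# Constructed data for a partner integration user. Permission names follow
# Salesforce user-permission naming (assumed); object access is a CRUD string.
PROFILES = {
    "Partner Service Agent": {
        "user_permissions": {"ApiEnabled"},
        "object_permissions": {"Contact": "RU", "Case": "CRU"},
    },
}
PERMISSION_SETS = {
    "Partner Reporting": {  # the kind of grant that turns one account into a full export
        "user_permissions": {"ExportReport", "ViewAllData"},
        "object_permissions": {"Contact": "R"},
    },
}
USER = {"name": "svc.partner@example.com", "profile": "Partner Service Agent",
        "permission_sets": ["Partner Reporting"]}

# What the customer-service role legitimately needs: view and update individual
# records, never export the whole database (the article's example).
ROLE_BASELINE = {
    "user_permissions": {"ApiEnabled"},
    "object_permissions": {"Contact": "RU", "Case": "CRU"},
}
BROAD_EXPORT_PERMS = {"ExportReport", "ViewAllData", "ModifyAllData"}


def effective_permissions(user, profiles=PROFILES, psets=PERMISSION_SETS):
    """Union of the profile and all assigned permission sets (additive model)."""
    grants = [profiles[user["profile"]]] + [psets[p] for p in user["permission_sets"]]
    user_perms = set().union(*(g["user_permissions"] for g in grants))
    obj_perms = {}
    for g in grants:
        for obj, crud in g["object_permissions"].items():
            obj_perms[obj] = "".join(sorted(set(obj_perms.get(obj, "")) | set(crud)))
    return user_perms, obj_perms


def least_privilege_findings(user, baseline=ROLE_BASELINE):
    """List everything the account can do beyond its role baseline, by severity."""
    user_perms, obj_perms = effective_permissions(user)
    findings = []
    for p in sorted(user_perms - baseline["user_permissions"]):
        sev = "high" if p in BROAD_EXPORT_PERMS else "medium"
        findings.append((sev, f"user permission {p} not required by role"))
    for obj, crud in obj_perms.items():
        extra = set(crud) - set(baseline["object_permissions"].get(obj, ""))
        if extra:
            findings.append(("medium", f"{obj}: excess access {''.join(sorted(extra))}"))
    return findings
```

Run periodically against exported permission data, a non-empty result is the review finding that a partner account has drifted beyond what its customer-service role needs.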


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Data Breach, Vietnam Airlines, Qantas, Salesforce, Scattered LAPSUS$ Hunters, Third-Party Risk, Supply Chain, PII
