Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Already and this is this is the Daily this
is the Daily Aus. Oh now it makes sense.
Speaker 2 (00:14):
Good morning, and welcome to the Daily Aus. It's Tuesday,
the fourteenth of October. I'm Elliott Lorie.
Speaker 1 (00:19):
I'm Billy FitzSimons.
Speaker 2 (00:20):
Names, phone numbers, and email addresses were just some
of the personal data points compromised during a hacking scandal
that first hit Qantas back in July. Fast forward to
this week and things have escalated, with the hackers behind
the attack leaking that data on the dark web. On
today's podcast, we're breaking down exactly what happened, how the
hackers got in, who was behind the attack, and what
(00:42):
Qantas customers can do to protect themselves.
Speaker 1 (00:48):
Elliott, there were so many headlines about Qantas and this
data leak over the weekend. Where did this story all begin?
Because I remember this coming up a few months ago now.
Speaker 2 (00:58):
Yeah, this story's been kicking around for quite a
while now. It actually first came up in July. That
was when we first heard from Qantas that they had
detected a breach at one of their third party call
centers and they were working to contain that breach. As
part of the statement that they first put out, they
revealed that the data of up to six million Qantas
customers had been compromised. That's a lot. It's a very
(01:20):
big number. Now, when I say compromised, we're talking about
things like names, email addresses, phone numbers, birth dates, and
frequent flyer numbers. Importantly, Qantas said that things like passports,
credit card details, account passwords and PINs, you know that
really sensitive information that was not part of the breach.
And Qantas responded by obtaining a permanent injunction from the
(01:41):
Supreme Court of New South Wales to prevent use or
further publication of the stolen data. So this basically made
it illegal to spread any of the information publicly, but
it doesn't erase the fact that the data is already
out there.
Speaker 1 (01:54):
When I was reading about this over the weekend, one
of the things that I was really interested to learn
is actually how hackers got this information, because it wasn't
just through them going into the computer systems. What can
you tell us about that?
Speaker 2 (02:06):
Yeah, a little peek behind the TDA curtain is that
when we put stories in the morning, it's often hard
to get Billy up and excited about what we're talking about.
That's not true this morning. You were especially excited about
this story.
Speaker 1 (02:18):
I was because of how they got this information. I
find it so interesting.
Speaker 2 (02:22):
It is interesting, I'll give you that. So basically it
wasn't a direct breach of Qantas's systems, but rather they
got the information from a platform called Salesforce. So I'm
sure quite a few of our listeners would be familiar
with Salesforce, at least they would have heard the name. Maybe.
It's basically a really popular tool that's used by a
lot of companies around the world to help with managing
(02:43):
customer relationships. That's kind of the primary function, but it
also can be used for marketing and sales and a
bunch of other things that help the business go around. Now,
at least forty major companies from around the world who
used Salesforce were caught up in this attack, So we're
talking about some pretty big names here. Think of Toyota, Disney, McDonald's, Aquia,
and of course Qantas. Yes, so basically Salesforce holds all
(03:07):
of these companies' customer data, and in the case of Qantas,
it's understood the hackers retrieved the information from a call
center in the Philippines.
Speaker 1 (03:15):
And that's what's so interesting. That they called this call
center and kind of convinced them to hand over the
data by posing as an employee.
Speaker 2 (03:25):
Yeah, that's exactly what happened. So they pretended to be
a Qantas employee. In this instance, they actually used AI
to modify their voice and make themselves more recognizable to
the person on the other end of the line, and
they were able to convince someone in that call center
to grant them access to the database. Now, this is
becoming an increasingly popular method for hackers if you think
(03:45):
about it. You know, most companies these days, they're really
bolstering up their cybersecurity efforts, so it's harder and harder
to attack in the traditional ways. So they're actually using
humans as kind of the weak points in companies to
make their way in.
Speaker 1 (03:59):
So basically, the tech is becoming so airtight that
the way they obviously humans make errors and so that's
how they're seeing as their way in.
Speaker 2 (04:09):
Yeah, and in this case, that is how they launched
this attack. So essentially, they were able to speak to
someone who had the right access for Salesforce, and they
were able to convince them to install a fake integration
with Salesforce that basically was a key for the hackers
to access the data that was stored on Salesforce at the time.
Speaker 1 (04:25):
Got it. And so that was back in July,
tell us why we're talking about it today.
Speaker 2 (04:31):
So last week we were actually made aware of a
post on the hackers' website that contained a sample of
the data that they'd stolen from those forty companies around the world.
Speaker 1 (04:38):
Kind of like a teaser.
Speaker 2 (04:40):
A teaser exactly, a very dark cyber teaser. As part of
that post, the hackers told Salesforce that they would have
to pay a ransom on behalf of the companies or
risk having the rest of the data leaked on the internet.
Needless to say, they didn't cough up the money, and
a Salesforce spokesperson told TDA that they quote will not engage,
negotiate with, or pay any extortion demand. And on Saturday,
(05:03):
the data from Qantas at least was leaked. On that
same day, the hackers posted saying quote don't be the
next headline, should have paid the ransom.
Speaker 1 (05:11):
Wow, interesting statement from them. I always find it interesting
whenever we have these conversations about cyber leaks and ransoms
that the general principle is for these companies to never
pay ransoms. What is the kind of logic behind that.
Speaker 2 (05:28):
Yeah, I think it is an interesting one because you'd
sort of see all these headlines and think, why didn't
they just pay? It would be so much easier. But
paying ransoms is generally discouraged by cybersecurity experts, and that's
because while it might make a problem in the moment
go away, so maybe this startup wouldn't have got leaked,
at the end of the day, you're still paying cyber criminals,
so you're effectively financing the next hack. You're paying for
(05:52):
them to have more resources and more capabilities, And on
top of that, it also puts your company in a
vulnerable position because the hackers now know that you're
willing to pay up.
Speaker 1 (06:01):
It's about the precedent that it sets as well.
Speaker 2 (06:03):
Yeah, exactly. Now, there's also no guarantee that they won't
leak the data anyway or use it for other purposes,
because at the end of the day, we are talking
about negotiating with criminals here, so they're not kind of
bound under laws of a traditional agreement where you'd be
paying money for someone to stop doing something. Now, there
are some small situations where a company might choose to
(06:25):
pay ransom, and that's often when hackers have extremely sensitive
information and you know, they're willing to do basically whatever
to make sure that the threat is contained.
Speaker 1 (06:34):
And what do we know about the hackers in this case?
Speaker 2 (06:37):
This is actually really interesting. I think we should do
a whole nother podcast on this, okay, But the sort
of short version of it is that the hackers in
this scenario go by the name of Scattered Lapsus Hunters,
which I won't say again, so we're going to call
them SLSH. Okay. Moving forward, now, you can kind of
think of them as like a supergroup that's made up
of some of the world's most notorious cyber criminals. It's
(06:59):
understood that the members of SLSH are mainly young native
English speakers from the US and the UK, some in
Australia as well, and there's been reports that some of
them are as young as sixteen years old, so being
sort of brought into this world very young. Now. The
people on this team have been responsible for some pretty
high profile cyber crime incidents, including a ransomware attack on
(07:21):
MGM Resorts that you might remember that was back in
twenty twenty three, and that attack cost the company one
hundred million US dollars just to get the computer systems
back online.
Speaker 1 (07:32):
Wow.
Speaker 2 (07:33):
Now, one thing that we've kind of brushed over in
this conversation is that even though we are focusing on Qantas,
this is affecting, you know, at least forty global companies.
Qantas was just the biggest Australian one, which is why
we're talking about it today. It affects the people listening
to this podcast. But it was a global response to
this leak. So notably the FBI in the US, they
(07:53):
were the ones who on the weekend stepped in and
actually seized the domain that the data was published on,
and they shut down the hackers' website. SLSH
then took to the social media platform Telegram to say,
seizing a domain does not really affect our operations. FBI
try harder, and they popped a little winky face on
them as well, so, you know, needless to say, they
(08:14):
are very, very confident. And then in another post they
also threatened Australia specifically, with one member writing Australia, I
really hope, for the love of God, you've learned your
lesson this time.
Speaker 1 (08:25):
Well, they certainly have a certain tone to their statements.
Yes. Before we go, for anyone listening to this who
has received an email from Qantas saying that their data
was part of this breach, for anyone who was affected,
what do they what should they do now?
Speaker 2 (08:43):
Yeah, so, I mean the number one piece of advice is
to just stay on high alert. Qantas has offered a
specialist identity protection service in the meantime, so affected customers
can call their twenty four to seven helpline on one
eight hundred and nine seven five four one. But on
top of that, you probably shouldn't be taking any calls
from Qantas because it's very likely that that call could
(09:03):
be coming from the hackers themselves. And because they have
your details now, it's far easier for them to impersonate
someone who works with Qantas or who knows you well,
because they have those details and they can kind of
put together a bit of a profile on you. While
the hackers might not have access to financial details in
this breach, they could be using that information to, you know,
(09:23):
take out credit cards in your name or do other
forms of identity thefts. So just keep a monitor on
your accounts and make sure that anything that comes through
that looks suspicious you're following that up.
Speaker 1 (09:33):
And lastly, anything from the Australian government on kind of
what their involvement in this is.
Speaker 2 (09:39):
Yeah, so they've been pretty stern with Qantas over the
whole incident. The Cyber Security Minister Tony Burke has hinted
at the possibility of a major fine for Qantas. He
told the ABC yesterday quote, you can't simply outsource to
other companies and think suddenly you've got no obligations on cybersecurity.
Apart from that, it's another one of those situations where
we'll just have to wait and see.
Speaker 1 (10:00):
One thing that I have found so interesting is yesterday's
podcast on the person who allegedly started the fires in
LA earlier this year and then now this they've both
had alleged criminals really using AI to further their crimes
and the extent of their crimes, and it's just a
real interesting space to also kind of keep your eye on,
(10:23):
is how all of these alleged criminals are using AI
to further perpetrate their crimes.
Speaker 2 (10:30):
Yeah. I think, unfortunately, we might be doing a couple
more podcasts on this over the next few years.
Speaker 1 (10:34):
Yes, thank you so much Elliott for explaining that to
us and thank you so much for listening to this
episode of The Daily Aus. We'll be back this afternoon
with your evening headlines, but until then, have a great day.
Speaker 2 (10:49):
My name is Lily Madden and I'm a proud Arrernte
Bundjalung Kalkadoon woman from Gadigal Country.
Speaker 1 (10:55):
The Daily Aus acknowledges that this podcast is recorded on
the lands of the Gadigal people and pays respect to
all Aboriginal and Torres Strait Island nations.
Speaker 2 (11:04):
We pay our respects to the first peoples of these countries,
both past and present.