In July, DataBreaches reported that Qantas had obtained a preliminary injunction prohibiting the publication of any customer data stolen from it in a cyberattack by “persons unknown.” Those defendants were served with the injunction via email and online means. Although Qantas did not reveal who signed the ransom note, ShinyHunters and Scattered Spider didn’t hesitate to claim responsibility and stated that they would not be deterred by any injunction.
Not only did the threat actors ignore the injunction, but they later published all the court files showing how Qantas applied for the injunction. The files were leaked in their Telegram channel, and although the channel was subsequently banned, the court filings are likely in many hands by now.
Yesterday, Scattered LAPSUS$ Hunters debuted a leak site where they threaten Salesforce that if that Salesforce doesn’t pay them an unpublished amount by October 10, data from 39 targets (customers of Salesforce) will be leaked in their entirety.
One of those 39 targets on the leak site is Qantas Airways.
In the listing on the leak site, the threat actors claim to have 153 GB of Qantas Airways data, consisting of over 5M+ records with personally identifiable information. The summary provides some statistics and a description of the kinds of data types in the leak:
We possess:
– Full Name
– Email Address
– Phone Number
– Residence Addresses
– Date of Birth
– Frequent Flyer Numbers
As with all of the listings on the leak site, sample data is provided. The sample data includes personally identifiable information.
Anticipating the possibility of a leak because Scattered LAPSUS$ Hunters was actively advertising they were opening a leak site, Qantas sought, and obtained, a permanent injunction barring publication of the data. But they also sought protection for their lawyers. Steve Zemek reports:
A court has thrown a non-publication order over the lawyers acting for Qantas out of fear of retribution from hackers who launched a cyber attack which affected nearly six million customers.
Qantas launched legal action in the NSW Supreme Court to stop the compromised data being accessed or released following the cyber attack in June.
The accounts of 5.7 million Qantas customers were compromised in a data breach at one of the airline’s call centres.
The data stolen included the business and residential addresses attached to 1.3 million accounts, the phone numbers of 900,000 customers, and the dates of birth of a further 1.1 million.
In July, Qantas was granted an interim injunction in the NSW Supreme Court in an attempt to stop the data from being accessed or released.
On Thursday, Justice Francois Kunc made the temporary injunction permanent, and also agreed to a six-month non-publication order over the names of the solicitors and counsel acting for Qantas in the matter.
“In relation to the lawyers (a non-publication order) might be … justifiable on the basis that the perpetrators have some temporary ire against the legal advisors,” he said.
Read more at news.com.au.
As Lavan wrote in July:
Firstly, the Qantas injunction prevents the stolen data being accessed, viewed, used, transmitted or published by anyone, including third parties. The affected persons can therefore prevent news organisations and online platforms (for example) from broadcasting the material further.
But that’s not universal and needs to be qualified. As DataBreaches noted at the time, those prohibitions apply to those who would be covered by a court order from the NSW Supreme Court. They do not have jurisdiction over DataBreaches.net.
DataBreaches can read the sample data, which does contain personally identifiable information, inspect the data set if it is ultimately leaked, and report on it.
As a matter of policy, DataBreaches does not publish unredacted personally identifiable information but can, and often does, publish redacted screengrabs of data found in data tranches. If we publish redacted screengrabs, can Australian media outlets even read our reporting or link to it? We do not know, but DataBreaches will continue to report as we have always done, consistent with U.S. law and the protections of the First Amendment (while we still have one).
