A self-identified hacking “collective” made several attempts to open communications with Qantas before the airline responded.
Court documents obtained by Cyber Daily from the Supreme Court of NSW have shed new light on the timeline of events and on the hackers’ initial attempts to contact Qantas.
The documents reveal that as Australia’s national carrier was engaging in its first steps to shape the narrative around a cyber attack that was about to impact millions of Australians, the hackers behind the attack were readying their own next moves.
Qantas first confirmed that one of its offshore offices hosting customer data in a third-party platform had been compromised on 2 July and that the initial incident of unauthorised access had occurred the day before, on Monday, 1 July.
On 4 July, at just after 6am, Qantas published another update on the incident, outlining its ongoing response and investigation, and noting that, at that time, “Qantas has not been contacted by anyone claiming to have the data, and we’re continuing to work with the government authorities to investigate the incident.”
First contact
However, later on that same day, the hackers sent Qantas several emails outlining the scope of the data impacted. The emails were provided by Qantas to the Supreme Court as part of its efforts to obtain an injunction against the publication or sharing of the stolen data.
Qantas received at least three emails on 4 July, all with the same subject line: “[CRITICAL - REPLY] Qantas Airways Limited Databreach/Cyberattack”. As provided to Cyber Daily, the emails are heavily redacted, but it appears the hackers identified themselves to Qantas.
“Hello, we are [REDACTED],” the email said.
“We’re contacting you to inform you that we’re the collective that’s behind the Qantas Airways Limited (qantas.com) databreach, one of the biggest in Australia’s history, close in the rankings of the Optus, Medibank, and Latitude hacks.”
The next sentence is entirely redacted, and following that, the hackers reveal the total count of compromised records (also redacted), and details of what they possess, namely full names and email addresses, phone numbers and dates of birth, and Frequent Flyer numbers. The hackers also warned they had “much more” than that, before saying: “We will provide large samples of the data below.”
What follows is almost nine pages of what appear to be lines of data, likely each corresponding to a single customer’s data, in much the same way hackers share sample data on hacking forums. This list is also redacted, and at the end of the email, the hackers provide a Tox address for initial contact.
The other emails are largely similar in content, though with the headers redacted, it’s impossible to know if they’re from the same individual and sent to the same Qantas representative, or from different members of the so-called collective and sent to several contact points at the airline. All the emails include a 72-hour deadline to make contact.
What appears to be either a fourth email or a separate attachment is entirely redacted, but it does appear to contain both lines of text and, possibly, images, all obscured.
Qantas did not initially return the hackers’ emails, and on 7 July, the threat actor sent a follow-up.
Second attempt
Again, this email is heavily redacted, but it appears to be lengthier and may outline the consequences if Qantas does not enter into negotiations with the hackers.
“This is our second attempt at reaching out to resolve this matter,” the email said. The next four or so lines are redacted, but the email continues after that.
“At this time, no information has been disclosed or distributed,” the hackers said.
“If you are not the appropriate contact for this matter, please forward this message to someone with the authority to address confidential risk-related issues.”
What follows are more lines of redacted customer data, and the hackers give Qantas another 72-hour deadline to respond. The nature of the requested response, however, is also redacted.
Reaching out
At this point, Qantas finally contacted the hackers, and while Qantas provided this correspondence to the court, the version provided to Cyber Daily is, understandably, almost completely redacted. All that’s readable is the subject line of the Qantas email reply, “Reaching out”.
In the exchange of emails that followed, a Qantas spokesperson sent a total of six emails after the first one, of varying lengths, while the airline received 11 in response, the last three of which appear to have gone unanswered by the airline.
In a description of the documents provided to the court, dated 16 July, Qantas said it had provided a “complete log of the email exchange between Qantas and the defendant between 4 and 15 July 2025”.
Qantas had revealed on the evening of 7 July that it had been in contact with “a potential cyber criminal” but that as the incident was an ongoing criminal matter, it “won’t be commenting any further on the detail of the contact”.
Qantas’ latest update, posted to its online News Room, said that investigations remained ongoing and that it was “progressively emailing affected customers”.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police,” Qantas CEO Vanessa Hudson said in the 9 July update.
“I would like to thank the various agencies and the federal government for their continued support.”
Cyber Daily has reached out to Qantas for comment.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.