Over the past few hours, reports of a Qantas data breach have been spreading rapidly across the internet. The development gaining attention concerns a Supreme Court of New South Wales injunction, which legally prohibits hackers from accessing, viewing, releasing, transmitting, or publishing the stolen data online.
The breach is tied to the compromise of Salesforce servers earlier this year. Hackers reportedly exploited vulnerabilities to gain unauthorized access to client networks, including that of Qantas Airways. This incident, which occurred in May 2025, allegedly exposed sensitive personal information such as names, email addresses, phone numbers, dates of birth, and in some cases, home or business addresses and even meal preferences.
Fortunately, Qantas confirmed that no financial or payment-related data was stored on the affected systems, limiting the potential damage. This has provided some relief to customers concerned about possible financial fraud.
While the injunction issued by the Australian court in New South Walles is legally valid, cybersecurity experts argue that enforcing such an order against anonymous international hackers is practically impossible. There is no established mechanism or jurisdictional reach that allows courts to compel cybercriminals—who often operate from foreign territories—to comply with domestic legal rulings.
The situation underscores a broader challenge in modern cybersecurity: just as cryptocurrencies operate without centralized control, cybercrime networks function beyond the reach of traditional legal systems. Governments and law enforcement agencies face significant hurdles in tracking and prosecuting threat actors, particularly those operating from nations that are uncooperative or beyond Western legal influence, such as Russia and China.
Adding to the complexity, a cybercriminal group calling itself “Scattered Lapsus$ Hunters” has claimed responsibility for the breach. The group alleges it has obtained data belonging to approximately 5.7 million Qantas customers and is reportedly demanding a multi-million-dollar ransom in exchange for halting the release of the stolen information.
As investigations continue, Qantas and cybersecurity authorities are working to assess the full scope of the breach and to safeguard customer data from further exposure. The case serves as yet another reminder of the growing sophistication of cyberattacks and the legal limitations in dealing with digital threats that transcend borders.
Join our LinkedIn group Information Security Community!
