The Australian airline Qantas fell victim to a cyber incident involving data leakage. It's unfortunate when lawyers take up the case and a judge issues an injunction. Troy Hunt, who runs the website Have I Been Pwned (HIBP), is unable to add names and other data from the incident to his database because of that injunction.
The Qantas hack in June 2025
On June 30, 2025, Australian airline Qantas detected "unusual activity" on a platform used by its contact center to store the data of nearly six million people. Qantas then contacted its customers after it became clear that a cyberattack had been launched on a third-party customer service platform. The data affected by the cyberattack included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers, as reported by the BBC, for example.
Lawsuit against data publication
ShinyHunters have a purely financial interest in the story: they want to extort ransom money from the hacked Salesforce customers and are threatening to publish data. In the case of Qantas, this would be customer data. On October 8, 2025, ABC Australia reported on a new step in its article "Qantas says 'legal protections in place' as cyber hacking group threatens to release personal data".
The deadline set by the cybercriminals of the Scattered Lapsus$ Hunters group for Qantas to pay the ransom is due to expire in the next few days. According to reports, the group is threatening to publish stolen data from dozens of global companies, including Qantas, if this deadline is not met. Qantas, for its part, had already obtained a court order in July 2025 as a preventive measure to stop the publication of customer data.
Troy Hunt and HIBP caught in the middle
Troy Hunt runs the website Have I Been Pwned (HIBP), where he posts email addresses and passwords that he learns about from hacks. This allows users to check whether they may have been affected by a cyber incident involving their data. Now Troy Hunt is caught between two stools: on the one hand, he wants to make the data from hacks available, but on the other hand, he is not allowed to do so for Qantas. He has probably also been affected himself, with his own data.
Yesterday, I came across the above Bluesky post, which draws attention to the problem. Cynthia Brumfield writes, "A really interesting article about the impact of court injunctions against the publication of data stolen by criminal groups." She refers to Troy Hunt's post "Court Injunctions are the Thoughts and Prayers of Data Breach Response".
The conclusion for HIBP is that Troy Hunt cannot include the data from the Qantas incident in his system because it is subject to the court injunction. However, this is to the detriment of victims and organizations who want to know whether they have been affected by this or any other incident.
In his article, Troy Hunt writes: "From HIBP's perspective, we obviously cannot upload this data to the database. It is very likely that hundreds of thousands of our subscribers will be affected, and we will not be able to inform them (which is one of the reasons I wrote this post—so that I can refer them here if they have any questions)."
Qantas apparently sent disclosure notices to the affected individuals informing them that they had been affected by a data breach. Hunt argues, however, that it is one thing to learn about a security incident, whereas a hit on Have I Been Pwned has a different meaning (someone is actively searching to see whether they have been affected). Furthermore, Qantas will not notify the owners of the domains where their customers' email addresses are located. Many affected individuals use their business email address for their Qantas account.
When combined with the other disclosed data attributes, this creates an organizational risk. Companies want to know when company resources (including email addresses) are exposed in a data breach. Normally, it would be easy to clarify this by querying Have I Been Pwned. Unfortunately, this will not work because the lawyers have done their "well-intentioned" work and prohibited any publication by court order – at least as far as I understand. Well-intentioned is still a long way from well done.