Qantas and 39 other companies face ransom deadline from Trinity of Chaos cybercrime group.

Qantas and 39 other companies are facing a ransom deadline from cybercrime supergroup Trinity of Chaos, who threaten to release customer information on the dark web. The hackers gained access to data through Salesforce software, including names, email addresses, phone numbers, and frequent flyer numbers. Qantas has refused to pay the ransom, and the cyberthieves' negotiating position appears weak.

September 12, 2025 - Qantas and 39 other companies are facing a ransom deadline from the cybercrime supergroup Trinity of Chaos, who threaten to release customer information on the dark web. The hackers gained access to data through Salesforce software, including names, email addresses, phone numbers, and frequent flyer numbers.

Trinity of Chaos, a ransomware collective presumably associated with Lapsus$, Scattered Spider, and ShinyHunters, launched a Data Leak Site (DLS) on the TOR network containing 39 companies, including Qantas Airlines ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims^[3]. The group aims to continue its activities and has shifted toward a traditional ransomware modus operandi. The listing on the DLS includes references to the most recent victims, including Qantas, which has refused to pay the ransom ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims^[3].

The hackers exploited vulnerabilities in Salesforce software, particularly the Drift AI chat integration, to gain unauthorized access to customer data. This breach follows a similar attack on the British luxury carmaker Jaguar Land Rover, which severely disrupted its retail and production activities ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims^[3].

Qantas has stated that it will not engage with the hackers' demands, and the cyberthieves' negotiating position appears weak. The airline has been in contact with affected customers to provide support and has urged them to update their access tokens to prevent further breaches ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims^[3].

Salesforce has informed its users that it will not pay a ransom if hackers threaten to publish stolen user data. The company emphasized that it would neither negotiate nor comply with any form of extortion Salesforce refuses to pay ransom to hackers following data breach incident.^[1]. SalesLoft, the third-party provider whose Drift application was compromised, has not yet publicly responded to the incident Salesforce refuses to pay ransom to hackers following data breach incident.^[1].

The increasing frequency and severity of ransomware attacks have been a growing concern for businesses and governments alike. In recent months, high-profile incidents have caused significant disruptions, including the suspension of production and shipments at Asahi Group Holdings Ltd. and the temporary shutdown of Jaguar Land Rover Automotive Plc.'s production lines Disruptive Ransomware Attacks Plague 'Big Game' Targets^[2].

The cybersecurity firm Arctic Wolf Networks Inc. reports that manufacturers account for the largest share of ransomware victims, making up 18.6% of cases last year, with the health care sector following at 13.1% Disruptive Ransomware Attacks Plague 'Big Game' Targets^[2]. The trend of ransomware actors becoming more selective and targeting organizations they know have the most to lose has been noted by cybersecurity experts Disruptive Ransomware Attacks Plague 'Big Game' Targets^[2].