Scattered Spider Targets Vietnam Airlines CRM, Breach Exposes Millions of Government Records

Written by:
Lore Apostol
Cybersecurity Writer

The threat actor group known as Scattered Spider is linked to a significant Vietnam Airlines data breach, which resulted from the compromise of the airline's Salesforce Customer Relationship Management (CRM) system. The exfiltrated data allegedly amounts to approximately 63 GB.

Scale and Scope of Government Data Exposure

Reports say the Vietnam Airlines data breach was not caused by a vulnerability within the Salesforce platform itself, but rather by a successful social engineering attack that compromised access credentials. 

The breach reportedly leaked 23,129,780 records containing a vast amount of personally identifiable information (PII). The data was confirmed to be actively in use at the time of the incident, with records modified as recently as June 2025.

A sample analysis of the leaked data revealed more than 31,000 unique email addresses, with nearly 95% of them paired with corresponding phone numbers. Exposed fields include:

This method highlights the persistent threat of human-targeted attacks as a way into secure corporate environments, an approach familiar to threat actors such as Scattered Spider.

Widespread International and Diplomatic Exposure

This incident has significant international implications due to the extensive government data exposure. Over 23,000 contacts belong to Vietnamese government officials (gov.vn) across top-level ministries, including Trade, Finance, and Justice. 

Furthermore, the leak contains thousands of records linked to foreign diplomatic and defense personnel, creating a substantial risk for follow-on intelligence gathering and targeted cyberattacks.

This includes:

Recently, reports said the major 2025 Qantas data breach resulted in the exposure of sensitive information belonging to tens of thousands of government officials across Australia and its key international allies due to a compromise of a third-party Salesforce environment.

The Salesforce-related breaches were attributed to Scattered Spider (UNC3944) and ShinyHunters (UNC6040), impacting Google, Cisco, Air France-KLM Group, and more.

