Around 900,000 phone numbers were compromised and the gender details of 400,000 people were stolen.
“The real risk is that someone’s going to be able to patch this sort of information together to use it to fool another organisation into giving them details,” said Patrick Sharp, Aura Information Security general manager.
A person in possession of stolen data might approach a victim’s bank or try to acquire loans from a finance company, Sharp added.
But he said people could take some steps to protect themselves.
Victims of fraud or potential fraud could ask credit agencies such as Illion, Equifax and Centrix to freeze or suppress their credit reports.
Centrix’s website said a freeze meant the agency would not, except in limited circumstances, share a person’s credit report with credit providers or update or add information to a credit file.
Sharp said some of the stolen Qantas information might be used by scammers or telemarketers to attempt contact with data breach victims.
His advice to the public was to hang up and not engage.
“They shouldn’t give any more information to that person or try to interact with that person.”
He said some scammers in possession of stolen data might impersonate bankers, contact potential victims and ask for bank details or claim there was a problem needing urgent attention.
Sharp said people should never share bank login details in such circumstances.
“You should just go independently to your bank’s website through the app and log in separately there.”
Sharp said key issues the Qantas breach raised were the volume of information companies held, and for how long.
He said in New Zealand, the Privacy Act already had principles indicating companies should not collect more information than needed and not retain it for longer than necessary.
“We don’t know in this case, but in previous breaches in Australia, for instance Medibank, these companies have retained information for much longer than they needed to, therefore exposing more people.
“In terms of what needs to change, the only way to really get businesses to be really diligent about that is through stronger regulation.”
Last year, a Talbot Mills poll found 60% of respondents regarded the maximum fine of $10,000 for cyber breaches as insufficient.
It was not known how many people affected in last week’s cyber attack were New Zealanders, but it’s understood most were Australian.
Qantas chief executive Vanessa Hudson said the airline was contacting customers to provide specific details of stolen data.
The hack happened after a call centre was compromised and hackers infiltrated a system.
The airline today said it had progressed its forensic analysis of customer data in the compromised system.
It said there was no evidence personal data stolen from Qantas had been released but specialist cyber security experts were monitoring the situation.
Two days ago the airline said a potential cyber criminal made contact, but it did not elaborate on the identity or nature of that contact.
Hawaiian Airlines and Canada’s WestJet were targeted in cyber attacks last month.
Sharp has told the Herald the Qantas attack had hallmarks of the Scattered Spider hacker group.
Impersonators
Two days before Qantas was attacked, the FBI warned about Scattered Spider expanding targets to include the airline sector.
“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.”
US news website Axios said Scattered Spider was causing chaos for corporate America.
“The group’s tactics, including help desk impersonation and SIM swapping, continue to wreak havoc across critical industries.”
Axios added: “Far from a sophisticated attack, cyber experts said one of the hackers likely impersonated an IT or other official, and simply tricked a Qantas call centre worker in Manila to obtain the login details to that third-party platform.”
John Weekes is a business journalist mostly covering aviation and courts. He previously covered consumer affairs, crime, politics and courts.