An initial review found the data included some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Qantas says credit card details, personal financial information and passport details were not held in this system.
Yesterday the airline said it was aware of reports of scammers impersonating Qantas.
“We recommend customers remain alert for unusual communications claiming to be from Qantas or requesting personal information or passwords.”
The airline has apologised to customers for the breach. It has received more than 5000 inquiries through a special customer support line established after the cyber attack.
Cyber security experts say the stolen data will likely be used for scams and telemarketing.
It’s a reminder for those affected to update their passwords and be extra vigilant with anyone who contacts them purporting to be from Qantas.
With requirements for passwords for so many areas of our lives it’s tempting to use the same one for everything.
But that’s a high risk when scammers are getting savvier all the time.
Unique passwords are essential, especially when it comes to protecting banking and financial information.
Some Kiwis are losing out big time to cyber crime.
Last month New Zealand’s National Cyber Security Centre (NCSC) revealed $7.8 million in financial losses were reported to the government agency in the first quarter of this year.
Ten Kiwis lost more than $100,000 each in cyber incidents.
Financial losses rose 14.7% compared with the previous quarter ($6.8m).
Tom Roberts, NCSC’s response and investigations team lead, said it was the second-highest quarterly total loss figure the agency has ever recorded.
It’s likely to be only a small proportion of actual losses as only a fraction are reported to the Government agency.
Roberts said many of the losses were from scams and frauds - particularly through business email compromises where an attacker targets the email system of a business.
Companies need to get much better at protecting customer data or not collecting it if they don’t need it in the first place.
Consumer New Zealand chief executive Jon Duffy says the problem with attacks on businesses is that consumers have no agency or ability to protect themselves.
“We are entirely reliant on the companies collecting and holding our data to have robust systems in place.”
Under New Zealand’s Privacy Act entities should only collect information that is needed.
“If you’re asked for your name, address and date of birth ... you should have a need for each of those data points, and the user should consent to providing that information on the basis that you’ve explained why you need it,” Duffy says.
“And as soon as you stop needing it, you should delete that information.”
The problem is policing that.
It relies on the public complaining to the Privacy Commissioner and the commissioner then referring it to the Human Rights Review Tribunal for a case to be taken.
Duffy says a penalty regime like Australia’s would allow the Privacy Commissioner to take a more proactive approach and hold businesses who breach the law to account.
Businesses should face financial penalties if they have lax protections in place for consumer data.
The fight against scammers and fraud needs to be multi-pronged.
Business, Government and individuals all need to play their part to prevent breaches.
Scammers are highly incentivised to keep innovating to gain access to people’s data and finances.
Kiwis need to be just as motivated to protect themselves or face the potential to have their data stolen and have the information used against them to extract money.
Sign up to the Daily H, a free newsletter curated by our editors and delivered straight to your inbox every weekday.
