The cyber attack follows an FBI warning about the so-called Scattered Spider cyber attacks targeting airlines.
The Herald approached Qantas about those cyber attacks on Monday.
Air New Zealand on Monday said it had not been impacted by the cyber attacks detected overseas.
But Qantas this morning said it was contacting customers to make them aware of the incident, apologise and provide details on the support available.
Qantas today said there was “no impact” to its operations or safety.
“There are six million customers that have service records in this platform,” the airline said.
“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.
“An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”
Qantas said credit card details, personal financial information and passport details were not held in this system.
“No frequent flyer accounts were compromised nor have passwords, PIN numbers or log-in details been accessed,” the airline added.
It was not immediately clear if the attacks on Qantas were linked to the Scattered Spider attacks.
“The threat from Scattered Spider is ongoing and rapidly evolving,” the FBI said in a statement to Newsweek.
Patrick Sharp, Aura Information Security general manager, said the Qantas attack had many similarities with Scattered Spider attacks.
“It’s using methodology common for Scattered Spider, which is to attack call centres, using software engineering to try and bypass multi-factor authentication.
“And the second is that Scattered Spider tends to target industries and they seem to have targeted a number of North American airlines recently,” he told the Herald.
Sharp said Scattered Spider was a group of perhaps 1000 people believed to be native English-speakers probably scattered across the United States and the United Kingdom.
Financial gain, usually through the sale of data, was likely the group’s motive, Sharp said.
“In other cases they will encrypt all machines and then attempt to extort money out of the company they’ve done that to, or they will steal data and then either try to sell it back to the victim company or try and sell to the dark web or both.”
He said companies should have instant response plans prepared for any cyber attack.
Companies should also not hold personal data any longer than needed, Sharp said.
“In this case, six million people’s names seems like an awful lot of information to have actually had in that system.
“And when you look at the previous breaches of Latitude Finance and Medibank, they retained information a lot longer than they should have. And as a result, the breaches are much more serious than they should be.”
A March 2023 data breach compromised customers of Latitude Financial, which included Genoapay and Gem services.
It impacted millions of people across New Zealand and Australia.
The Medibank breach five months earlier put 9.7 million people at risk of exploitation and fraud, according to the Queensland Government.
“It’s very common for companies to retain more information than they need because it’s quite complex to identify which information to delete and to have processes in place to regularly delete it,” Sharp said.
“If this amount of data is being exfiltrated out of your business, having some kind of monitoring so that you can actually prevent it from going is also quite critical.”
Sharp said anybody who faced extortion or blackmail threats should contact police and cyber security agency Cert NZ.
“Unfortunately, the kind of information stolen, you can’t change most of it. For people who are Qantas customers, they should probably be regularly checking their frequent flyer points ... to ensure they’re not being spent on anything.”
Cybersecurity company Norton said cybercriminals could make money from birthdates, full names and addresses and other personally identifiable information.
“They use it to commit identity theft, they sell credit and debit card numbers to other cybercriminals, and bleed bank accounts dry using bank account information.”
Norton urged people to never reuse the same password on multiple websites.
“Even if it’s just two or three sites, it’s still not a good idea.”
Norton said anybody whose personally identifiable information was leaked might want to consider putting a security freeze on their credit report.
“This will prevent other institutions from accessing your report entirely, which will prevent opening any new credit lines or credit extensions under your name.”