Qantas confirmed customer names, email addresses, phone numbers, dates of birth and frequent flyer numbers were compromised.
“There is no evidence that any personal data stolen from Qantas has been released, but with the support of specialist cybersecurity experts, we continue to actively monitor,” the airline said today.
The airline has apologised and said the affected system was contained.
It said unusual activity was detected on a third-party platform used by a Qantas airline contact centre.
“We continue to work with specialist cybersecurity experts, including to forensically analyse the impacted system.”
Qantas said no credit card details, personal financial information or passport details were stored in the affected system.
“There is no impact to Qantas Frequent Flyer accounts,” the airline added.
It said there was no impact to Qantas’ operations or safety.
“If you have upcoming travel, there is nothing you need to do.”
The airline said it was still investigating exactly how much data was stolen.
Qantas said customers could contact a dedicated support line on +61 2 8028 0534 day or night.
“All customers have access to specialist identity protection advice and resources through this team.”
The cyber attack has raised concerns about New Zealand’s privacy rules.
“The problem with attacks of this nature is consumers have no agency or ability to protect themselves,” Consumer NZ chief executive Jon Duffy told the Herald.
He said New Zealand had a convoluted and archaic privacy complaint system.
Patrick Sharp, Aura Information Security general manager, said the stolen information would probably be sold multiple times in different chunks.
The cyberattack followed an FBI warning about the Scattered Spider group targeting airlines.
John Weekes is a business journalist mostly covering aviation and courts. He previously covered consumer affairs, crime, politics and courts.