NewsBite

Six million Qantas customers hit in cyber attack on database storing personal information

The ‘financially motivated threat group’ Scattered Spider could be behind a massive breach of Qantas customer data, according to cyber analysts. CEO Vanessa Hudson apologised for the incident and said customers can trust Qantas.

Qantas says a “vishing” attack on a Manila call centre operator is behind the biggest Australian cyber security breach since Medibank, putting the personal details of six million airline customers at risk.

Vishing, or voice-phishing, involves a hacker posing as a company employee by phone to gain access to confidential information and is one of the hallmarks of the criminal cyber group Scattered Spider.

The practice is considered relatively unsophisticated but the hacker was granted access to a customer database storing the names, dates of birth, phone numbers, emails and Frequent Flyer account numbers of millions of Qantas customers. The hacker did not obtain credit card, passport or password information.

The company said it understood the incident was concerning and it was in the process of contacting affected former and current passengers as chief executive Vanessa Hudson offered her “sincere apologies” for the uncertainty created.

Unusual activity was detected on a third-party platform used by an offshore Qantas contact centre on Monday and that system was quickly isolated, the company said in a statement.

“We can confirm all Qantas systems remain secure,” Qantas said.

“There are six million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.”

Hacker group Scattered Spider was not identified by Qantas but it has been described as a “financially motivated threat group” thought to be behind cyber security breaches at Hawaiian Airlines and WestJet. Medibank was attacked by a Russian, Aleksandr Ermakov.

The FBI’s top cyber official Bryan Vorndran has branded the group an “enormous problem” and warned of attacks on the aviation sector last month. Indeed, Scattered Spider has a history of targeted campaigns, said director of security services at Arctic Wolf, Mark Thomas. It went after retailers in May including Cartier, North Face, Harrods and Victoria’s Secret.

“A known technique of Scattered Spider is posing as IT staff to gain employee passwords or multi-factor authentication codes,” said Mr Thomas.

“It is plausible they are executing a similar playbook, employing sophisticated social engineering techniques to gain initial access into victims’ networks.”

Qantas confirmed the attack had been traced back to a call centre operator in Manila.

“Our customers trust us with their personal information, and we take that responsibility seriously,” Ms Hudson said.

“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”

Qantas CEO Vanessa Hudson has apologised to customers for a cyber attack on a major database. Picture: Luis Enrique Ascui/NewsWire

Australian Federal Police and Home Affairs are also involved.

Shortly after her promotion to CEO, Ms Hudson promised to review the offshore call centres that handle inquiries at all hours of the day and night but to date, no teams have been returned onshore.

Qantas also has call centres in Auckland, Cape Town, Suva and Hobart.

Opposition cyber security spokeswoman Melissa Price described the Qantas hack as “concerning” and a “stark reminder” about cyber security for “all Australian businesses”.

“We expect them to continue to work closely with relevant authorities,” Ms Price said.

“It is important too that government agencies including the Australian Cyber Security Centre support Qantas throughout this incident,” she said.

“With up to six million customers potentially impacted this is a nationally significant cyber incident and Qantas needs to maintain open and honest communications.”

It was fortunate that Qantas had segmented its database, so more sensitive information wasn’t accessed, said executive director of the Cyber Security Hub at Macquarie University, Dali Kaafar. But even without financial information, the sort of data accessed should be of concern to those caught up in the attack.

“This is data that allows malicious actors to build more complete profiles of individuals, and that makes potentially six million customers susceptible to other forms of cyber crime further down the line. I think that’s the main worry here.”

More “rigorous vendor risk management” was needed to strengthen cyber security within the supply chain, he added.

Brett Winterford, vice-president of Okta Threat Intelligence, said the attackers were likely to be young, globally distributed, and from western countries.

“Their targeting is opportunistic; if they enjoy success against a target in any given industry they’ll rinse and repeat against similar organisations,” he said. “We’ve observed this in attacks on the gaming sector, on the UK retail sector, on insurance and now in aviation.”

Qantas provided a dedicated support line (1800 971 541) for specialist identity protection advice.

The airline clarified early in the incident that no Frequent Flyer points were stolen.

Adele Eliseo of The Champagne Mile suggested members change their PIN, ensure two-factor verification was activated, and use their most secure email address and mobile phone number.

“For me a frequent flyer number being taken is akin to a credit-card number being taken without the CCV and expiry date,” Ms Eliseo said.

“If you’ve got frequent flyer numbers with all that other rich contact information, there’s certainly risk there.”

It’s a major blow for Qantas, which had been preparing to welcome its first A321XLR into Sydney on Wednesday.

Although the aircraft landed safely after a two-stage trip from Hamburg via Bangkok, a hangar event was cancelled due to the bad weather affecting Sydney.

The 200-seat single-aisle aircraft is the first of its kind for an airline in the southern hemisphere. Currently, only three other airlines operate the extra long-range aircraft: Aer Lingus, Iberia Air and Wizz.

Shares in Qantas closed 2.2 per cent lower at $10.52.

Originally published as Six million Qantas customers hit in cyber attack on database storing personal information


Original URL: https://www.adelaidenow.com.au/business/six-million-qantas-customers-caught-in-cyber-attack-on-database-storing-personal-information/news-story/b34b88d4580a26219cdb59018dbacddd