Qantas cyber hack highlights danger of storing huge banks of customer data, says legal expert
A Qantas customer has learned their details were being stored by the airline despite not having made a booking since 2014, sparking questions around customer data retention rules.
The Qantas data hack could lead to changes in the way organisations collect data, as awareness grows of the risks involved in storing large amounts of sensitive customer information for long periods of time.
Maurice Blackburn class action principal lawyer Lizzie O’Shea said at present, there was no restriction on how long customer details could be stored by companies, creating huge banks of data that were attractive to cyber criminals.
An estimated six million Qantas customers had personal details stolen from a database after an “interaction” between the cyber criminal and an offshore call centre late last month.
Qantas is yet to decide whether to compensate those affected, and will not say if it’s received a ransom demand from the culprit.
Following on from other major cyber attacks on Optus and Medibank in recent years, Ms O’Shea said it was not good enough to simply suggest that such incidents happened all the time.
“We’ve seen many Australian businesses engaging in huge data collection on the assumption that one day it might be valuable to their business, and now I think we’re going into a period of re-evaluation where it’s clear that collecting data is not just an upside for a business — it may also create liabilities,” she said.
“We’ve been worrying about this for a very long time and I think now we’re starting to see some understanding in corporate Australia that that might be true.”
Qantas said the database in question contained names, birthdates, phone numbers, frequent flyer numbers and email addresses but the amount of information could differ from person to person.
One customer who did not want to be named was dismayed to learn their details were being stored, despite not having made a booking with Qantas since 2014.
The investigation into the cyber theft is continuing, and Qantas has stressed that no financial details or passport information were stored on the platform, which was provided by cloud-based information technology company Salesforce.
Neither the airline nor the Australian Federal Police have identified which group may be responsible for the hack, which had the hallmarks of Scattered Spider, a group known for its social engineering attacks.
The group was the subject of a Federal Bureau of Investigation warning just days beforehand, advising that “anyone in the airline ecosystem could be at risk”.
Ms O’Shea said under Australian law, companies could hold onto customers’ personal details almost indefinitely.
“If you’re not using it for the purpose that you collected it for, you may have to potentially seek consent for a different kind of use but there’s no obligation to engage in what we might call data minimisation,” said Ms O’Shea.
“By that I mean reducing data when you’re no longer needing it for ongoing purposes, which can lower the impact of a significant data breach.”
She said it was clearly an area in need of attention to help reduce the impact of such cyber attacks.
“In general companies have continued to collect large amounts of personal information and hold it for very long periods; often for people who may have ceased to become customers some time ago,” Ms O’Shea said.
“I can understand why that might be a source of particular frustration for customers but at the moment at least, our policy position does not require (data minimisation).”
On Monday, Qantas revealed the company had been contacted by someone purporting to be the cyber criminal, but would not say if any ransom demand or threat was made.
Satnam Narang, senior research engineer at Tenable, said contact from criminals after a hack was usually in the form of some type of demand.
“When a potential cyber criminal contacts a victim organisation, it almost always means they want something, typically financial in nature, in exchange for not disclosing the data that’s been stolen,” said Mr Narang.
“This is a very sensitive area, as we know that the Cyber Security Act 2024 took effect on May 30 and requires reporting ransom payments.”
He said so far no Qantas customer information had been leaked onto the dark web, which could indicate the airline was negotiating to mitigate the fallout from Australia’s biggest cyber attack since the strike on Medibank in late 2022.
During the Medibank hack, the health insurer refused to pay a $15m ransom. That led to a cache of sensitive customer information, including records of customers treated for drug and alcohol addiction or who had abortions, being published on the dark web, which is also a marketplace where criminals exchange information to commit extortion and other crimes.
Customers who had left Medibank years ago were caught up in the hack, with the health insurer saying it was legally obliged to retain some information for seven years. It faced a damage bill of about $150m, according to analysts.
A Qantas spokesman declined to comment about the nature of the contact because it was a “criminal matter”.
An AFP spokesman said the airline had been “highly engaged in assisting authorities and police with investigating this incident”.