How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people
Personal information stolen from Qantas customers is yet to be ‘shopped’ on the dark web, nor has the airline faced a ransom demand as its investigations continue.
Qantas urged customers to be on the lookout for potentially sinister contact from criminals purporting to work for the airline, after the personal information of six million people was stolen from an offshore customer database.
As Qantas and cyber officials piece together the events of the past four days that led to the biggest attack on Australians’ data since the Medibank hack, industry sources said the stolen cache was yet to be shopped around on the dark web. And Qantas confirmed on Thursday it had not received any ransom demand from the hackers, who have not been formally identified.
On Friday, apologising again for the incident, chief executive Vanessa Hudson said the investigation was “progressing well” to determine what information has been accessed and there is “no further threat activity in the system”.
“We know that data breaches can feel deeply personal and understand the genuine concern this creates for our customers,” she said. “Right now we’re focused on providing the answers and transparency they deserve.”
She said more than 5000 customers had contacted the support line since the incident.
Additional security measures have been put in place to further restrict access and strengthen system monitoring and detection, including for Frequent Flyer accounts.
“Next week we will be in a position to update affected customers on the types of their personal data that was contained in the system,” Ms Hudson said on Friday.
Cloud-based software company Salesforce was behind the platform, but said the issue was “not due to any known vulnerability” in its product.
“Salesforce has not been compromised,” said a spokesman.
That is because the so-called vishing attack bore the hallmarks of the Scattered Spider group, which was the subject of an FBI warning on June 28 following similar hacks against Hawaiian Airlines and WestJet. Vishing (voice phishing) is a phone-based social engineering ruse in which the caller impersonates someone the target trusts.
Ms Hudson has also emailed passengers warning them to be on alert for “unusual communications claiming to be from Qantas” as well as “emails or calls asking for personal information or passwords”.
Names, dates of birth, email addresses, phone numbers and Frequent Flyer numbers were available on the Qantas customer database accessed by the hacker, who convinced a Manila call centre operator they worked for the airline.
“These (cyber criminals) rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI said in a post on X.
“They target large corporations and their third-party IT providers which means anyone in the airline ecosystem including trusted vendors and contractors could be at risk.”
Satnam Narang, senior staff research engineer at Maryland-based cybersecurity firm Tenable, said attribution of the Qantas attack was “tricky”.
“Based on the limited details we know so far, it bears a resemblance to attacks conducted by the hacking collective referred to as Scattered Spider,” he said.
“(But) so far, there has been no confirmation that Scattered Spider was behind the attack against Qantas nor have we seen any attempts to shop the stolen data on the dark web.”
When Russian hackers struck Medibank in late 2022 they began publishing troves of sensitive customer information – including about policyholders treated for drug and alcohol addiction – within days of the attack after the health insurer refused to pay a $15m ransom.
Qantas emailed those affected late on Wednesday.
“Unusual activity” on the third-party platform was detected on Monday, when action was taken to contain the system. No financial details were compromised.
It is a major blow for the airline, which has worked hard to rebuild trust under Ms Hudson following a series of controversies in 2023.
As well as being found to have unlawfully outsourced its ground handling workforce, Qantas faced heat from customers over its management of Covid-19 travel credits, and the consumer watchdog took legal action against the airline over the sale of tickets on already cancelled flights, a matter that concluded in a settlement.
To date, those matters have cost Qantas $240m in compensation and fines with more to come in the form of a penalty for the unlawful outsourcing, and a class action over travel credits.
Ms Hudson’s email to customers caught up in the latest crisis said the incident was being taken “extremely seriously”.
“We’re implementing additional security measures to strengthen system monitoring and protection of your information as part of our response,” she said.
“If we identify new important information as we continue to investigate and respond to this incident, we will share it with customers.”
She also warned customers to be alert for “unusual communications claiming to be from Qantas” as well as “emails or calls asking for personal information or passwords”.
Maurice Blackburn class actions lawyer Lizzie O’Shea said the attack on Qantas had shone a light on the inadequacy of Australia’s privacy laws which were letting down consumers.
“In other parts of the world this is not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security,” said Ms O’Shea.
“Australia is falling behind because our regulatory regime does not incentivise, or encourage or require high standards of data handling practices or cyber security, so we need to improve our privacy laws to get up to date with the rest of the world and then I think customers will see an improvement in how their information is handled.”
Originally published as How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people