
Qantas’s fight against faceless opponent as airline races to safeguard stolen data

Qantas has succeeded over its faceless opponent in court. But the breach highlights a systemic vulnerability many large Australian organisations face: a lack of oversight and control over data handled by third-party vendors.

Qantas has won an ongoing non-publication order on information stolen from a customer database in the New South Wales Supreme Court.

After being awarded an interim injunction against the use, release, transmission or publication of stolen customer details, Qantas returned to court on Friday for the hearing against an unnamed defendant, who did not appear. Even the name of the airline’s barrister was not allowed to be spoken.

The identity of the hacker remains unknown, although cyber experts suspect it is the group known as Scattered Spider.

Justice Francois Kunc, who outed himself as one of those caught up in the attack, was told Qantas would seek damages in the event the hacker was ever unmasked.

Qantas’ efforts to limit any further fallout from the breach came as law firm Maurice Blackburn flagged its intention to seek compensation on behalf of the 5.7 million customers affected.

A Qantas spokeswoman acknowledged the complaint made by Maurice Blackburn to the Office of the Australian Information Commissioner in relation to the cyber attack.

“Our focus continues to be on supporting customers and providing ongoing access to specialist identity protection advice and resources,” said the spokeswoman.

No credit card details, passport information, passwords or PINs were stored on the database accessed by the cyber criminal, but a range of other information was, including names, birthdates, addresses, emails, phone numbers, and Frequent Flyer numbers and status.

Days before the Qantas attack, the FBI warned hacker group Scattered Spider was targeting airlines.

Trustwave director Craig Searle said the incident had highlighted the importance of such data to companies, and raised questions about its retention.

He previously described customer data as the “new oil”, but the Qantas attack showed it was more like the “new uranium”.

“(Data) is extremely useful and extremely powerful for a period of time. However, the by-product, or the waste, as it were, of that data can also be extraordinarily dangerous,” Mr Searle said.

“So organisations holding on to data that they either don’t need, or is no longer time relevant, actually has the potential to come back to bite them.”

Even data traditionally deemed “non-sensitive” such as meal preferences could be considered sensitive and valuable information if it indicated religion.

“Because of the way the Privacy Act is written it’s either a statement of fact or a reasonably held opinion about someone’s attributes... Similarly, (if someone orders) a diabetic or lactose intolerant meal that clearly indicates a medical issue.”

Mr Searle said organisations needed to spend more time and effort cataloguing what data they had.

“Do they actually need to hold it? And who do they give access to that data to?” he asked.

“What third party vendors, their supply chain, so on and so forth, have access to that data?”

Alex Newman, country manager for Informatica ANZ, said the Qantas data breach highlighted a systemic vulnerability many large Australian organisations face: a lack of oversight and control over data handled by third-party vendors.

“What’s missing for most of these organisations is the ability to automatically detect where sensitive data is located, who has access to it, and whether that access is appropriate,” said Mr Newman.

“Without that baseline visibility and policy enforcement, breaches often go unnoticed until after the fact. Data governance, privacy and access management — not just IT security measures — need to be embedded into day-to-day operations, with clear visibility and governance of sensitive data.”

Originally published as Qantas’s fight against faceless opponent as airline races to safeguard stolen data


Original URL: https://www.heraldsun.com.au/business/qantass-fight-against-faceless-opponent-as-airline-races-to-safeguard-stolen-data/news-story/660d8117325e491eacd2edba5d6554fe