NewsBite

AFP investigates Qantas mass cyber attack

The Australian Federal Police has issued a statement on the Qantas mass cyber attack after it exposed millions of Australians’ personal data.

Qantas revealed it has not been contacted by anyone claiming to have customers’ personal information after the airline was impacted by a mass cyber attack.

The national carrier said on Friday it is still investigating the incident, in which some six million Aussies have potentially been impacted.

The Australian Federal Police said it is also investigating the matter.

“The airline has been highly engaged in assisting authorities and the AFP with investigating this incident,” an AFP spokesperson said in a statement on Friday.

“Further comment will be provided at an appropriate time.”

It is understood a cyber criminal targeted a call centre based in Manila in the Philippines and gained access to a third-party customer servicing platform used by Qantas.

The data breach includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.

The system has since been “contained” and the national carrier said there has been no further threat activity in the system, nor has it been contacted by anyone claiming to have the data.

“We know that data breaches can feel deeply personal and understand the genuine concern this creates for our customers. Right now we’re focused on providing the answers and transparency they deserve,” Qantas CEO Vanessa Hudson said in a statement.

Qantas customers involved in mammoth data breach.

“Our investigation is progressing well with our cybersecurity teams working alongside leading external specialists to determine what information has been accessed.”

The national carrier is working with specialist cyber security experts, including on forensic analysis of the impacted system.

“We’re finalising a process that will enable us to provide affected customers with more information about their personal information that was potentially compromised.”

The airline confirmed the system remains secure and no credit card details, personal financial information or passport details were stored on the compromised system.

It also added there is no impact to Qantas Frequent Flyer accounts.

“We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems,” Ms Hudson said.

“Our customers can be assured that we have the right expertise and resources dedicated to resolving this matter thoroughly and effectively.

“I want to apologise again for the uncertainty this has caused. We’re committed to keeping our affected customers informed with regular updates as our investigation progresses.”

Qantas CEO Vanessa Hudson said on Friday the airline has implemented additional security measures to further strengthen their systems. Picture: Nikki Davis-Jones

Qantas to contact affected customers next week

The airline said it will be in a position next week to update affected customers on the types of their personal data that were contained in the system.

“This will confirm specific data fields for each individual which will vary from customer to customer,” the airline said in a statement.

Since Wednesday morning, the airline said it has communicated directly with its frequent flyers to notify them of the incident and to apologise that this has occurred.

It added that frequent flyer passwords, PIN numbers and login details were not accessed or compromised, but customers can update these details at any time.

Qantas advises customers to remain alert for unusual communications claiming to be from the airline or requesting personal information or passwords.

Customers can contact Qantas’ dedicated support line on 1800 971 541 or +61 2 8028 0534, which includes access to specialist identity protection advice and resources.

Qantas said there has been no further threat activity in the system, nor has it been contacted by anyone claiming to have the data. Picture: Julian Andrews

‘Frustrating’ and ‘concerning’

Despite credit card details, personal financial information and passport details not being impacted, an expert said the information that was exposed is actually far more “frustrating” and “concerning” to have in the hands of hackers.

“When a data breach like this occurs, it’s very frustrating for everyone involved,” said Dr Hammond Pearce from UNSW Sydney’s School of Computer Science and Engineering.

He told news.com.au the ‘date-of-birth’ being leaked was of greatest concern.

“The kind of information that has been stolen, you use it everywhere … they define you. I can change my credit card number, it’s annoying and it’s a hassle, but I can ring up my bank and it’s done.

“But my name and my date of birth, these are things that are a little bit more permanent and in many ways these are just as frustrating to have leaked because those are things you actually can’t change. I can’t change my name very easily and I certainly can’t change my date of birth.”

‘Worried about is impersonation’

Dr Pearce said a full name, date of birth, and email or phone number are three pieces of personal data that, in a hacker’s hands, may pave the way for a future “downstream attack”, and that as a cybersecurity expert, his biggest fear for impacted customers is impersonation.

“The biggest thing that we’re worried about is impersonation … where they [hackers] can pretend to be you with other businesses that you might be registered with.”

Qantas is another victim in a long line of Australian companies, including Optus and Medibank, to have had a breach like this.


Dr Pearce added it’s getting “quite frustrating” that these big companies are “not responsibly looking after our data.”

Home Affairs Minister Tony Burke said the incident had created “ongoing risks for consumers” and warned that the government expected companies not to be reliant on third-party protection for their systems.

“Because emails and phone numbers have been compromised, if anyone gets a cold call from Qantas, hang up,” said Mr Burke, adding that he had spoken to acting Qantas chief executive Steph Tully twice during the day.

“If you’re going to talk to Qantas on the phone, use the published number and you make the call,” he advised, as per the Financial Review.

“If you get an email that is asking you to click through on a link in any way, don’t respond to it. The only way to deal with them digitally is to work through the Qantas app,” he said.

Qantas’ next steps are crucial

Richard Valente, vice president of customer experience strategy at TP in Australia, which has the largest airline portfolio globally, said how Qantas responds next will be important.

“Humans are the weakest link in a data breach. When large numbers of staff work remotely, whether in a call centre or from home, they are more susceptible to scams and hackers,” Mr Valente said in a statement.

“TP utilises a high-tech platform which enables organisations to scale and work with remote teams without compromising security or quality.”

He said it combines rigorous data protection protocols with AI-driven security measures and real life training scenarios.

“For example, it has the ability to shut down an employee’s computer if it detects unrecognisable motion or someone taking a photo of their screen information while working.”

Mr Valente warns Qantas should not only be leveraging technology and AI but also utilising human touch and EI (emotional intelligence) to triage and respond to customers most at risk.

- with Vanessa Brown


Original URL: https://www.news.com.au/travel/travel-updates/incidents/qantas-gives-update-on-mass-cyber-incident/news-story/66cd7e824a93650b001acb47e04b9ff2