Qantas is yet to decide whether any form of compensation will be offered to six million customers caught up in a massive cyber attack on a call centre database, resulting in the theft of sensitive personal information.

The attack, which has the hallmarks of the Scattered Spider hacker group flagged by the FBI as targeting airlines in the past week, accessed names, dates of birth, phone numbers, email addresses and frequent flyer numbers of ­customers.

To date, the hackers have not begun shopping the stolen information on the dark web – a known marketplace for criminals – nor have they made any demands on Qantas for a ransom.

In an email to affected customers sent 12 hours after the ASX was notified, Qantas chief executive Vanessa Hudson said extra security measures were being implemented to strengthen system monitoring and protection of information.

“We’re taking this incident extremely seriously and working with government agencies and independent cyber security experts,” she wrote.

“If we identify new important information as we continue to investigate and respond to this incident, we will share it with our customers.”

The attack involved a voice call to the Qantas call centre in Man­ila, in which the hacker posed as an airline employee and was given access to a third-party data platform.

Customer experience strategy vice-president at Teleperformance in Australia Richard Valente said the incident served as a reminder that “humans are the weakest link in a data breach”.

“When large numbers of staff work remotely, whether in a call centre or from home, they are more susceptible to scams and hackers,” he said. Now that the attack had occurred, Mr Valente said, Qantas’s response was the next big test for the airline.

“In this situation where sensitive information has been compromised, consumers expect auth­en­tic, empathetic, person-to-person interactions,” he added.

One affected customer said he called the contact number provided in the email and was unimpressed by the response. He said the gist of it was he had “nothing to worry about” and the information taken could not be used to compromise third-party accounts.

“At the end of the call, I asked ‘So what you are saying in effect is don’t worry be happy?’ He replied in the affirmative. I pressed him and I was given a case number ‘in case you need to call us back’,” said the man who did not want his name published

Ms Hudson’s email said frequent flyer members did not need to reset their password or pin but customers should be wary of communications asking for such information: “Remember, Qantas will never contact you requesting passwords, booking reference details or sensitive login information.”

No decision has yet been made on compensation to customers who took to social media to express their concern and demand Qantas back up its apology with some form of restitution.

Maurice Blackburn class actions principal lawyer Lizzie O’Shea said the breach remained under investigation but it was evident Qantas customers had been let down.

“Even if (the attack) is through a third party, it is the job of the company collecting people’s personal information to do that due diligence and make sure the provider has robust protections in place,” Ms O’Shea said.

Impacted customers could make a complaint to the Office of the Australian Information Commissioner, but would likely face a long delay for any sort of response, she added.

“I think we’re at a point where that regulator is overwhelmed with complaints from people who have experienced these kinds of data breaches,” she said.

“We need to implement reform of the privacy act.”

More Coverage

Vanessa Hudson’s first big test as Qantas boss is here

Eric Johnston

‘Hallmarks of Scattered Spider’: Six million hit in Qantas cyber attack

Robyn Ironside, Jared Lynch

Originally published as What we don’t know about the Qantas hack: will customers get compensation?