ANALYSIS

Albanese must step up to protect Aussies after Qantas hack

After dismissing a cyber attack on super funds, the Prime Minister must finally step up to protect Australians after hackers hit Qantas, exposing six million customers to online crime.

What’s more worrying than a large-scale cyber attack? Political leaders who display a laissez-faire attitude to such strikes, emboldening online criminals.

Barely three months after hackers siphoned thousands of dollars from the retirement savings of members of some of Australia’s biggest industry super funds – and Anthony Albanese dismissed such attacks as happening “all the time” – Qantas has become a victim of a co-ordinated heist.

Hackers infiltrated a Qantas database where the personal details of about six million customers are stored, in one of Australia’s biggest cyber attacks, underscoring the ever-present danger of online crime.

It comes as the US Federal Bureau of Investigation warned that a notorious cyber-criminal group, dubbed “Scattered Spider”, was targeting airlines. Scattered Spider uses social engineering techniques, often impersonating employees or contractors to gain access to company IT systems and bypass multifactor authentication, which is considered one of the strongest online security measures.

Qantas chief executive Vanessa Hudson “sincerely apologised” to customers and said it was notifying them on Wednesday morning about the mass data breach.

But when I checked my inbox, the only emails I had from Qantas were offers about how to boost my frequent flyer points, which have been debased at a similar rate to the speed of a grand piano falling from the airline’s lumbering A380s.

Ms Hudson was quick to highlight in an ASX statement that no credit card or passport details had been stolen. But there remain a lot of unknowns.

Qantas CEO Vanessa Hudson. Picture: Luis Enrique Ascui / NewsWire

Ms Hudson said the database contained personal information, including names, birthdates, phone numbers, frequent flyer numbers and email addresses. What’s concerning is these are all the ingredients cyber criminals need to create fake IDs, impersonate you and commit identity theft.

The strike on Qantas underlines the need for companies to be sure their cyber defences remain top-notch and flexible enough to combat escalating threats – whether they be from state-sponsored hackers from Russia, Iran, China and North Korea, or organised crime syndicates.

The scale of the heist on Qantas is similar to the strikes on Medibank and Optus in late 2022. But complacency and fatigue have begun to creep into the populace, further heightening the risk.

Just look at the Prime Minister’s response to a cyber attack on some of Australia’s biggest super funds. Rather than incur his wrath – like former Home Affairs minister Clare O’Neil’s fiery words during the attacks on Medibank and Optus – the Prime Minister said cyber attacks “happened all the time”.

A test of his leadership will be how his government responds to the Qantas hack. Cyber attacks may happen all the time, but tell that to the super fund members who had hundreds of thousands of dollars siphoned from their accounts, or the Qantas customers who now face an anxious wait to learn if they will become victims of identity theft and other crime.

Political leaders must step up and apply pressure on company executives and directors to do more to protect their customers. They need to be placed more firmly on the hook over such data breaches.

If there is no risk of a political fallout, being named, shamed and suffering a costly reputation hit, what impetus is there for companies to bolster their online defences and protect their customers?

Cyber security experts said the attack bears the hallmarks of Scattered Spider - which consists mainly of young hackers from the US, UK and Canada who have partnered with counterparts in Russia, creating a powerful ransomware group.

The FBI’s top cyber official Bryan Vorndran has branded Scattered Spider an “enormous problem”.

Scattered Spider targeted big brands last month, including North Face, Cartier and Victoria’s Secret, which followed a spate of attacks on UK retailers Harrods, Marks & Spencer and Co-op.

In those attacks, the hackers posed as employees locked out of their corporate accounts and convinced a corporate help desk to reset their password - what is known as social engineering.

Satnam Narang, staff research engineer at Maryland-based Tenable, said Qantas customers whose personal details have been stolen in the data breach risked being targeted by follow-on attacks. This includes potential credential stuffing - the same method hackers used against the super funds.

Saying attacks happen all the time simply doesn’t cut it.

Originally published as Albanese must step up to protect Aussies after Qantas hack

Original URL: https://www.thechronicle.com.au/business/albanese-must-step-up-to-protect-aussies-after-qantas-hack/news-story/6de7f3e30cb3e720e9977d165493f9a9