Qantas cyber attack explained: What Australians must know about the data hack
Millions of Qantas customers have been affected by the cyber attack that has stolen their data. This is what you need to know and what you can do next.
On Monday, June 30, Qantas experienced a massive cyber attack with a hacker accessing the personal data of millions of customers.
It is the most high-profile cyber attack on an Australian company since 2022, when both Optus and Medibank were targeted.
Here is everything you need to know about the Qantas hack and what actions you can take to protect yourself.
WHAT HAPPENED IN THE QANTAS CYBER ATTACK?
Last week Qantas informed customers that a hacker had infiltrated its systems and stolen the personal data of 5.7 million customers.
Qantas Group CEO Vanessa Hudson sent an email to customers in the wake of the hack.
“I know this incident has been concerning and I am deeply sorry for the uncertainty this has caused,” Ms Hudson wrote.
WHAT PERSONAL DATA WAS STOLEN?
A wide range of personal data was accessed by the hacker.
For four million customers, the data accessed is limited to their name, email address and Qantas Frequent Flyer details.
Of these four million, 1.2 million customers only had their name and email address accessed by the hacker and the remaining 2.8 million also had their Qantas Frequent Flyer number accessed.
Most of the customers whose frequent flyer number was accessed also had their tier accessed and, in a lesser number of cases, their points balance and status credits.
However, for 1.7 million customers, the data hack was more substantial.
Of these customers, 1.3 million had their address revealed to the hacker – this includes business addresses and also the addresses of hotels customers may have stayed in which Qantas had records of for the purpose of reuniting them with misplaced baggage.
Around 1.1 million people had their date of birth accessed.
Approximately 900,000 customers had their phone numbers accessed, 400,000 had their gender revealed to the hacker and 10,000 the meal preferences they chose on flights.
Reassuringly, Qantas confirmed the following data was not breached.
“Qantas has reconfirmed no credit card details, personal financial information or passport details were stored in this system and therefore have not been accessed,” Qantas said in a statement.
“There continues to be no impact to Qantas Frequent Flyer accounts. Passwords, PINs and login details were not accessed or compromised.
“The data that was compromised is not enough to gain access to these frequent flyer accounts.”
HAS QANTAS SAID WHAT DATA HAS BEEN COMPROMISED?
Fortunately, the hacker has not published any of the data.
“Qantas has progressed its forensic analysis of the customer data in the system that was compromised,” a Qantas statement reads.
“There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.”
WHAT HAVE CUSTOMERS BEEN TOLD SO FAR?
By now, all impacted customers should have received an email titled “confirmation of your details impacted by the cyber incident.”
The email explains exactly which of your details were accessed by the hacker and flags an update to the Qantas Frequent Flyer platform which will be available soon and allow customers to see the “types of data held on the compromised system.”
WHAT CAN CUSTOMERS DO?
Qantas has set up a dedicated 24/7 customer cyber support line which you can call on 1800 971 541 or +61 2 8028 0534.
This line provides those impacted with access to specialist identity protection advice and resources.
Where available, customers should use two-step authentication – such as an authentication application – for personal email accounts and other online accounts.
CAN QANTAS CUSTOMERS CLAIM COMPENSATION?
Peter Carter, director of Carter Capner Law, said the answer to this is complex.
“Whether or not customers are entitled to compensation in respect of the Qantas’ data breach depends on the extent of the measures the airline took to protect the personal information that was hacked,” he said.
“Public statements by the Qantas CEO that the airline has already taken ‘additional security measures to further strengthen our systems’ might be an indication that its cyber protection measures were inadequate at the time the breach occurred.
“In a similar case, Optus faces a customer class-action for losses occasioned by the leak of their personal information including for the time and money customers spent replacing identity documents and damages for vexation, distress, frustration and disappointment.
“In the Qantas case, it appears the cyber criminals were able to import customers’ names, addresses, email details, frequent flyer point balances, meal preferences, phone numbers and dates of birth. Particulars of identity documents and credit card details were not – according to the airline – breached.
“Thus the breach appears – at least on the surface – to be of a less serious category than was the case with Optus. Affected customers would therefore likely be restricted to claims on the second category, namely for vexation, distress, frustration etc.”
QANTAS WAS CONTACTED BY THE HACKER – WHAT’S THE LATEST?
The bad actor responsible for the hack has contacted Qantas, which has refused to comment further given the active criminal investigation.
Precedent, including the Optus and Medibank incidents, suggests it is unlikely Qantas will cave and pay the hacker's ransom demand, which has not been made public but could be in the many millions of dollars.
WHAT HAS QANTAS DONE TO PROTECT CUSTOMERS IN THE FUTURE?
Ms Hudson explained a raft of measures had been put in place in the wake of the hack.
“Since the incident, we have put in place a number of additional cyber security measures to further protect our customers’ data, and are continuing to review what happened,” Ms Hudson said.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police.
“I would like to thank the various agencies and the Federal Government for their continued support.”
ARE CUSTOMERS VULNERABLE TO SCAMS NOW?
Qantas has recommended customers take precautionary steps and maintain an increased level of vigilance in the wake of the cyber attack.
“Remain alert, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas,” an email to impacted customers reads. “Always independently verify the identity of the caller by contacting them on a number available through official channels.
“Do not provide your online account passwords, or any personal or financial information. Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.”
The following websites contain information on known scam activity and further resources on protecting your identity:
Australian Cyber Security Centre
National Anti-Scam Centre’s Scamwatch
Office of the Australian Information Commissioner
If you believe you have been targeted by a scammer, please report the incident to Scamwatch.