A review of the database used by Qantas’s Manila call centre revealed various personal details of 5.7 million customers were being stored on the platform, ranging from frequent flyer status and points balance to meal preference.

To date, more than a million customers have been informed about what details were stolen by the cyber criminal following an interaction with the call centre almost two weeks ago.

But many are still waiting to be told just what details held by the airline have now been shared with a hacker, putting the customer at risk of further exploitation through scams.

“The information on its own might not seem that bad, but it’s what more information that might allow the cyber criminal to get that concerns me,” said one frequent flyer caught up in the breach.

Qantas confirmed the details on record for each customer varied, with names, birthdates, addresses, phone numbers, gender and frequent flyer numbers among the fields.

Almost half of those compromised by the breach had their frequent flyer number and status tier recorded, while a smaller subset also had their points balance and status credits included.

Frequent flyer expert Adele Eliseo, of The Champagne Mile, said such information could identify “high-value” individuals that would be of interest to cyber criminals.

“Last week’s announcement gave no indication that fields like points or tier status were at risk,” Ms Eliseo said.

“These are sensitive fields that can help bad actors zero in on frequent flyers with the most to lose.”

The hack also threatened to identify members of Qantas’s exclusive invitation-only Chairman’s Lounge, the guest list of which was a closely guarded secret.

Ms Eliseo also raised concerns about Qantas including members’ full frequent flyer numbers in email communications about the breach, even though both may have been compromised.

“In banking, account identifiers are typically masked or redacted,” Ms Eliseo said.

“Qantas’s disclosure of such information highlights that perhaps loyalty data still isn’t being handled with the same level of care we expect for sensitive personal information.”

Qantas reiterated that emails were being sent progressively, a week after customers first learned if their details were stored on the Salesforce platform used by the call centre in Manila.

Chief Executive Vanessa Hudson has stressed no financial details or passport information were stored on that platform, which has now been secured.

Those who had received an email outlining what data was now in the hands of a cyber criminal were urged to “follow general precautionary steps and remain vigilant to any misuse of their personal information”.

“Remain alert especially with email, text messages or phone calls, particularly where the sender or call purports to be from Qantas,” said the Qantas update signed by Ms Hudson.

“Always independently verify the identity of the caller by contacting them on a number available through official channels.”

Customers were also advised to stay informed about the latest threats and scams via the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch web page.

“Do not provide your online account passwords, or any personal or financial information,” the Qantas advisory said.

“Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.”

Ms Hudson signed off with an apology, noting her appreciation of customers’ patience as the cyber attack investigation unfolded.

“You put your trust in us with your personal information, and we take that responsibility very seriously,” she said.

“If you have any concerns, please contact our dedicated 24/7 customer support line at 1800 971 541 or 61 2 8028 0534. You’ll be able access specialist identity protection advice and resources through this team.”

More Coverage

Matter of trust: The next step in hack of Qantas the hardest

Eric Johnston

Cyber hacker contacts Qantas

Robyn Ironside

Originally published as Qantas cyber incident: frequent flyers, customers await update on stolen data