Qantas hack: lawyers launch class action compensation case
Australia's leading class actions law firm takes the first step in action against Qantas.
Qantas customers whose personal details have been leaked as a result of the Qantas cyber-hack attack are being asked to join a Qantas Data Breach Class Action compensation case launched by high-profile Sydney law firm Maurice Blackburn.
The data breach, which occurred earlier this month, saw the personal details of some 5.7 million travellers leaked – including names and addresses, phone numbers, email addesses, birth dates and information associated with their Qantas Frequent Flyer account.
Qantas maintains no frequent flyer passwords, passport data, or financial details such as bank account and credit card numbers were accessed.
However, Maurice Blackburn – considered Australia's leading class actions law firm, winning more than $5 billion in class actions recoveries since 1998 – says “the scale and sensitivity of the exposed data have raised serious concerns.”
“We’ve filed an official complaint with the Office of the Information Commissioner, which is the authority charged with taking action over breaches of the Privacy Act,” confirms principal lawyer Elizabeth O’Shea.
O’Shea said the complaint, filed on Thursday July 17, is “in relation to Qantas failing to adequately protect the personal information of its customers.”
How to join the Qantas Data Breach Class Action compensation case
Qantas customers impacted by the breach are being asked to register on Maurice Blackburn’s Qantas Data Breach Class Action website “to receive updates about the representative complaint and compensation which may be sought on your behalf.”
Registration is free and available to any current or former Qantas customer who have received notification from Qantas that your information was impacted by the data breach.
“Registering will not expose you to any out of pocket cost,” Maurice Blackburn notes.
“Unless and until there is a successful outcome in any legal claim, all costs will be borne by Maurice Blackburn.”
“In the event of a successful outcome, any costs payable to Maurice Blackburn will be deducted from, and will not exceed, any compensation that you are entitled to receive.”
Approached by Executive Traveller for comment, a Qantas spokesperson saud the airline “understands that a complaint has been lodged by Maurice Blackburn on behalf of some affected customers in relation to our recent cyber incident.”
“Our focus continues to be on supporting our customers and providing ongoing access to specialist identity protection advice and resources.”
What customer data was exposed in the Qantas hack attack?
As previously reported, Qantas says some 4 million customers flyers had their name, email address and frequent flyer details exposed.
- 1.2 million customer records contained name and email address
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number
The majority of those 2.8 million people also had their Qantas status tier leaked, while the airline says “a smaller subset of these had points balance and status credits included.”
In addition to that, a further 1.7 million people had some or all of the following data leaked:
- business and/or residential address (1.3 million)
- date of birth (1.1 million)
- phone number (900,000)
- gender (400,000)
- meal preference (10,000)
Each customer caught up in the cyber-attack will receive an email from Qantas with specific details on their data exposure.
“Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts,” the airline notes.
“There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.”
“There continues to be no impact to Qantas Frequent Flyer accounts. Passwords, PINs and login details were not accessed or compromised. The data that was compromised is not enough to gain access to these frequent flyer accounts.”
Executive Traveller readers have reported a definite uptick in scam emails and texts over recent days, which appear to be targeting customers whose data was exposed.
Here are our five tips for what to do next.
1. Don’t panic
Qantas maintains the hack did not reveal:
- credit card details
- passport details
- frequent flyer passwords PINs or other login details
So there’s no need to rush out and cancel credit cards, and there’s also a reduced immediate risk of identity theft, compared to the 2022 cyber-attack on Optus which exposed the passport numbers of 100,000 Australians.
That said, the information which was stolen from the Qantas systems can enable other attacks such as ‘phishing’ scams or to build a more detailed identity profile over time – particularly when combined with data from other breaches.
2. Consider changing your Qantas Frequent Flyer PIN
While Qantas maintains no frequent flyer or passwords – which are four-digit numerical PINs – were leaked, or accounts breached, you should still consider changing your password – if only for peace of mind.
The biggest risk comes from using the same password across multiple online services.
Make sure the PIN to your Qantas Frequent Flyer account is unique to that account, in case previous or future hack attacks and data leaks help criminals gain access to your account through common passwords.
For example, many people use their date of birth to construct a four- or six-digit numercial password used in multiple accounts and online services – and with their birthdate now exposed, along with their Qantas Frequent Flyer membership number, this can put hackers one step away from accessing your stash of hard-earned points.
3. Tighten up your account security
Make sure that two-factor authentication (2FA) or multi-factor (MFA) is enabled on your Qantas account.
This will send a prompt or code to your phone (via SMS) or email when you – or somebody else – logs into your Qantas Frequent Flyer account.
You can also opt to use a separate authenticator app which generates a unique six-digit code every 30 seconds which you can enter into a website or app for secure tasks such as logging in and making payments.
This is especially useful if you’re overseas and don’t have access to SMS texts sent to your Australian mobile number.
4. Watch out for scam emails, texts and calls
The biggest immediate risk is that, armed with your name, email address, phone number and Qantas Frequent Flyer number, scammers can impersonate Qantas in an attempt to harvest more of your personal information and potentially do real damage.
And while as a savvy Executive Traveller reader you probably know to avoid this, the same can’t be said for many other people – so please pass that advice along to any friends and family members you feel might fall prey to such scams.
These could be phone calls from somebody pretending to be from Qantas requesting passwords or other login information.
It could also take the form of legitimate-looking emails leading to a fake Qantas website – especially emails which say Qantas is offering money, travel credit or points in apology or compensation for the data breach.
Qantas says some scams are already being attempted, noting “this is unfortunately common after incidents like this.”
“We recommend customers remain alert for unusual communications claiming to be from Qantas or requesting personal information or passwords.”
5. Stay informed
Qantas is regularly updating its website with information on the cyber-attack, and also offers a dedicated support line on 1800 971 541 or +61 2 8028 0534 which is available around the clock.
“All customers have access to specialist identity protection advice and resources through this team,” the airline says.
Readers are asked to keep their comments on-topic and constructive, with the aim of adding to the advice this article.
Qantas - Qantas Frequent Flyer
28 Apr 2017
Total posts 4
I’m not aware Qantas had a password only a PIN. Lots of advice about the need to change Qantas password but useless if there isn’t one. If there is a password for a logon could someone let me know. Many thanks
20 Oct 2015
Total posts 279
Password = PIN = same thing, different people just know it as different things.
I don't feel it's necessary to change the PIN but I get that it gives people 'peace of mind' that they have done something, and especially given so many people use the same or a similar PIN or 'password', it's always best practice to have something unique to each website and service. Will be interesting to see if Qantas makes any chances to this after the hack, eg changes from a numerical PIN to a proper password.
Qantas - Qantas Frequent Flyer
25 Feb 2017
Total posts 22
It's not the same thing, a PIN is just a number - which I believe is the OP's point, and has been an irritant of mine with Qantas (and ING Direct) for ages. It's completely inappropriate for a reputable company to just have a four digit number allowed to access private account information. Users should be allowed to use a password manager to select a complicated password to protect their info.
Qantas - Qantas Frequent Flyer
11 Nov 2016
Total posts 72
A password and a PIN are not the same.
Qantas - Qantas Frequent Flyer
30 Aug 2017
Total posts 29
Qantas marketing again at its best down-playing a significant breach in customer confidence- Names, DOBs and email addresses are significant pieces of personal information that can be misused to the passenger's detriment. Interesting to see if compensation is considered / given or a class action of sorts. I'm not comfortable that such comprehensive data has been accessed.
Qantas - Qantas Frequent Flyer
22 May 2018
Total posts 78
We need to wait and see . rather than go into panic mode and run about like headless chooks , changing this and that. Give it a week and so to see what happens. in the meantime monitor your e mails and keep a lookout on your banking accounts.
Virgin Australia - Velocity Rewards
13 Jan 2014
Total posts 128
Absolutely the worst advice.
Companies constantly downplay exposure or they just don't have all the facts yet but need to put something out. Also depending on the company and their auditing/logging etc may never know full impact.
Change your password any time there is even a chance it’s been leaked. Use a password manager. Don’t share passwords.
Qantas - Qantas Frequent Flyer
05 Oct 2016
Total posts 163
Completely agree. I work in software and I've been involved with some server hacks and breaches, and i contend from what I've seen in these cases, that yes QF may know WHAT data was available, but it would be very difficult if not impossible to know exactly HOW MUCH was taken. Sorry this will be cold comfort to people, and I'm also caught up in this QF breach, but systems are rarely good enough to be able to provide clear information on what exactly was taken or copied. It's just not that simple. I'll guarantee their marketing is hard at work fudging what they really know, and probably have little idea of exactly what is leaked. And its certain to be everything and more that was in that system. They will be pretty much flat out working on complete assumptions right now and will never be able to fully determine a clear picture.
Qantas - Qantas Frequent Flyer
24 Jan 2019
Total posts 17
I’m so annoyed. QFF and QClub members have been treated with contempt as the value of points are diluted and the quality decreases, and now our data has been compromised. This is my third data breach by a major corporation but if my identity is compromised I’m the one who will suffer.
18 Apr 2023
Total posts 4
The latest news is that the bad actors didn't hack into the system using brute force or anything sophisticated. They simply gained access by manipulating a consultant i.e. social engineering. Apparently they claimed to be from Qantas IT and got the user to hand over credentials.
It doesn't matter if the contact centre was onshore or offshore, the same tactic would work. The people are the weakest link, and sadly contact centres aren't likely to pay well enough to attract sufficient people who would be immune to this style of attack.
Maybe an onshore call centre would get better training, but it's not guaranteed. We'd like to think that Australian call centre employees would be more alert to this, but I don't think they would be.
Jetstar Airways - Qantas Frequent Flyer
14 Jan 2017
Total posts 71
With the awful communication skills and poor language capacity of these overseas call centre staff I have experienced I am not so sure the outcome would have been the same if Qantas held sensitive customer data securely on shore and in house.
Qantas - Qantas Frequent Flyer
11 Nov 2016
Total posts 72
All airlines with frequent flyer schemes devalue points over the years. That is not Qantas-specific. You have to accept that frequent flyer points have an 'inflation' aspect to them and they will have less buying power over the years.
29 Jan 2012
Total posts 224
A good example for companies to keep their call centers local and not contracted out to 3rd party operators with minimal security measures in place. Keeping call centers local will not reduce the problems 100%, but given Australian operating standards may assist in the security and operational standards required to protect the mountains of private information being held and leaked out as this example clearly shows.
On the other hand I may be wrong.
Qantas - Qantas Frequent Flyer
15 Aug 2016
Total posts 7
Good comments. 3rd Party always strikes me as a no care no responsibility all in the name of saving money.
Jetstar Airways - Qantas Frequent Flyer
14 Jan 2017
Total posts 71
Most Australians would not be happy with third party overseas contractors having access to their sensitive data. Especially given the poor quality of service provided by these overseas call centres. If companies faced penalties for data breaches they might find the true cost of their outsourcing isn’t worth it. I would also like to know what other data is accessed by these 3rd parties and why?
QF
11 Jul 2014
Total posts 1092
I’m deeply frustrated that companies — Qantas included — continue to allow these breaches to happen. We’re required to provide our personal information, yet they consistently fail to protect it. This is unacceptable. There must be serious consequences for organisations that neglect their responsibility to safeguard customer data. And if reports are correct that someone was able to impersonate an employee over the phone to gain access — that’s a staggering failure in basic security protocols.
Virgin Australia - Velocity Rewards
24 Jan 2018
Total posts 870
But my dear UpUpAndAway, surely you were comforted by Ms Hudson's response - “As soon as I heard the breach had happened, I stopped everything I was doing and I connected with the team and was leading our response,”. I slept much easier after learning of her alarm, it had all the hallmarks of urgency as the previous CEO (Alan what's-his-name).
And when she gets back to Sydney, I'm sure that there'll be a full report on her desk.
08 May 2020
Total posts 67
In previous hacks, the company involved has provided me a free year to one of the companies that looks out for your personal data being used online. Not seen anything like that from Qantas yet
15 Sep 2021
Total posts 16
Totally agree with those who comment on concerns with Qantas offshore call centres.
Many AU companies engage this practice and it worries me that my personal information (which I work hard at keeping personal) is so open to so many in so many unknown.
Qantas is now trying to close the gate after the horse has bolted but I’m sure we will all receive 100 extra FF points to appease us.
United Airlines - Mileage Plus
20 Mar 2020
Total posts 5
I keep seeing references to using 2FA for login but where do you set it?
I have Authenticator linked and working elsewhere in the account eg updating My Profile but it never prompts during login.
Virgin Australia - Platinum
21 Mar 2021
Total posts 11
As one of those who have been caught up in this breach, I’m disappointed in the Qantas response. I really don’t like ET stating we shouldn’t panic. It’s our identifying data that once again has been handed over to those who will only use it to attack us directly due to poor security handling by a call centre contracted by Qantas.
Furthermore, all I’ve been offered is a chat with someone on what extra work I have to do to protect myself now my info has been stolen. Why not provide me the tools that can alert me if the information that was stolen by the breech are used? That’s what Optus did.
Now there are people out there stating “the data stolen is different to Optus” yes that’s true. These hackers are not stupid though, by using data which has been stolen previously, they can align that data with this new dump of info creating a more detailed portfolio. So that’s why a more protective system needs to be made available to those effected.
Cmon Qantas, protect those who you have let down, rather than the shareholders.
Qantas - Qantas Frequent Flyer
17 Jan 2014
Total posts 2
Two issues of relevance and concern: (a) one can ring Qantas customer service with identifying information and as of 2 weeks ago (when I likely was ringing manila with a simple query), I was not sent a text to my phone to prove my identity (unlike some other organisations), and as alluded to by others, (b) the large amount of data leaked/person (ALL of my demographic etc details were leaked) can be used elsewhere. That is likely a much bigger issue long term, as one cannot easily change name, gender, DOBirth etc and changing emails or phone numbers opens a whole new world of pain when two factor identification and access to govt portals requires use of these details. And not to mention the risk of bad actors porting our mobile phones to their new devices to set up 2 factor identification for us to lose access to other services.
QF
01 Jul 2016
Total posts 5
It just goes to show how little the spin churners and the incompetent management understand the problem.
Our private information is protected by a pathetic 4 digit pin which if you are trying to crack it manually, it would take you between 13.5-14hours. But in 2025 with the use of AI, it now only takes a whopping 0.44 seconds. That's right less than one second to be able to access your account data. If you haven't activated 2FA to fully access your personal information within your account, good luck!
So if after all of the BS we keep being fed about our data being safe and changing your PIN is the best advice they can offer, bring on the class actions now!
Qantas - Qantas Frequent Flyer
15 Jul 2014
Total posts 1
I just tried to change my pin and answer came up “not available at this time”
Qantas - Qantas Frequent Flyer
13 Jun 2019
Total posts 18
If the Federal Government go off their backside, instead of covering for Qantas and access to the Chairmans Lounge, and passed legislation that had real punative fines for breaches of personal information, like $100 million, a number of things would occur. There would be no offshoring of call centres to save money. Call centres would be here in Australia manned by Australians. There would be no overseas subcontractor control of personal data belonging to Australian citizens. And if there was a data breach, the board would be acting and there would be actual responsibility taken together with repercussions, instead of Qantas PR running a spin operation.
24 Feb 2023
Total posts 3
I agree with most of this commentary, especially PQ666, our politicians are way too attached to their Chairman's Club access to do what they know they ought to. If legislation were introduced to apply substantial fines to companies who fail to secure our data, things would be rather different. Taking the call centres off shore was an accident waiting to happen.
What's particularly irritating is that the FBI issued a warning to the industry two days prior. Qantas claiming that they're taking the privacy of our data 'seriously' is insulting - using a third party platform is essentially handing it over to these cyber criminals on a platter. Just out of interest, does anyone have a view on why 5.7 million QFF customers data (mine and family members included) was stored separately on this particular third party platform; and where is the data of the other approximately 9 million customers stored; is it for instance stored more securely.
Qantas - Qantas Frequent Flyer
09 May 2018
Total posts 4
Hi
My data breach:
Name
Address
DOB
FF Number
Status Credits
Tier
Points
email address
Phone number
Whey send a letter saying all that and do nothing. I really don't mind as there are so many data breaches although I do feel this has been handled poorly. Save the dollars and just make an announcement with a hotline.
08 Feb 2018
Total posts 185
Data breaches are a criminal-less crime, in Australia we just blame the victim of the crime and the criminals get away with it!
Qantas - Qantas Frequent Flyer
21 Jan 2014
Total posts 336
So in order to be part of any claim for compensation you need to go online and send all of your details to a law firm that I have no idea of how secure that information will be either, no thanks, hopefully when it all settles QF will make some sort of points/status offer and move on.
Qantas - Qantas Frequent Flyer
05 Oct 2016
Total posts 163
LOL “In the event of a successful outcome, any costs payable to Maurice Blackburn will be deducted from, and will not exceed, any compensation that you are entitled to receive.” So in effect they're entitled to keep everything or as much as they please... Nice wicket they're on there!
17 May 2017
Total posts 21
Agree with all being said and yes, I was hit as WAMQFFP . Qantas needs to get on top of this and batten down the security hatches. We need to see this type of action from them and then a remedy from QF itself to all those affected would be highly appropriate , not via a class action which makes lawyers extremely wealthy and the recipients receive basically nothing.
Virgin Australia - Velocity Rewards
20 Jul 2012
Total posts 17
Class action only really benefits lawyers.
If you look at the average payout of these claims and divide it by the number of customers affected, each person stands to get about $8-10 dollars.
Comparatively, the percentage of the pay out will earn the law firm millions.
28 May 2022
Total posts 7
First of all... Don't panic.
If what Qantas has stated is fact, and only certain data has been leaked... It's likely that 80% to 90% of that data is already in the hands of nefarious players anyway (before the Qantas breach).
It's easy to check if your data is "out there"... visit https://haveibeenpwned.com or do a search for "have I been pwned" if you prefer not to click on links... (read about the website before visiting). They hold a data set of hacked data... just enter your email address and you will be surprised what's already out there... (unless it's a new email address you are using)
As the saying goes, "let the buyer beware", is a very good stance to take, but not in purchasing but in what you do when an email is received claiming to be from XYZ company...
It's about educating yourself on the threat landscape... I'm sure that if you went on a safari to Africa, you would (or should) understand the risks... The same principle applies when opening emails.
IF IN DOUBT, DO NOT CLICK ON LINKS IN EMAILS. It really is that simple...
If you are not confident in identifying scam emails, reach out to someone with skills who can verify if the said email is fake, etc...
NEVER, click on emails to "reset" anything... or "ABC" has expired, or "Your account is going to close"... etc... Unless you are expecting the email... ALWAYS err on the side of caution.
Hope this helps.
18 Sep 2018
Total posts 19
Can anyone with an EU passport file a complaint under the GDPR. 4% of worldwide turnover or €20 million whichever is greater is a far more appropriate penalty than Australia will ever implement.
Qantas - Qantas Frequent Flyer
31 Jan 2016
Total posts 96
Ok, so I'm shallow. No thanks lawyers and 'class actions', can't be bothered, and like WAMQFFP most of my details are probably making someone else's day while they try to hack away at my empty bank balances...
But, QANTAS, I'm prepared to forgive and forget if you make me an offer I can't refuse...like, 'Lifetime Platinum'. It wouldn't cost you much, I'm already Lifetime Gold and annual Platinum for last 18+ years.
Go on, you know you want too...and I may say nice things (maybe)...!!!
Qantas - Qantas Frequent Flyer
03 Jan 2013
Total posts 67
Anyone who doesn’t have multi-factor authentication enabled for any of their online transactions or interactions is asking for trouble.
15 Feb 2023
Total posts 11
1. Agree to bring call centers back to OZ
2. Class action a joke.....shame on greedy Law Firms. If successful, estimated FF members may get < $20 ea while the shysters in line for millions.
3. If compo is warranted then MAYBE, just maybe QF could offer some FF points direct ( no 3rd party) to members.
4. Going after QF for the hack is like the police charging a home owner for allowing his/her home to be burgled, even if safeguards are in place.
I'm subject to the hack, but my knickers remain untwisted.
Hi Guest, join in the discussion on Qantas hack: lawyers launch class action compensation case