Qantas’s two-day hack delay fuels customer scam fears

Qantas will contact customers individually to reveal the type of data compromised in the attack. Photo: AAP

Millions of customers could already have been targeted by scammers in the two days it took Qantas to share details of a major cyber attack, an expert says.

And there might be further attempts by malicious actors to hit Australia’s biggest airline now that a vulnerability has been exposed.

The airline announced on Wednesday that a third-party system used by an offshore call centre had been attacked two days earlier.

Qantas said the hack potentially compromised the names, dates of birth, email addresses and frequent flyer numbers of six million customers, although their financial information remained secure.

But a cybersecurity expert said the 48-hour delay in telling customers of the attack might have left millions vulnerable to scam attempts.

“That second round can be a lot more powerful than the first breach and then there is the risk of customers not knowing to be alert to any emails or phone calls from Qantas as suspicious,” La Trobe University’s Daswin De Silva said.

“These emails can be sent very quickly … phishing or other impersonation attacks could have happened in those 48 hours.”

Qantas representatives should explain the 48-hour delay in notifying customers of the scam risk, De Silva said.

He speculated the delay was likely due to Qantas figuring out whether other systems had been compromised and deploying security measures to dispel the cyber criminals.

Qantas confirmed that scammers were already impersonating the airline and has warned customers to be vigilant.

The airline has been contacted for comment about the notification delay.

On Friday, the company provided an update confirming that credit card details, personal financial information, passport details and Qantas Frequent Flyer accounts were not exposed.

However, customers will have to wait several more days for an individual update on which personal details were compromised due to the hack.

“I want to apologise again for the uncertainty this has caused,” chief executive Vanessa Hudson said.

“We’re committed to keeping our affected customers informed with regular updates as our investigation progresses.”

Qantas, which is working with government authorities to investigate the incident, said there had been no further threat to its systems and additional security measures had been enacted.

The Australian Federal Police confirmed they were investigating and the airline had been “highly engaged” with authorities.

Qantas has remained tight-lipped about who it believes is behind the attack and no cyber criminal groups have taken responsibility.

But De Silva said it could be an ominous sign of more cyber strikes to come for the airline now that criminals had found a vulnerability.

“Once you figure out a weak spot, they try to exploit it to the maximum,” he said.

Multiple cyber experts believe the group responsible is Scattered Spider, a cabal of young cyber criminals in the US and Britain.

The US Federal Bureau of Investigation recently warned that the group was targeting airlines by impersonating legitimate users to bypass multifactor authentication and access systems.

De Silva said Scattered Spider was a financially motivated group that did not obtain credit card details or other “valuable” information in the attack.

“They might be planning further attacks that get them to their objective because obviously they want to see their effort fulfilled,” he said.

Qantas has added security measures for its frequent flyer accounts, including requiring extra identification for any changes.

It has had more than 5000 customer inquiries since revealing the attack.

Legal experts suggest the incident could lead to a class action against Qantas after compensation claims were made against Optus and Medibank following major breaches in 2022.

-AAP

Copyright © 2025 The New Daily.
All rights reserved.