Qantas leak could cost airline billions

A data breach that has already cost the boss of Qantas more than most people make in a year could hit the airline for billions of dollars as its customers brace for an increase in scams.

The flying kangaroo was one of six global companies involved in a weekend data leak after a hacking collective made good on its ransom threat.

The leak stemmed from up to 5.7 million Qantas customers having data compromised through an offshore call centre that used Salesforce software.

The July breach could cost the company more than $A7 billion ($NZ7.95b) if ruled to be a serious or repeated interference with privacy, while class actions from affected customers also loom.

The hack has cost Qantas chief executive Vanessa Hudson $A250,000 after senior executives had their short-term bonuses trimmed by 15 percent in September.

The leak included full names, addresses, Frequent Flyer details, dates of birth, phone numbers, gender and even meal preferences.

Qantas could face "very serious penalties", Cybersecurity Minister Tony Burke said.

"You can't simply outsource to other companies and think suddenly you've got no obligations on cybersecurity," he said on Monday.

He urged customers not to go looking on the dark web for the data, even their own.

A Qantas dataset totalling 153 gigabytes appears to have been removed from file-sharing platform LimeWire.

The data could give hackers more points of verification for identity-theft attacks, Have I Been Pwned cybersecurity expert Troy Hunt said.

While not overly concerned about his own information leaking, Mr Hunt said Qantas would be "lawyered up to their eyeballs".

"They will now have to face all the inevitable class actions and things that will follow," he told AAP.

RMIT cyber security professor Matthew Warren said the leak would fuel a "second wave of scams".

"Other criminals are going to use that information pretending to be from Qantas," he said.

Swinburne University emerging technologies expert Dimitrios Salampasis said worried customers should review social media privacy settings and their publicly available information.

"Leaked data could be combined with online details to build convincing scams."

Affected customers represent about one-third of the 17.6 million Frequent Flyer members Qantas had in June.

The airline has offered a support line and specialist identity protection advice.

It obtained a NSW Supreme Court injunction to prevent stolen data being accessed.

But it did not cover international jurisdictions, with stolen databases of Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies posted online on Sunday.

A complaint over the Qantas data breach has been lodged by law firm Maurice Blackburn with the Office of the Australian Information Commissioner.

The legal outfit alleged Qantas breached privacy laws by failing to protect customer information.

Compensation claims were made against Optus and Medibank following major data breaches in 2022.

Qantas notified the commissioner in July under a scheme requiring companies to report data breaches likely to result in serious harm to affected individuals.

The Federal Court on Wednesday ordered Australian Clinical Labs to pay $A5.8 million for a February 2022 data breach, in which more than 223,000 people's personal information was accessed without authorisation.

But penalties have increased significantly under a scheme in place since December 2022.

Maximum penalties rose to $A50 million, or three times the value of the corporation's benefit, if a court can determine it.

If not, penalties could be set at 30 percent of the corporation's adjusted turnover for a minimum of 12 months covering the breach period.

That would exceed $A7 billion against Qantas' reported revenue of $A23.8 billion in the financial year before the breach.