While Airpoints accounts, passwords and credit card details were not accessed, the airline says some information relating to membership profiles may have been compromised.
''We're sorry to advise that some of your personal information may have been affected by a recent phishing incident relating to two Air New Zealand staff accounts," the airline's regional general manager, loyalty and customer direct Jeremy O'Brien said in an email to members.
The airline's loyalty scheme has about two million members but the number affected is unclear.
''We have secured the two affected accounts and are conducting a thorough investigation. We're also focused on further hardening our security processes to help prevent any similar incidents from happening in the future," he said.
It is warning members to look out for phishing emails over the next few months.
It says it will never ask you for credit card details or login information in an email and says anyone with further questions to email onlinesupport@airnz.co.nz.
The airline has also issued the following advice on how to spot phishing emails:
• Phishing scams can be very sophisticated. If your personal information was exposed in this recent incident, it could possibly be used to create authentic-looking hoax emails. They could include your name and your Airpoints number, for example.
• Be cautious of emails:
- that appear to be from Air New Zealand, but are not from one of our mailing addresses which usually end in airnz.co.nz, airnewzealand.co.nz or grabaseat.co.nz
- Make urgent appeals for fast action
- Ask you to make an online payment
- Include attachments that may contain viruses
- Contain links to sites that are malicious or unsavoury
• If the email seems to be from someone you trust but is asking you to make an unusual financial transaction, call or text the real sender to check.
• If you think you have been sent a phishing email, delete it immediately. For more information on phishing emails visit CERT NZ, the New Zealand Government's cyber security advisory service, or Netsafe NZ.
Airlines have enormous data bases of customers and are a prime target for phishing and hacking.
Earlier this year British Airways was fined $360 million for last year's breach of its security systems.
Users of British Airways' website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers,
Last year Cathay Pacific said there had been "unauthorised access" to passenger data of approximately 9.4 million people who were travellers with the company and its subsidiary, Hong Kong Dragon Airlines.
