Once again, want to be clear I'm not trying to defend Qantas here. Apart from anything else, I'm still awaiting the 3rd email which suggests I've hit the jackpot (no meal preference on file though, so I already know that I won't be yelling out "BINGO!"), but....
Another school of thought on this is that it would likely be faster to identify customers with minimal data loss (e.g. if they had minimal info on file in the system of record, then you're going to know quick smart that they only had a small subset of fields leaked). Conversely, it will likely take longer to determine the (full) extent of the leak for customers with more data points on file. If this is in any way close to the reality of Qantas' / CyberCX's investigations, then it stands to reason that Qantas would - and should - communicate out to those minimally impacted customers as soon as practically possible in order to assuage their concerns. No need to leave them waiting on tenterhooks whilst they keep digging into the worst case scenario breaches for other customers.
I honestly don't see any way in which Qantas comes out of this comms exercise with glowing reviews from all customers? It's basically a case of one group of FF members arguing "...I'm more heavily impacted so you should have communicated to me earlier instead of pushing a "nothing to see here" agenda with those who had nothing overly meaningful leaked" vs another group of FF members who would be arguing "...why did you keep me waiting and worrying for so long before telling me I was on the lower end of the impact scale?"
Communicate to all at once and (some) customers will have issues. Communicate to subsets of customers at different points in time and/or differing orders of severity and (some) customers will vehemently disagree with the approach. The way I see it, I don't think there's much they could have done* that would not have been viewed with cynicism, frustration, anger et. al.
* other than avoid a data breach in the first instance
.
