In my opinion, this is just not good enough.
There need to be serious penalties for companies failing to protect private data, as have been introduced in the UK a number of years ago.
I don't really care about the Qantas data leaked, if someone is able to access Qantas accounts, spend/steal points etc there would be uproar if Qantas did NOT provide restitution (return to the previous balance).
What I DO care about is my name, date of birth, phone number, residential address, etc etc etc being leaked.
I can't just change them.
I will be at increased risk - permanently - from their mistake.
Leaking credit card data would be better and yet they keep "reassuring" me that no credit card data was leaked. Despite the fact that I can get a new credit card in about 3 days.
They keep talking about how their systems are secure now. I couldn't care less what they are like now - have they ever heard about closing the stable door after the horse has bolted?
It all just smacks of minimisation, lip service, and "too bad so sad" followed by them moving on.
Compensation doesn't change the fact that they have seriously let their customers down - but nor has it been offered - it just seems like they are hoping it will go away and no-one will kick up a fuss.
Disgusted
