When I log in to the QF website, I need three things: Membership Number, Family Name and 4-digit PIN. The first two have been published to the world (data breach) so all that stands between me and the bad people is a 4-digit PIN.
They do have lockouts after failed attempts, etc., but there can be subsequent attempts, and the brute force method has plenty of memberships to try it on. Many people will be using a year of birth as their 4-digit PIN. So start with 19, then it is just a 2-digit PIN. It would have been simple to change to a 6-digit PIN, or even better a 6-character PIN, allowing letters and numbers. Yes, technically a password, but still short enough to be easily remembered, like a car's number plate. Qantas has apparently done nothing to improve the security of login.