I'm not arguing Air NZ should have waited. I see no issues with their time frames for notifying customers. I do however take issue with the fact they didn't notify what was leaked when this was known on Thursday, and customers since Friday have been advised of this when they've pushed for it. Why were they not clear and open about this? I don't see any reason why you wouldn't simply tell people what data was revealed unless you're trying to downplay things.



Because they didn’t know at the time the full extent of what had been compromised, going through three to seven years of email and OneDrive to detect what had been accessed within a specified amount of time from specific addresses takes time. They had an idea from some documents what the minimum exposure was, and they went with that.


sbiddle:It does seem that the compromised document(s) are probably data extracts for offline analysis and based on the numbers of customers in the leak I'd take a pretty big guess that these are neither "Airpoints customers who have traveled in the past 2 weeks" nor "Airpoints customers using the valet parking". This almost certainly is HVC data, and the fact it's essentially been HVCs who have had the email.


That is a core part of where we differ, I would never state an assumption or educated guess as fact. I had to check back on what AirNZ has published publicly but HVCs comprise 620,000 accounts, so I’m not sure what you’re doing with 112,000 and saying “all of AirNZ’s HVCs” I would suggest this is a subset, not a comprehensive “all” 


Which is the core of the argument, you seem to be emotively stating things as an authority and ascribing intent based on your assumptions, but you don’t know the facts. “downplay” describes intent, whereas “don't have enough information to give you a full picture yet, but this is what we know” seems an unacceptable option?