Over 100,000 Air New Zealand customers may have had data compromised in a breach.

In an email sent to users of its frequent flyer program, Airpoints, the airline admitted that two Air New Zealand staff accounts were breached in a phishing attack.

“We have secured the two affected accounts and are conducting a thorough investigation,” the Air New Zealand email read.

“We’re also focused on further hardening our security processes to help prevent any similar incidents from happening in the future.”

The attackers gained access to internal documents which may have included information such as customers’ names, email, and mailing addresses – but Air New Zealand said passwords and credit card information were not affected.

A spokesperson for the airline also said “a very small number of limited passport details could have potentially been visible” to the bad actors.

Less than two weeks before the incident, the New Zealand Privacy Commissioner commended Air New Zealand for its online Privacy Centre tool that allows users to access, correct, and delete data the airline stores about them.

Privacy Commissioner, John Edwards, told 1News that successful phishing scams can effectively open the door to a system.

“Every one of these scams is worrying, particularly when they manage to defeat the security systems of a sophisticated organisation like Air New Zealand,” he said.

“It just shows that organisations need to be increasingly vigilant to have very good IT systems but also to have really good cultural training to tell people not to trust the thing that pops into their box.

“We need to, unfortunately, breed a little more suspicion into people.”

The New Zealand parliament is currently considering a bill that would replace the Privacy Act 1993 and includes a mandatory data breach notification scheme similar to the one in Australia.

Air New Zealand voluntarily notified the Privacy Commissioner of the breach on July 31 but did not tell customers until more than a week later.

“Sometimes there needs to be a little bit of a delay while an organisation actually understands the extent of what happened. Otherwise people can be concerned without need,” Edwards said.

“As soon as they become aware that identity information or credit cards or passwords have been included, that is a cue for them to act quickly.”

Air New Zealand is the latest major airline to have suffered from a data breach.

Last month, the British Information Commissioner proposed fining British Airways $329 million after half a million customers had their data stolen.

In October last year, Cathay Pacific revealed that hackers stole the data of over 9 million customers – including passport and credit card numbers.