Qantas says it has reduced bonuses received by its CEO and executive management team by 15 percentage points “in recognition of the seriousness” of its June data breach, which affected around six million customers.

The airline announced the change in its annual report on Friday, in which Qantas chair John Mullen said the company's board had “decided to reduce 2024/25 short-term bonuses … for the CEO and Executive Management” over the incident.

The change meant Qantas CEO Vanessa Hudson’s bonus would be cut by $250,000, while the wider executive management team of five people, excluding the CEO, would see a reduction of $550,000 shared across their bonuses.

“This decision demonstrates our commitment to creating a culture of accountability and ownership,” Mullen wrote.

Qantas publicly announced a data breach on 2 July after cybercriminals used social engineering to convince a Qantas call centre in Manila to grant access to a third-party customer service platform — activity which the airline said it detected on 30 June.

The compromised accounts leaked personal information including names, email addresses, phone numbers, dates of birth, Qantas Frequent Flyer numbers, and the number of points in individual accounts, exposing millions of people to a higher risk of fraud.

Reduced bonuses highlight ‘shared accountability’, Qantas says

Qantas said the cuts to executive bonuses recognised the importance of the company's security systems, as well as the executives’ responsibility for the handling of customer data.

“This adjustment reflects their shared accountability and our commitment to a culture of responsibility and transparency while also acknowledging the work that has been done since the incident,” Qantas said in its report.

“This includes notifying and supporting customers, and engaging extensively with relevant stakeholders such as the Australian Cyber Security Centre.”

The Qantas board said while it acknowledged investigations into the incident “may not be finalised for some time”, it believed it was “important for both our executives and shareholders that the remuneration consequences of this incident be dealt with this year”.

Despite the cut to her short-term bonus, Hudson’s total annual remuneration increased by 44 per cent in the latest report to $6.3 million, as Qantas’s share price has risen around 75 per cent in the past 12 months.

The five members of the executive team, excluding Hudson, received $4.3 million in base pay between them for the 2024-25 financial year, and $13.1 million in other benefits and bonuses.

Hudson took over Qantas following the 2023 departure of former CEO Alan Joyce, who picked up his final bonus shares worth $3.8 million in the airline's latest figures.


Qantas CEO Vanessa Hudson (pictured left) received more than $6.3 million in total remuneration in 2024-25. Image: Qantas / LinkedIn

Qantas facing ‘increasing social engineering threats’

Qantas said it was improving its cyber defences and response strategies in the wake of the June incident.

It added it was “observing increasing social engineering threats” from cybercriminals, and said an “intensifying geopolitical climate worldwide has exacerbated cyber espionage and warfare attacks on Australian organisations”.

The airline also referred to malicious actors “employing advanced techniques to target Australian companies and critical infrastructure for ransom”, but did not say whether it had been targeted by ransomware itself.

Qantas Group — which also includes subsidiaries such as Jetstar and QantasLink — remained “exposed to reputational and brand damage from risks associated with” cyber incidents, including those involving companies in its supply chain, the annual report stated.

The company said its ongoing work included “enhancing secure-by-design capabilities to support new technological initiatives, fortifying the human firewall through education and awareness initiatives, and advancing cyber defences with advanced technology and expertise to remain ahead in the attack-defence dynamic”.

The report also acknowledged law firm Maurice Blackburn's July complaint to the Office of the Australian Information Commissioner (OAIC), which alleged Qantas had breached privacy laws by failing to protect customers’ personal information.

The firm is seeking compensation for affected Qantas customers.

Qantas reiterated in both July and August that it was “aware of increased reports of scammers impersonating Qantas” following the cyber incident, and warned customers to be wary of potential scams.

While the airline has not named which group (or groups) of malicious actors it believes may have been behind June’s data breach, experts have speculated it may have been the so-called Scattered Spider hacking group.

Qantas has not provided a formal update on the investigation since 17 July, when it was granted an interim injunction in the New South Wales Supreme Court to prevent the stolen data “from being accessed, viewed, released, used, transmitted or published by anyone, including by any third parties”.

The company revealed earlier in July that it had been in contact with a “potential cybercriminal” in the days after the breach.