Qantas has cut short-term bonuses for its top executives by 15% in response to a customer data breach, even as the airline reported a strong year of profits.
CEO Vanessa Hudson saw her bonus reduced by about AUD 250,000 under the 2025 remuneration decisions, with the airline saying the adjustment reflected shared accountability across the leadership team.
Despite the cut, Hudson’s total pay package rose to roughly AUD 6.3 million for the year, up from AUD 4.4 million in 2024, due to increases in base salary and other components.
The bonus reductions follow a cyber incident in late June 2025, when a hacker targeted a third-party customer servicing platform used by a Qantas call centre.
The breach exposed personal details of around six million customers, including names, emails, phone numbers, birth dates, and frequent flyer numbers. The airline confirmed no financial data, passports, or login credentials were compromised.
Qantas Group Chairman John Mullen said the decision to act within the financial year was intended to demonstrate accountability.
“While we recognise that the investigations into this incident may not be finalised for some time, it is important for both our executives and shareholders that the remuneration consequences of this incident be dealt with this year. The bonus adjustment reflects executives’ shared accountability. This decision demonstrates our commitment to creating a culture of accountability and ownership,” Mullen said.
He acknowledged the seriousness of the breach but highlighted the team’s efforts to support affected customers and strengthen security measures.
The airline’s operations continued to perform strongly, with Qantas posting a profit increase of nearly 16% for fiscal 2025.
The company said that while the breach highlights the risks facing airlines, its impact had been addressed through leadership accountability without derailing operational momentum.
Will This Become the Norm?
John Watters, CEO at iCOUNTER, said: “The last headline I can recall about a CEO being held responsible for a breach dates back to the Target breach in 2013, when the CEO was forced to step down the following year. It will certainly be interesting to see if this is a once-a-decade event or if it becomes the norm moving forward.”
Cybersecurity is the responsibility of everyone within the organization and accountability for this starts with the CEO, added Dave Gerry, CEO at Bugcrowd. “Oftentimes it’s easy to point the finger at the various technology teams – including the CISO – but the reality is that the accountability for funding, prioritizing and evangelizing security practices sits with the CEO and senior leadership team.
Gerry said demonstrating that there is a financial impact for the CEO sends a clear message to shareholders that cybersecurity is a business enabler, protecting customers data is of paramount importance, and the CEO is taking ownership of ensuring that the business does everything possible to uphold the trust placed in them by their customers.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.