Qantas has deducted $250,000 from Chief Executive Vanessa Hudson’s bonus after a cyberattack compromised the personal information of six million customers.
While Hudson will still earn more than $6 million in total remuneration for the 2025 financial year, her short-term incentive was cut by 15%. The Qantas board applied the same reduction to the rest of its executive team, despite the airline reporting a record $2.39 billion underlying profit.
Qantas Board Responds to Cyber Incident
Qantas Group Chairman John Mullen explained the decision:
“Despite the strong performance, the board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers. This reflects their shared accountability while acknowledging ongoing efforts to support customers and enhance protections.”
The board’s move highlights the growing corporate accountability around cybersecurity failures, even when financial performance remains strong.
Executive Pay Remains High Despite Penalty
Although positioned as a penalty, the cut leaves little impact on executives’ overall compensation. For example, Hudson’s $6.3 million package for FY2025 represents a 43% increase from the $4.4 million she received the previous year.
Much of this growth comes from Qantas’ surging share price, which has more than doubled since Hudson took over—from $4.47 three years ago to $10.74 by June 30, 2025.
What Happened in the Qantas Data Breach?
The airline disclosed that it detected the cyber breach on June 30, 2025. Hackers targeted a Qantas call centre by exploiting a third-party customer servicing platform.
The exposed information included:
- Names
- Email addresses
- Phone numbers
- Dates of birth
- Frequent flyer numbers
Importantly, Qantas clarified that no credit card details, passport numbers, or financial data were accessed, and its flight operations were not disrupted.
Cybersecurity in the Spotlight
The Qantas data breach serves as a reminder that even high-performing companies with record profits can suffer from cybersecurity incidents with significant reputational consequences. For customers, it underscores the importance of monitoring personal information for suspicious activity. For businesses, it emphasizes the need for robust third-party risk management and ongoing investment in data protection.