Qantas Airways has cut executive bonuses by 15% after a July cyberattack exposed the personal data of 5.7m customers.

The decision, announced in the Australian airline’s annual results and reported by Reuters, came despite the firm reporting a A$2.39bn (US$1.5bn) profit before tax in the year to June, one of its strongest financial performances on record.

The move highlights how cybersecurity lapses are increasingly shaping boardroom decisions on pay.

Chairman John Mullen said the board wanted to deal with “remuneration consequences” in the same fiscal year as the breach, adding that the cuts reflected “shared accountability” across senior management.

Group chief executive Vanessa Hudson’s short-term bonus was trimmed by about A$250,000 (£121,250) while other executives collectively forfeited A$550,000 (£266,750).

Overall, Hudson’s total pay rose to A$6.3m (£3.06m) from A$4.4m (£2.13m) a year earlier due to the airline’s strong operational performance.

The Qantas attack, traced to a third-party contact centre in Manila, compromised names, emails, dates of birth, phone numbers and frequent flyer details, though no financial information, passwords or passport numbers were taken.

Qantas said it had contacted affected customers, engaged law enforcement and tightened security measures.

“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” Hudson said.

The penalty reflects a growing trend of linking executive pay to cybersecurity performance. Last year, US casino operator MGM Resorts withheld bonuses after a ransomware attack disrupted operations in Las Vegas for 10 days, costing an estimated $100m.

In 2022, UK telecoms group TalkTalk faced scrutiny over executive pay following a breach that exposed 157,000 customer records, with investor groups urging tougher remuneration policies tied to data protection.

Qantas is among several major companies targeted by Scattered Spider, a loosely affiliated collective skilled in social engineering and extortion.

In April, the group also attacked Marks & Spencer, disrupting its supply chain and forcing the retailer’s website offline for about 46 days, halting online orders until services were restored.
