Senior executives at the Australian flag carrier Qantas were in line for big bonuses after the airline reported pre-tax annual profits of $2.39 billion and either met or exceeded short-term incentive targets after a rip-roaring year of successes.
That was, however, until Qantas revealed that it had fallen victim to a cyber attack at a customer service call center, giving hackers access to the personal details of as many as six million customers.
The attack was revealed on June 30, although it’s not known how long the database containing intimate personal details, including names, dates of birth, phone numbers, and frequent flyer numbers, was compromised until the airline became aware and took steps to secure the system.
Executives at Qantas are remunerated through a base salary, as well as short-term and long-term incentive payments.
The short-term bonus is based on the airline’s annual financial performance, alongside other metrics like employee engagement, safety performance, and sustainability initiatives, which are all fed into an overall scorecard with a maximum
an overall score of 163.75 per cent possible.
For the 2024/2025 financial year, the scorecard came in at an above-average score of 139% but the Qantas board decided to dock 15% off this score to reflect the impact the cyber attack had on so many of the airline’s customers.
As a result, chief executive Vanessa Hudson has had her short-term incentive bonus docked by A$250,000. The overall reduction amounted to A$800,000.
“The business had an outstanding year, delivering not just on financial metrics but importantly delivering for customers and our people,” commented Qantas Group chairman John Mullen.
But while Mullen praised Hudson for the “fantastic job” she had done, he said the board “decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers.”
Mullen added: “This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.”
The board decided to dock the bonuses of its executives even before an investigation into the security breach has been completed – a process that may still take many months.
In recent months, leading cybersecurity firms have put the aviation industry on high alert to the threat of cyber attacks by criminals using sophisticated ‘social engineering’ scams to deceive IT help desks into giving them access to sensitive internal systems.
In particular, the infamous Scattered Spider group is known to use social engineering rather than lines of code to break into private computer systems of private organizations, including airlines.
Several other airlines have fallen victim to cyber attacks in recent months, including Canadian carrier WestJet, Hawaiian Airlines, and KLM Royal Dutch Airlines.
In July, British Airways became so worried about the threat of an attack on its computer systems that it locked hundreds of pilots and flight attendants out of key operational systems after revoking permission to reset passwords on devices that weren’t hardwired into the airline’s network.
