Qantas has cut executive bonuses by 15 per cent for fiscal 2025 following a cyber-attack that exposed millions of customer records. The airline’s board described the move as an accountability measure, even as the company reported one of its strongest annual profits on record.
Qantas said the breach affected a call-centre database, compromising personal data such as names, email addresses, phone numbers, dates of birth and frequent-flyer numbers of up to six million customers. While investigations are still under way, the board said it was important to act this year.
The 15 per cent reduction applied to short-term incentive payments across the executive leadership team. For Chief Executive Vanessa Hudson, the cut amounted to about A$250,000. Even so, her total remuneration rose from A$4.4 million in the previous year to A$6.3 million, reflecting the airline’s strong financial performance.
In its statement, the airline said: “While we recognise that the investigations into this incident may not be finalised for some time… it is important for both our executives and shareholders that the remuneration consequences of this incident be dealt with this year.”
The financial backdrop highlights the contrast. Qantas delivered an underlying profit of A$2.39 billion, the second highest in its history, with statutory net profit up 28 per cent to A$1.6 billion. Its low-cost arm Jetstar was a major contributor, as high demand and elevated ticket prices supported record revenue.
The airline also moved to reward employees with a share plan and resumed dividend payments, marking a turnaround from the pandemic years when its balance sheet was under strain. Shareholders are set to benefit from a final dividend of 20 cents a share.
Yet the decision to trim executive pay is as much about perception as it is about financial consequence. The cut represents a visible sanction for a breach that has already triggered a class action lawsuit and regulatory scrutiny. The Office of the Australian Information Commissioner continues to investigate, with potential fines of up to A$50 million if violations of privacy law are established.
This episode also reflects a broader shift in corporate governance. Boards in Australia and beyond are facing heightened expectations to show direct consequences for leadership when cyber incidents occur. After high-profile breaches at Optus and Medibank, and a wave of similar incidents across sectors from healthcare to retail, stakeholders now view data protection as a core leadership responsibility rather than a back-office technical issue.
Other companies may look to Qantas’s example as a blueprint: linking executive incentives to cyber resilience and reputational risk management. While a 15 per cent cut is relatively modest, the move establishes a precedent that boards cannot ignore systemic vulnerabilities without consequences. As cyber threats escalate, tying remuneration to security outcomes could become a standard tool of accountability across industries.
The coming months will test whether this measure is seen as sufficient. Regulators, investors and customers will be watching not only the outcomes of ongoing investigations, but also the airline’s ability to strengthen data protection while sustaining operational performance.
