Qantas cuts executive bonuses by 15% after a July cyberattack exposed data of 5.7M people, despite reporting $1.5B profit last fiscal year.
This case shows that a security breach can affect the salaries and bonuses of C-level executives.
In early July, Australian airline Qantas disclosed a cyberattack after hackers accessed a third-party platform used by a call centre, stealing significant customer data. The breach, linked to ongoing Scattered Spider activity, was detected and contained. Qantas confirmed that while the system is now secure, a substantial amount of data was compromised during the incident.
Customer service records that may have been stolen include names, emails, phone numbers, birth dates, and frequent flyer numbers. No financial data, passport details, passwords, or login credentials were compromised.
Qantas confirmed that hackers stole data of approximately 5.7 million customers and began extortion attempts to prevent its release.
“A potential cyber criminal has made contact, and we are currently working to validate this,” reads the company’s updated statement. “As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the details of the contact.”
The analysis of customers’ personal data has found (all numbers are approximate):
- 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
  - 1.2 million customer records contained name and email address.
  - 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
- Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
  - Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
  - Date of birth – 1.1 million
  - Phone number (mobile, landline and/or business) – 900,000
  - Gender – 400,000. This is separate to other gender identifiers like name and salutation.
  - Meal preferences – 10,000
Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts.
Qantas contacted affected customers to inform them of the specific data compromised and provide support. CEO Vanessa Hudson emphasized their focus on transparency and customer support.
In the company's latest earnings report, Qantas Group Chairman John Mullen announced the decision to cut bonuses for the CEO and Executive Management.
“Despite the strong performance, the Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers,” Mullen said. “This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.”
Qantas CEO Vanessa Hudson’s pay was cut by $250K, with the board citing shared accountability and efforts to support customers and boost protections.
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)