Qantas Reduces Executive Pay Following Cyberattack
Summary
Australia’s largest airline revealed in its 2025 annual report that a cyber incident earlier this year — discovered on 30 June — compromised a third-party contact-centre platform and exposed personally identifiable information for about 5.7 million passengers.
The Qantas board decided to reduce short-term compensation for the CEO, Vanessa Hudson, and the wider executive team by 15%. For Hudson, that equals a $250,000 reduction. Qantas said attackers obtained names, email addresses and frequent flyer numbers for most affected customers; a subset also had addresses, dates of birth and phone numbers exposed. The airline says no payment card data, financial information, passport numbers or account credentials were accessed.
The incident is linked to a threat actor tracked as UNC6040, associated with the ShinyHunters collective, which has used Salesforce as an entry point in attacks on other organisations. Qantas has warned customers about increased scam and phishing activity and urged the use of two-factor authentication while the investigation continues.
Key Points
- Qantas discovered a breach in a third-party contact-centre platform on 30 June, affecting around 5.7 million passengers.
- The board reduced short-term executive compensation by 15% in response; CEO Vanessa Hudson faces a $250,000 cut.
- Exposed data included names, emails and frequent flyer numbers; some records also contained addresses, dates of birth and phone numbers.
- The attack is linked to UNC6040 / ShinyHunters, and other companies using Salesforce were targeted in similar intrusions.
- Qantas emphasised customer protections, urged two-factor authentication, and warned of increased phishing and scam activity following the breach.
Context and relevance
This story is a good example of three converging trends: the rising impact of supply-chain and third-party SaaS compromises, the reputational and regulatory fallout from large-scale data exposures, and growing board-level appetite to link executive pay to cyber resilience. Organisations relying on third-party platforms — especially customer-service SaaS providers — should see this as a reminder to reassess vendor security, monitoring and incident response plans.
For security teams, the incident highlights the persistent threat from organised groups exploiting widely used platforms and the need for strong customer communication strategies and phishing mitigations post-breach.
Why should I read this?
Short version: execs took a pay cut, millions of customers were nudged into extra risk, and it all started with a third-party platform. If you look after customer data, vendor security or incident response, this is worth a quick read: it saves you time and flags what to watch for next.
Author’s take
Punchy and plain: small pay cuts won’t erase the reputational hit. This case shows how SaaS/supply-chain weak spots ripple up to the boardroom — and why putting vendors under the microscope is non-negotiable now.