Two months after a major data breach thought to impact about six million customers, Qantas has announced a new compensation policy that reduces executive bonuses for the CEO and their team when damaging cybersecurity incidents take place.
The recent data breach will cost Qantas CEO Vanessa Hudson AUD 250,000 of her expected total annual compensation of AUD 6.3 million. The announcement came as Qantas said that the investigation into the data breach, thought to be perpetrated by the combination of the prolific ShinyHunters and Scattered Spider groups, could be expected to continue for some time.
Major breach prompts reduction of executive bonuses
The data breach that prompted the new policy took place on June 30 and involved social engineering of a contact center employee into connecting to a malicious instance of Salesforce, which granted the attackers access that they then used to move laterally. All told, the incident resulted in the theft of records of some six million customers, including data from their frequent flyer accounts such as member numbers, contact mailing and email addresses, and phone numbers paired with their full names. Qantas says that the breached platform did not contain more sensitive personal or financial information.
Qantas CEOs going forward can now expect hits to their annual executive bonuses, usually in the millions of AUD, when data breaches take place. Hudson is losing about 12.5% of an expected short-term bonus of AUD 2.04 million due to the new policy. However, it remains unclear if this will scale with compensation. Hudson’s total compensation is well below the most ever paid out for the company, which was the AUD 23.9 million package given to former CEO Alan Joyce in 2018. Joyce subsequently saw his exit pay cut by AUD 9.4 million in 2024 as an external review found that the company’s downward performance was largely due to his leadership.
A statement from the company indicated that other executive bonuses might be cut by 15% due to the data breach.
Personal culpability for executives in data breaches remains rare
The move by Qantas is noteworthy, as it is relatively rare for organizations to dock CEO pay or executive bonuses in response to a data breach. John Watters, CEO at iCOUNTER, notes that he had to go back over 10 years to find a comparable example: “The last headline I can recall about a CEO being held responsible for a breach dates back to the Target breach in 2013, when the CEO was forced to step down the following year. It will certainly be interesting to see if this is a once-a-decade event or if it becomes the norm moving forward.”
While they do not involve executive bonuses being touched, there are some other cases that have set precedent for a CEO or other executive leader being held personally responsible for a data breach. The FTC did this for the first time ever in 2023 when it held Drizly CEO James Cory Rellas personally responsible for failure to implement necessary safety measures that would have likely prevented a mid-2020 data breach that exposed the personal information of some 2.5 million app users. Rellas was held responsible due to failure to act on notifications of likely security vulnerabilities in 2018, storing login credentials insecurely in a GitHub account, failing to regularly monitor the company network for threats, and failing to appoint a senior executive directly responsible for protecting the personal information of app users. While he was not fined or financially penalized by the company, Rellas was hit with an order to implement a specific cybersecurity program that follows him for 10 years to any jobs that involve security responsibilities. Drizly was shut down in March 2024 shortly after being purchased by Uber, and it is unclear what Rellas is doing now.
The FTC is limited in its ability to directly pursue individual executives with financial penalties, but one card that it can play in this area is to refer the case to the Department of Justice, which can then file lawsuits against them. This happened to Adobe in June 2024, when the president of the digital media wing and a senior vice president at the company in charge of marketing were sued over allegedly hiding the existence of early termination fees from customers and making it unnecessarily difficult to cancel subscriptions. There has not been a decision in that suit as of yet.
In 2022, D.C. Attorney General Karl Racine also filed a lawsuit alleging that Mark Zuckerberg held personal responsibility for Facebook’s Cambridge Analytica data breach. Had the suit gone through, Zuckerberg might have been subject to claims of personal financial liability, but a judge dismissed it in June 2023 (several months after Racine had already left office).
Dave Gerry, CEO at Bugcrowd, notes that though it is usually an oversimplification to hold an executive solely responsible for a data breach, the threat of reduction of executive bonuses can be a powerful tool in quickly improving awareness of entrenched security problems and mobilizing necessary change: “Cybersecurity is the responsibility of everyone within the organization, and accountability for this starts with the CEO. Oftentimes it’s easy to point the finger at the various technology teams – including the CISO – but the reality is that the accountability for funding, prioritizing and evangelizing security practices sits with the CEO and senior leadership team. Demonstrating that there is a financial impact for the CEO sends a clear message to shareholders that cybersecurity is a business enabler, protecting customers’ data is of paramount importance, and the CEO is taking ownership of ensuring that the business does everything possible to uphold the trust placed in them by their customers.”