Estimated reading time: 4 minutes
We’ve reported on large companies that were hacked recently but either had no cyber insurance, or were underinsured. Could the Qantas Group (Qantas Airlines) be another one? The company’s board has (modestly) cut executive pay over its June hack, which revealed information on 5.7 million customers, according to the Qantas annual report released last month. But we’ve been unable to find references to cyber insurance in that report or related information released by the company. Cyber Insurance News has reached out to the Aussie airline about its cyber liability coverage and will update you if we get any answers.
The Qantas Hack
Unlike other recent hacks and software failures in the aviation, retail and auto sectors, the attack against Qantas, discovered at the end of June, did not produce massive business interruptions, but did result in the loss of customer data. “The names, email addresses and frequent flyer details of four million customers were exposed. The remaining 1.7 million customers had more data taken, including their dates of birth, phone numbers, personal or business addresses, gender and meal preferences, prompting an apology from Qantas boss Vanessa Hudson,” reported the Daily Mail. Qantas has obtained a court injunction against the purloined data “being accessed, viewed, released, used, transmitted or published by anyone, including by any third parties.”
Online criminals, apparently not connected to the original hackers, have been using news about the hack to try to trick Qantas customers. “These scammers are attempting to use the heightened awareness of our situation to entice Qantas customers to click through links or share personal details. This is unfortunately common after incidents like this,” the airline warned in August.
Board Cuts Compensation to Executives
“'(T)he Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers. This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers,” said Qantas Group Chairman John Mullen. “While we recognise that the investigations into this incident may not be finalised for some time and there may be other outworkings, we believe it is important for both our executives and shareholders that the remuneration consequences of this incident be dealt with this year. As a result, the Group Scorecard outcome was reduced to 124 per cent for the CEO and Executive Management. This had the effect of reducing the CEO’s 2024/25 STIP outcome by $250,000 [note: app. $USD 167,000.], and the total reduction for Executive Management (excluding the CEO) was $550,000 [note: app. $USD 363,000],” the company revealed last month in its annual report.
Between Painful Cut and Slap on the Wrist?
While no CEO is happy about losing $167,000 in bonus payments, it’s worth noting Qantas’ CEO had her bonus reduced but not eliminated. She also has an app. million US dollar salary, plus share grants and other compensation, none of which was apparently reduced due to the hack.
More from the Annual Report
“Qantas immediately commenced forensic investigations and work continues to learn from the incident and further increase our resilience,” according to the board report. Frequent readers of corporate on hacks expect this kind of information to be accompanied by discussion of the company’s cyber insurance claims and coverage, but not in this report. Qantas may have cyber insurance, but if so it’s not discussing it. Could information on the airline’s cyber insurance be covered by the legal injunction, which includes a “six-month non-publication order over the names of the solicitors and counsel acting for Qantas in the matter.” Again, we’ll try to get answers from the company.
What Qantas Insurance Does Cover
While we couldn’t find information on cyber insurance in the annual report, it did note the company maintains “D&O insurance,” or coverage for Qantas directors and officers. This could come in handy if it turns out Qantas was underinsured for cyber attacks and customers and/or shareholders sue the board and executives.
Ignorance about the need for cyber insurance is probably not a defense for Qantas, given all the headlines and government warnings over recent years, not to mention that one Qantas board member was chair of a company that provides cyber insurance.
Related Posts
