Cyber threats are no longer hypothetical; they are inevitable. No company is immune. They are operational, reputational and psychological stress tests of leadership. The question for boards is no longer “Are we secure?” It is, “When this happens to us, will we govern it well?”
On 30 June last year, the IT team at Qantas detected unusual activity on a third-party servicing platform used by one of its passenger contact centres. System issues are not unusual; could it have been a glitch? Further investigation confirmed a cyber attack had occurred.
It had exposed customer names, addresses, phone numbers, email addresses and frequent flyer information. Fallout from the breach impacted almost six million customers, whose data was stolen and later released on the dark web. An undisclosed ransom was demanded and refused.
It was the latest in a series of breaches at large Australian corporations, including the Optus and Medibank cyber breaches in 2022, and Latitude Financial in 2023.
In the Optus attack, personal data of 10 million current and former customers was stolen following a hack caused by an unsecured API (application programming interface).
With Medibank, hackers stole personal and health data of 9.7 million current and former customers. They breached the system using stolen credentials, and later dumped data on the dark web after a $15m ransom demand was refused.
In the Latitude attack, the customer records of 14 million Australians and New Zealanders were stolen, including driver’s licence and passport information.
The Qantas attack highlighted inadequate oversight of third-party vendors, outdated and inadequate security controls and a failure to treat cybersecurity as a core strategic risk. The board’s decision to penalise its CEO and top executives with pay cuts emphasised that cybersecurity is now a governance concern requiring management oversight. By linking executive compensation to its cyber response, Qantas tied executive accountability directly to data protection.
A growing threat
“Threat actors have been at this endeavour for a long time, and they keep getting better,” says Anneliese McDowell, executive director of strategy and consulting at cybersecurity company CyberCX.
“The challenge is staying a step ahead. High-profile incidents have made organisations more cognisant that cybersecurity is everyone’s responsibility. Boards and executives now need to understand how the environment is changing to adapt quickly.”
An increasingly digital society has created a playground for cyber criminals. Ransomware, credential theft and supplier compromise have shifted conversations around cyber risks from “if” to “when”.
Richard Addiscott, a vice president analyst with business and tech advisory firm Gartner’s global cybersecurity research and analysis practice, describes cybercrime as a “clear and present danger” and notes that the prevalence of artificial intelligence has enabled malicious actors to execute attacks on a larger scale and at a faster rate.
“Threat actors have become more emboldened and sophisticated through their ability to harness AI to create things like deepfake audio and video, for fraud and to automate multistage attacks,” he says. “They are targeting people, not just technical vulnerabilities, and this makes social engineering very effective.”
Data from IBM shows the global average cost of a data breach reached US$4.4m in 2025. Meanwhile, the latest Microsoft Digital Defence Report shows Australia ranked 10th globally, and fourth in Asia and the Pacific for the frequency of cyber activity impacting customers. Ransomware continued to drive extortion risk in FY2024–25, with the Australian Signals Directorate’s Australian Cyber Security Centre (CSC) responding to 138 ransomware incidents. The CSC’s latest Cyber Threat Report shows data theft commonly occurs after cybercriminals gain access via compromised accounts or by exploiting vulnerabilities, often to enable extortion.
The scale and speed of cyber crime also means that victims can be targeted in multiple locations simultaneously. In the case of the Qantas attack, the airline was one of close to 40 organisations globally to be targeted, including Disney, Google, IKEA, Toyota and airlines Air France and KLM.
Governance under pressure
The Qantas incident demonstrates that responding to a breach is not a single decision, but a crisis that unfolds with incomplete information and external pressure for certainty.
Rachael Falk MAICD is a partner at Ashurst Risk Advisory’s cyber and technology risk team and co-author of Cyber Security Governance Principles and Governing Through a Cyber Crisis, joint publications by the AICD and the Cyber Security Cooperative Research Centre. She likens cyber incidents to icebergs — you see the tip first, but it takes time to understand the full scope. How did a breach happen? What was taken? How many customers were impacted?
“Leaders need to be comfortable making high-stakes decisions in ambiguity,” says Falk. “You won’t have perfect information, not on day one, and sometimes not even six to 12 months later.”
However, with the scale of threats increasing, Mathew Graham, regional chief security officer for APAC at cybersecurity firm Okta, says decisions that used to take weeks must now be made in hours.
“Are you going to engage with the cyber attacker? Who is going to be the spokesperson — is it the CEO or the CSO? There are disclosure obligations in terms of regulators, insurers, police, customers. How quickly can these be met? These are governance decisions. They are ethical and commercial decisions, not technical decisions.”
A Qantas spokesperson told Company Director the airline has a “long-standing and mature governance framework that ensures cyber risk is treated as a whole-of-enterprise issue, not just a technology challenge”.
When the data breach was detected, the airline took immediate steps to secure the system and worked closely with the Australian Federal Police, the National Cyber Security Coordinator and the CSC.
“We also notified the Office of the Australian Information Commissioner (OAIC), as well as privacy and data protection regulators in relevant overseas jurisdictions.”
The airline implemented additional security measures to further restrict access and enhance system monitoring and detection across the business. In the months following the incident, Qantas reorganised its executive team, placing cybersecurity under the remit of its chief risk officer, Andrew Monaghan.
The CRO position was created in 2023 as part of structural changes linked to Vanessa Hudson’s appointment as Group CEO. A Qantas spokesperson says the role brings together risk management for the group as a whole to provide the highest level of oversight and governance.
Trust at risk
In instances such as the Qantas crisis, systems can be secured relatively quickly, but trust remains the key asset at risk. Recovery is often measured by how quickly stakeholders believe an organisation is in control, transparent and acting in good faith.
Qantas’ communication with customers was prompt. It publicly announced the cyber breach on 2 July and informed customers whose data may have been stolen. It offered access to a dedicated support line as well as specialist identity protection advice and services for customers who enquired or required additional support. An injunction was also granted to Qantas by the NSW Supreme Court to prevent the stolen data from being accessed or published by any third parties.
Cameron Whittfield, a partner in cyber, data and emerging technologies at law firm Herbert Smith Freehills Kramer, says good communication is not compliance-driven. “Transparency builds trust, even when information is incomplete. Organisations must be realistic about what can be shared and empathetic toward those affected. The process may be time-consuming, but clear, consistent communication maintains credibility and protects relationships.”
However, John Macpherson, leader of Ashurst’s cyber and technology risk team, who co-authored Governing Through a Cyber Crisis, notes communication during a cyber attack is a key area where many boards go wrong. He says there is a risk of directors overstepping into operational roles.
“They get stuck with the red pen redrafting comms that the crisis management team or communications team have developed. It’s not an effective use of their time and it’s also not great governance. In the cyber governance principles we established, a board should look at communications through a prism of, ‘Are we being timely, transparent and accurate? Have we considered the necessity of legal professional privilege to manage downstream risk?’ This gives boards a principles-based way of governing communications, rather than actually doing the communications.”
Lessons for boards
Cyber extortion brings significant pressure to the boardroom, but the question for directors is no longer, “Are we secure?” Boards need to be asking, “When a cyber threat happens to us, will we govern it well?” In these moments, rehearsed governance outweighs technical capability.
Boards should have a clear, well-tested understanding of both prevention and response. Macpherson says this includes a ransom payment playbook.
“Governance isn’t just about the payment decision, it’s also about the decision to engage with the cyber attacker in the first place. That step should be clearly carved out and handled at the most senior levels.”
Falk adds that when it comes to paying a ransom, the central question for boards is, will paying be the most effective way to mitigate the risks we’re facing?
“If sensitive data is stolen, will payment actually protect customers? If there’s a major outage, will payment accelerate recovery? Most of the time, the answer is no, but cybercriminals are very persuasive. They try to create urgency and push you into a rapid decision. Good governance deliberately slows that down. It ensures the decision is purposeful, considered and aligned with stakeholder interests. We often see boards shift from initially thinking payment might help, to recognising it’s not an effective risk mitigation tool.”
Board reporting is another critical issue for cyber risk management, says Macpherson. “Too often, it’s highly technical and metric-heavy, but doesn’t clearly articulate organisational vulnerability or cyber risk exposure. Boards need reporting that enables governance, not confusion.”
Beyond incident response, McDowell says organisations must constantly improve their security posture. “Directors must understand the organisational context, such as customer-facing versus non-customer-facing, so resources focus on the right priorities. Cybersecurity should be targeted. Buying all the tools is unnecessary if priorities are clear.”
The Qantas cyber crisis is a clear lesson – cyber risk is not just a tech problem. The airline invested heavily in cybersecurity and still faced extortion, data risk and prolonged uncertainty. “We must recognise we can’t presume digital crime will be fully preventable,” says Whittfield. “Boards need to build their cyber resilience so that when an incident occurs, which it probably will, they are as prepared as possible.”
This article first appeared under the title 'Hacked' in the April/May 2026 Issue of Company Director Magazine.