Coldplay kiss cam: When private conduct becomes a governance risk
A viral scandal shows why boards must prepare for reputation-led crises – and ensure culture, conduct and CEO oversight are robust.
Communication key as Qantas navigates cyber breach turbulence
Communication key as Qantas navigates cyber breach turbulence
The attack on Qantas is shaping up to be one of the most significant cybersecurity-related news stories this year, with the personal information of up to six million frequent-flyer customers compromised in what the airline is saying was a breach of its call centre software.
In an era where intrusions by cybercriminals are no longer a surprise, the breach itself is somewhat unremarkable. What makes this case notable is the airline’s response – particularly the speed and structure of its communications in the immediate aftermath, especially under the intense spotlight of media and public scrutiny.
While details of the full scope and cause of the incident remain elusive as Qantas continues its digital forensic investigation, the airline moved quickly to acknowledge the breach, set up mechanisms to contact customers and make public statements.
Within three days of detecting the unauthorised access, the company had established dedicated enquiry channels, updated its website with plain-language information, and issued statements to media outlets. Direct emails to impacted customers followed shortly after.
Chief Executive Vanessa Hudson made early, direct remarks that struck an appropriate tone – calm, clear, and empathetic – in a move demonstrating how the airline was taking ownership of the situation, even as the crisis was still unfolding. Later updates affirmed that Qantas’ systems were secure and no credit card details, personal financial information or passport details were accessed.
Planning is key
A strong initial cyber crisis response doesn’t happen by accident. Directors should note that such a communication approach is likely to be underpinned by a robust cyber crisis communications plan that has been validated through testing and regular review.
In the face of a cyber-attack – particularly one involving sensitive data – the ability to communicate the facts quickly goes a long way in maintaining customer trust, eliminating confusion while limiting the ability of others (unaffiliated commentators, or even the hackers themselves) to sway the narrative.
For boards, this should serve as a prompt to ask whether their own organisations are similarly equipped to communicate swiftly and credibly in the midst of a major cyber crisis.
A high level of preparation is especially important in industries where trust is existential. For an airline, any incident, cyber or otherwise, invites questions about safety, risk and reliability. In this context, Qantas’s decision to front foot its communications is both strategically necessary and reputationally effective. While its brand has endured a year marred by operational complaints, leadership controversies and regulatory scrutiny, the response to this breach suggests a deliberate effort to restore public confidence and reaffirm the airline’s role as a trusted carrier.
What distinguishes Qantas’s response from other high-profile Australian breaches in recent memory, such as the disastrous 2022 Optus incident, is a greater degree of transparency and timeliness. Beyond simply offering an early media statement, business must open a direct line with customers and communicate with them in a way that demonstrates accountability, even when the facts are still emerging. It is a delicate balance, and one that Qantas, thus far, has managed with more agility than Optus, where poor communication became a lightning rod for scathing public and media critiques.
The coming weeks will determine whether this early goodwill can be sustained. Reputational recovery from a cyber breach is rarely linear and it can take months for an investigation and remediation to conclude. As further details emerge, along with the risk of legal retaliation and regulatory attention, the airline will need to maintain its commitment to open, consistent communication. For now, however, Qantas has laid a credible foundation.
Boards should take note, not only of the breach itself, but of the manner in which it has been handled. In an environment where such attacks and breaches are a case of if, not when, being able to deploy fast and effective communications may be the most enduring marker of resilience in the face of intensifying cyber threats.
Find practical advice on the board’s role in a crisis here.
Related content
