
Authored By Packetlabs

Today, we outline the complete list of major cyber breaches in Australia.
Each year in Australia there are thousands of cyber breaches affecting businesses. While most of these breaches affect smaller businesses, occasionally there are “major” cyber breaches that impact large organisations and a huge number of people.
For Australian businesses, knowing how these cyber breaches occurred can help them protect their own data by ensuring they don’t allow the same thing to happen to them.
Below, we’ve listed the major cyber breaches in Australia that have had the biggest impact on the largest number of people.
The Victorian Department of Education confirmed a significant data breach impacting all 1,700 government schools across the state. An unauthorized third party accessed systems containing the personal information of both current and former students, with data potentially including names, contact details, enrolment records, and other education-related information.
The department stated that containment measures were implemented after detection and that investigations were ongoing to determine the full scope of accessed data. Notifications were issued to affected schools, and support services were made available due to the scale and sensitivity of the incident.
Australian car rental insurer Prosura disclosed a major data breach exposing the personal and insurance policy information of approximately 300,000 customers. The compromised data is understood to include names, contact details, policy numbers, and claim-related information.
Prosura confirmed the incident followed unauthorised access to its systems and engaged external cybersecurity specialists to assist with forensic analysis and remediation. Affected individuals were advised to remain vigilant for potential phishing or fraud attempts, and regulatory bodies were notified in line with Australian data breach requirements.
ASX-listed gold producer Regis Resources confirmed a cyber incident after threat actors claimed responsibility for breaching the company’s network. While the company did not immediately confirm data exfiltration, it acknowledged that unauthorized activity had occurred and that containment and investigation efforts were underway.
The incident raised concerns due to Regis Resources’ role in Australia’s critical mining sector, where cyber disruptions can impact operational continuity, safety systems, and supply chains. The company stated it was working with cybersecurity experts and relevant authorities to assess operational and data impacts.
The University of Sydney disclosed a cyber incident that resulted in the theft of personal data belonging to more than 13,000 individuals, including current and former staff, donors, and alumni.
The compromised information varied by individual but included names, contact details, and in some cases historical administrative records. The university confirmed the threat actors gained unauthorized access to internal systems before the breach was detected and contained.
Law enforcement and regulators were notified, and impacted individuals were offered identity protection services due to the sensitivity of the exposed data.
Australian jewellery brand BECKS confirmed it had suffered a cyber incident after ransomware group SafePay claimed responsibility and alleged data theft. While BECKS stated its investigation was ongoing, threat actors claimed to have accessed internal business information and customer-related data.
The incident highlights the growing targeting of retail and luxury brands, where customer trust and brand reputation are tightly linked. BECKS advised customers to be alert to potential scam activity while forensic analysis continued.
IKAD Engineering, a contractor operating within Australia’s defence supply chain, confirmed it had been impacted by a cyber incident amid a broader series of attacks targeting defence-linked organizations. The breach raised national security concerns due to IKAD’s involvement in sensitive engineering and maintenance programs.
While specific data types were not publicly detailed, officials acknowledged that systems were accessed without authorization. The incident underscored ongoing risks to defence supply chains, where smaller contractors are increasingly targeted as indirect entry points.
Queensland-based law firm Kelly Legal was listed by the INC Ransom group following an alleged October cyber intrusion. Threat actors claimed to have stolen more than 400 gigabytes of data, including human resources files and internal legal documents.
Kelly Legal confirmed it was investigating a cybersecurity incident and working with external experts to assess the claims. The incident reflects the continued targeting of legal firms, where sensitive client, employee, and case data presents high extortion value.
In a separate development, threat actors alleged they had maintained access to IKAD Engineering’s network for up to five months, claiming to possess sensitive information related to Australia’s Hunter and Collins class defence programs. IKAD confirmed a cyber incident and stated that investigations were underway to determine the accuracy and extent of the claims.
Prolonged dwell time, if confirmed, would represent a serious escalation in supply chain risk, highlighting the challenges of detecting advanced, low-noise intrusions.
The Sydney Centre for Ear, Nose and Throat (SCENT) notified patients of a potential data breach after identifying that one of its email accounts had been compromised. The incident may have exposed patient names, contact information, and limited clinical correspondence. SCENT stated that the breach was contained after detection and that no evidence of further system compromise had been found.
The event illustrates how email-based attacks continue to be a common entry point into healthcare organisations.
Victorian healthcare provider Point Lonsdale Medical Group disclosed that it had suffered a cyberattack resulting in unauthorised access to personal information.
While the full scope of impacted data was not immediately confirmed, the organization acknowledged that patient records may have been affected. The medical group implemented containment measures and notified relevant authorities, reinforcing the ongoing vulnerability of primary care providers to cyber threats.
Western Sydney University (WSU) disclosed a major cyber incident after hackers accessed highly sensitive personal and administrative data over an extended period between June 19th and September 3rd, 2025. The compromised information included passport details, tax file numbers, payroll records, and health-related information belonging to students and staff.
The university confirmed the breach involved unauthorised access to internal systems and prompted a large-scale forensic investigation, system resets, and regulatory notifications. The incident reinforced long-standing concerns about the scale and impact of cyber risk within large tertiary institutions.
Australian construction and materials company Benedict confirmed it had been listed by the INC Ransom group following a cyber incident. The company stated that an internal investigation identified that a subset of personal information had been accessed and taken.
While operational disruption was limited, the breach highlighted the exposure of industrial and infrastructure-linked organizations, particularly where legacy systems and distributed access models are in place.
Melbourne-based software provider VETtrak disclosed a cyber incident after customers experienced service outages across its platform.
The company confirmed unauthorised activity within its network and initiated incident response procedures to restore services and assess potential data exposure. As a provider of education and training management software, the incident raised concerns about downstream impacts on client businesses reliant on the platform for operational continuity.
Tasmanian aged care and disability not-for-profit CBS Tasmania confirmed it had been impacted by a ransomware attack attributed to the Lynx group.
Threat actors claimed to have exfiltrated client and staff data prior to encryption. CBS Tasmania acknowledged the breach and began notifying affected individuals, highlighting the heightened risk faced by healthcare and community service providers with limited cybersecurity resources.
A Qilin ransomware affiliate claimed responsibility for a cyber incident affecting Asahi, alleging the theft of approximately 27 gigabytes of data. The breach reportedly included Australian employee information as part of what the threat group described as a broader global data leak.
Asahi confirmed it was investigating the claims and working with cybersecurity specialists to determine the scope of exposure. The incident reflects continued ransomware targeting of multinational manufacturers operating across multiple jurisdictions.
WSU also warned students and staff of a large-scale email scam in which fraudulent messages falsely claimed that academic degrees had been revoked.
While the scam did not involve direct system compromise, it exploited existing weaknesses in email security and trust mechanisms. University officials described the incident as a serious indicator of persistent security gaps and the increasing sophistication of social engineering campaigns targeting higher education.
BMW confirmed a data breach involving a third-party service provider in the United States, after internal quality management and safety audit documents were leaked online. The company stated that no customer systems were directly compromised but acknowledged the exposure of internal operational materials.
The incident underscored the growing impact of third-party cyber incidents, even when core enterprise environments remain secure.
Victoria’s Loyola College confirmed a ransomware attack after the Interlock ransomware group published nearly 600 gigabytes of stolen data on the Dark Web.
The compromised information reportedly included passports, financial records, and personal details of staff, students, and parents. The college reset all credentials across its environment and engaged law enforcement, illustrating the severe impact ransomware attacks can have on educational institutions.
Australian ISP iiNet confirmed a data breach impacting more than 200,000 customers after unauthorized access to its order management system. The compromised data included customer names, contact details, and service-related information, though iiNet stated that financial credentials were not exposed. The company isolated affected systems, launched a forensic investigation, and notified impacted customers.
The incident highlighted ongoing risks within telecommunications providers, where customer identity data is frequently targeted for fraud and credential-stuffing campaigns.
Scotch College in Melbourne disclosed a data breach after detecting unauthorised access to its systems over a weekend period. The incident exposed alumni, student, and family records, prompting immediate server shutdowns and account suspensions.
A forensic investigation was launched to determine the scope of accessed data, underscoring the vulnerability of educational institutions holding long-lived personal records across generations.
Belmont Christian College in New South Wales confirmed it was investigating ransomware claims after threat actors alleged they had exfiltrated student and employee data. While the school did not immediately confirm data theft, it acknowledged a cyber incident and began containment and recovery efforts.
The case reflects the continued targeting of schools by ransomware groups seeking low-resistance entry points and high-leverage personal data.
Australia’s largest home builder, Metricon Homes, confirmed a ransomware attack following an IT outage that disrupted operations nationwide. The Qilin ransomware gang subsequently published employee data to the dark web, confirming data exfiltration.
Metricon engaged external cybersecurity specialists and notified affected individuals, highlighting the growing operational and reputational risks ransomware poses to large construction and property firms.
Luxury fashion brand Louis Vuitton confirmed that Australian customers were affected as part of a broader cyber attack impacting its global operations.
The company stated that customer contact and purchase-related data may have been accessed, though no payment information was exposed. The breach illustrated how global consumer brands remain attractive targets due to the value of customer identity data and brand trust.
Global technology distributor Ingram Micro issued a statement confirming the detection of ransomware on certain internal systems. The company isolated affected environments and initiated recovery processes, while assessing potential data exposure.
Given Ingram Micro’s role as a critical supplier within the technology ecosystem, the incident raised concerns about downstream supply chain risk.
The United Australia Party (UAP) confirmed a ransomware attack that exposed personal data and internal email correspondence. The party stated it was impracticable to notify all affected individuals due to the scope of the breach.
The incident highlighted persistent cybersecurity challenges within political organizations, where sensitive personal and political data can be weaponised.
OMARA disclosed an accidental data breach in which the personal details of six registered migration agents were inadvertently published online.
While limited in scale, the incident underscored the ongoing risk of human error and misconfiguration within government and regulatory platforms handling sensitive professional data.
An Adelaide-based women’s health clinic confirmed it had suffered a cyberattack after threat actors claimed to have exfiltrated sensitive patient data.
The clinic initiated containment measures and notified affected patients, reinforcing the high stakes of cybersecurity failures within healthcare environments where privacy and trust are paramount.
Qantas confirmed a cyberattack affecting up to six million customers after a call centre system was compromised. The stolen data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
While no financial data was exposed, the breach represented one of the largest customer data incidents in Australia, significantly increasing fraud and identity theft risks for affected individuals.
Australian managed service provider Vertel confirmed it had been hit by a Space Bears ransomware attack after the group listed the company on its leak site. Threat actors claimed to have stolen internal and customer-related data and threatened public release within days.
As an MSP servicing government and enterprise clients, the incident raised concerns about cascading risk to downstream customers relying on Vertel’s network access and managed services.
Western Australia–based engineering firm Pressure Dynamics confirmed a ransomware attack attributed to the DragonForce group.
More than 100 gigabytes of internal data were published online, including operational and commercial information. The breach demonstrated the increasing targeting of industrial and engineering firms whose operational continuity and intellectual property are critical to resource and infrastructure sectors.
NSW financial services firm Skeggs Goldstien confirmed it was investigating a cyber incident after being listed on the Qilin ransomware leak site.
Threat actors claimed to have accessed internal financial and client-related data. The incident highlighted the ongoing pressure on financial advisory firms, which remain attractive targets due to their access to sensitive personal and financial information.
Melbourne-based financial services aggregator 3P Corporation was listed as a victim of the Space Bears ransomware group, which published more than 200 gigabytes of internal documents and customer data.
While the company denied an April breach, the public release of data confirmed significant exposure. The case underscored the reputational and regulatory risks associated with disputed breach disclosures.
The Legal Practice Board of Western Australia confirmed a Dire Wolf ransomware attack that forced several systems offline, including online services.
An investigation was launched to assess potential data exposure. As a legal regulator, the breach raised serious concerns around confidentiality, regulatory oversight, and trust in professional governance systems.
Victorian accounting firm MKA Accountants confirmed it had suffered a ransomware attack after being listed on the Qilin leak site. Internal documents were published, indicating data exfiltration prior to encryption.
The incident reflected the continued targeting of professional services firms with limited security resources but high-value financial data.
The Australian Human Rights Commission disclosed that more than 600 submissions were accidentally exposed online due to a data handling error. The leaked material included sensitive personal information provided to the Commission between early April and May.
The incident reinforced the risks posed by misconfiguration and human error within public sector data systems.
Australian steel subcontractor Watkins Steel confirmed an Akira ransomware attack after the group claimed to have stolen approximately 17 gigabytes of data.
This incident disrupted operations and exposed commercial information, illustrating how ransomware groups continue to target construction and manufacturing firms embedded within critical infrastructure supply chains.
Car rental giant Hertz disclosed that customers’ personal data, including driver’s licence details, had been stolen following a cyberattack on a third-party service provider.
The breach occurred between October and December 2024 but was confirmed publicly in April 2025.
The Fullerton Hotels and Resorts confirmed a cyber incident impacting its Sydney property after threat actors published approximately 148 gigabytes of stolen data.
Exposed information reportedly included passports and driver’s licences belonging to hotel guests. The breach underscored the sensitivity of identity documents collected in the hospitality sector and the long-term fraud risks associated with their exposure.
Australian fintech firm Vroom by YouX was found to have exposed a non-password-protected database containing driver’s licences, banking documents, and personally identifiable information.
The exposure was identified by a security researcher and quickly remediated. The case illustrated how misconfigured cloud infrastructure can lead to large-scale data exposure without an external attacker.
NSW Police launched an investigation after a significant breach was identified on a secure government platform operated by the Department of Communities and Justice.
Thousands of court documents were reportedly downloaded by unauthorized parties. The incident raised serious concerns around access controls and data segregation within government-managed digital services.
Laboratory supplier CI Scientific was listed by the Lynx ransomware group, which claimed to have exfiltrated approximately 81 gigabytes of data.
Leaked materials reportedly included human resources documentation and internal business records. The incident highlighted the increasing targeting of specialised suppliers supporting healthcare and research sectors.
Sydney-based travel company Wendy Wu Tours was listed by the KillSec ransomware group, which claimed to have exfiltrated sensitive customer data, including scanned passports.
The incident reinforced ongoing risks within the travel sector, where identity documents are frequently collected and retained across booking and verification processes.
The ANZCTR confirmed that a cyberattack disrupted its website for approximately one week, delaying access to clinical trial data relied upon by researchers and healthcare professionals.
While no large-scale data theft was confirmed, the outage demonstrated how attacks on research infrastructure can impact public health and scientific collaboration.
The Riverina Medical and Dental Aboriginal Corporation confirmed it was investigating a cyber incident that may have involved unauthorised access to personal data. The organisation stated the incident had been contained, but acknowledged the sensitivity of the information involved.
The breach raised concerns about the targeting of Aboriginal and Torres Strait Islander healthcare providers, where patient data is both highly sensitive and often limited in redundancy protections.
Hackers published alleged patient data and CCTV footage following a cyber incident at Pound Road Medical Centre in Victoria.
The leaked materials reportedly included personal and medical information, escalating privacy and safety concerns. The incident underscored the growing use of data extortion tactics against healthcare providers, particularly smaller clinics with limited security resources.
Major IVF provider Genea Fertility confirmed a cyberattack that disrupted operations and delayed patient treatments.
While investigations were ongoing, the incident demonstrated how cyber events can directly impact patient care, not just data confidentiality. Fertility and reproductive health providers continue to face elevated risk due to the deeply personal nature of the information they hold.
Queensland-based truck dealership Brown and Hurley was listed by the Lynx ransomware group, which claimed responsibility for a cyberattack.
Hackers alleged the theft of internal business data, though the company had not publicly confirmed the full scope of the breach at the time. The incident reflected continued ransomware targeting of automotive and logistics-related businesses.
The Albright Institute confirmed it was investigating a cyberattack after the KillSec ransomware group claimed to have stolen personal and business data. As an education provider serving international students, the incident raised concerns around the exposure of passport, visa, and financial information commonly stored within student administration systems.
Australian National University disclosed it was investigating an alleged cyberattack following claims by threat actors.
While details remained limited, ANU’s history of being targeted by sophisticated attackers heightened concern around the potential exposure of research, staff, and student data. Universities remain high-value targets due to their open networks and intellectual property.
The Akira ransomware group claimed responsibility for a cyberattack on Regency Media, a now-closed Australian media company.
Although operational impact was limited due to the company’s closure, the breach highlighted ongoing risks associated with legacy systems and residual data stored after business wind-downs.
Australian automotive manufacturer Clutch Industries confirmed it had been impacted by a cyberattack affecting its operations.
While limited details were disclosed, the incident contributed to a broader pattern of cyber threats targeting manufacturing environments reliant on interconnected operational technology and supply chain systems.
JB Hi-Fi was named by a threat actor claiming to possess data from approximately 12 million customer records. The retailer publicly denied that a breach had occurred, stating there was no evidence its systems had been compromised.
The incident highlighted the growing issue of false or exaggerated breach claims being used to generate panic, extort organisations, or fuel phishing campaigns targeting customers.
Sydney-based construction firm Novati Constructions was listed by the Lynx ransomware group, which claimed to have stolen contracts, financial records, and incident reports.
The attack reflected the growing ransomware focus on construction and infrastructure companies, where operational disruption can rapidly escalate into financial and contractual risk.
The RipperSec group claimed responsibility for a cyberattack on a University of New South Wales physics-related website. While the university confirmed awareness of the incident, investigations were ongoing.
Academic institutions continue to face persistent targeting due to publicly accessible research systems and distributed access controls.
The Qilin ransomware operation claimed it had stolen nearly 30,000 files from freight forwarder Globelink International following an alleged December breach.
Logistics and freight firms remain high-risk targets due to their role in global supply chains and reliance on interconnected partner systems.
ARDEX Australia confirmed it was investigating a cyberattack after the Medusa ransomware group claimed responsibility.
Hackers alleged access to internal company data, adding to a pattern of ransomware attacks affecting Australian manufacturing and building materials suppliers.
Volkswagen disclosed that data associated with nearly 800,000 electric vehicle owners had been exposed through a third-party system.
The incident demonstrated how automotive manufacturers increasingly face data security risks beyond traditional vehicle systems, particularly through connected services and external vendors.
SquareX revealed a critical breach affecting the Cyberhaven browser extension, where attackers targeted Chrome extension developers to compromise trusted tools.
The incident underscored the rising risk of supply chain attacks within browser ecosystems and developer platforms.
CellOPark responded to concerns over a potential data breach after customers of a Brisbane council parking app received unusual emails suggesting their information may have been exposed.
While investigations continued, the incident raised concerns about third-party software providers used by local governments and the risks posed by misconfigured or poorly secured customer communication systems.
The Medusa ransomware group claimed responsibility for an attack on Ainsworth Game Technology, alleging the theft of more than 850 gigabytes of internal data.
As a manufacturer of gaming machines, the incident raised concerns around intellectual property exposure and operational disruption within the gaming and entertainment technology sector.
A ransomware gang alleged that unprotected data belonging to Queensland law firm Nicholsons Solicitors had been accessed and exfiltrated following the firm’s closure.
The breach highlighted ongoing risks associated with data retention and security controls when organizations cease operations or transition systems.
Equinox disclosed a data breach involving the personal and health information of clients and staff.
The organization confirmed unauthorized access to sensitive records, reinforcing concerns about the growing frequency of healthcare-related data breaches and the long-term privacy implications for affected individuals.
The exploitation of the MOVEit file transfer vulnerability continued to impact businesses globally, including Australian entities.
Sensitive employee and customer data from multiple companies was exposed, reinforcing the risks posed by widely deployed third-party software and delayed patching cycles.
The NoName ransomware group claimed cyberattacks against multiple Australian organisations, including the Coroners Court of Victoria and the Tasmanian Chamber of Commerce and Industry.
The Coroners Court confirmed a cyber incident affecting parts of its systems, highlighting the ongoing targeting of public sector institutions that manage sensitive legal and personal records.
Australian mortgage broker Finsure confirmed a cyber incident after nearly 300,000 unique email addresses linked to customers and brokers appeared on the data breach monitoring site Have I Been Pwned.
While the company stated its core systems were not compromised, the incident underscored the exposure risks faced by financial services firms and their partner ecosystems.
A threat actor claimed to be selling the personal data of more than 44,000 Telstra employees on an underground forum.
Telstra acknowledged awareness of the claims and initiated an investigation, reinforcing the persistent risk of employee data exposure through third-party or credential-related compromises.
Snow Brand Australia confirmed it had suffered a ransomware attack attributed to the SafePay group.
The company reported that limited employee data was affected, illustrating how ransomware groups increasingly target subsidiaries of multinational organisations to exploit local operational weaknesses.
The RansomHub ransomware group claimed an attack on Waive, a compliance platform used by Australian Securities and Investments Commission (ASIC)-regulated entities.
The incident raised concerns about the security of regulatory technology providers and the downstream risk posed to regulated organisations.
Cisco confirmed it had experienced a cyber incident but stated that its core systems were not breached.
The disclosure followed claims circulating online, highlighting the reputational and operational challenges organisations face even when attacks are contained.
Nokia disclosed that source code was allegedly stolen during a third-party cyber incident.
The breach highlighted the risks posed by supplier access to sensitive development environments and the long-term implications of intellectual property exposure.
Australian not-for-profit ANU Enterprise confirmed it had been affected by a ransomware attack, resulting in system disruptions and data security concerns.
The incident underscored the vulnerability of research-adjacent organizations operating with constrained security resources.
Threat actors alleged that employee data was stolen during a cyber incident affecting IBM, with information reportedly published online.
IBM stated that it was investigating the claims and that there was no evidence customer data had been impacted, highlighting the ongoing risk of employee-focused breaches even within mature security environments.
Australian automotive servicing chain Ultra Tune confirmed it had suffered a cyber incident following claims by threat actors.
While the full scope of the breach was not immediately disclosed, the incident added to a series of attacks targeting automotive and franchise-based businesses.
Threat actors claimed that data belonging to major organisations including NAB, Vodafone, and Microsoft had been exposed as part of an alleged Cisco-related breach.
Cisco acknowledged a security incident but stated there was no evidence its production systems were compromised, underscoring the ripple effects of third-party breach claims across interconnected enterprises.
The Internet Archive suffered a series of cyber incidents throughout October, including what the organisation described as a “catastrophic” data breach impacting approximately 31 million users.
The attacks disrupted services and exposed user account data, illustrating the compounded risk of repeated intrusions during prolonged incident response efforts.
Qantas acknowledged a cyber incident affecting its frequent flyer systems, with customer passport details potentially exposed.
The disclosure reinforced the ongoing challenges airlines face in securing high-value personal data across complex digital ecosystems.
Deloitte acknowledged that internal communications were allegedly leaked following a cyber incident but stated that client data remained secure.
The event illustrated the reputational impact of breaches involving professional services firms, even when core client systems are unaffected.
Fortinet disclosed a third-party data breach affecting Asia-Pacific customers, following multiple incidents earlier in the year.
The breach highlighted persistent risks associated with supplier environments and credential reuse across large security technology vendors.
Ticketmaster confirmed it was investigating claims that customer data had been stolen following a breach of a third-party cloud data services provider.
Threat actors alleged access to names, contact details, and ticketing information. The incident reinforced the growing risk posed by SaaS and data platform dependencies, where compromise of a single vendor can impact millions of users globally.
Optus disclosed a cyber incident involving unauthorised access to internal systems after detecting suspicious activity.
While the company stated that customer data was not affected, the incident drew heightened scrutiny given Optus’ prior large-scale data breach and underscored the ongoing reputational impact of repeat cyber events.
Medibank confirmed additional fallout from its earlier breach after threat actors continued to reference stolen health data on underground forums.
Although no new systems were compromised, the ongoing circulation of previously stolen data highlighted the long-term consequences of healthcare breaches and the difficulty of fully containing post-incident risk.
Sydney Airport confirmed it was responding to a cyber incident affecting third-party systems used for operational support.
While flight operations were not disrupted, the incident highlighted the interconnected nature of airport ecosystems and the reliance on vendor platforms to maintain critical services.
Canva addressed renewed attention around historical breach data after user information resurfaced in credential-stuffing campaigns.
Although no new compromise occurred, the incident illustrated how legacy breaches continue to create downstream security risk years later when users reuse credentials across platforms.
The AEC confirmed it was investigating suspicious activity targeting online systems ahead of electoral processes.
While no voting infrastructure was impacted, the incident reinforced the sensitivity of democratic institutions and the heightened threat environment surrounding election-related systems.
Private hospital operator Healthscope acknowledged a cyber incident affecting administrative systems.
Although patient care continued, the incident underscored the persistent risk to healthcare providers managing both operational technology and sensitive medical records.
Meta warned users of increased phishing activity after attackers leveraged past data leaks and account recovery workflows.
The company reiterated that no new breach had occurred, but the incident demonstrated how trust in platform communications can be exploited to drive account takeovers.
AT&T confirmed a data breach affecting nearly 110 million customers after a dataset containing call and text metadata appeared for sale online.
While message content was not exposed, the scale of the incident raised serious concerns about surveillance risk, social engineering, and the long-term sensitivity of metadata. The breach underscored how telecommunications providers remain high-value targets due to the volume and persistence of customer data they retain.
Dell confirmed that customer data had been accessed following a breach of a third-party system used to manage customer information. The exposed data included names, physical addresses, and purchase details.
The incident highlighted ongoing third-party risk for global technology manufacturers and the downstream impact of vendor compromises.
Automotive software provider CDK Global continued to experience operational disruption following a ransomware attack that forced dealerships across North America and Australia to revert to manual processes.
The incident demonstrated how attacks on SaaS platforms can create immediate, industry-wide operational paralysis when critical systems are centralised.
Boeing confirmed it was investigating claims that internal documents had been stolen following a cyber incident at a third-party supplier.
The breach highlighted the persistent supply chain risks faced by aerospace and defence manufacturers reliant on complex global partner ecosystems.
UnitedHealth Group confirmed continued fallout from the Change Healthcare ransomware attack, including further disclosures about the scale of data exfiltration.
The incident remained one of the most disruptive healthcare cyberattacks on record, highlighting the national-level impact of attacks on healthcare infrastructure intermediaries.
Dell warned customers of increased phishing and credential abuse campaigns following exposure of customer contact data earlier in the year.
The activity highlighted how even limited data exposure can fuel extended social engineering and fraud campaigns long after the initial incident.
The Bank of Queensland disclosed a cyber incident affecting internal systems after detecting suspicious activity.
While customer funds were not impacted, the incident reinforced the financial sector’s ongoing exposure to credential-based and third-party attacks.
Brisbane City Council confirmed it was investigating a cyber incident affecting select digital services.
While critical systems remained operational, the incident highlighted the ongoing targeting of municipal governments and the potential impact on public-facing services.
US-based Ascension Healthcare suffered a ransomware attack that forced hospitals to shut down electronic health record systems and divert patients.
While not Australia-based, the incident had global significance, illustrating how cyberattacks on healthcare providers can directly disrupt patient care and safety.
Reports emerged of sensitive Defence-related data being exposed through a contractor environment.
While the Department of Defence stated no classified systems were compromised, the incident highlighted the exposure created by complex defence supply chains and contractor access.
A ransomware attack on pathology provider Synnovis caused widespread disruption across NHS hospitals in London.
Diagnostic services were delayed or cancelled, demonstrating how attacks on healthcare suppliers can cripple frontline services without directly targeting hospitals themselves.
Ticketek disclosed a cyber incident linked to an external cloud-based platform used for customer services. While core ticketing systems were not compromised, customer contact information was potentially exposed.
The incident highlighted how peripheral systems can become high-value targets even when primary platforms remain secure.
Multiple NSW clubs and hospitality venues were caught up in a third-party data breach that exposed sign-in records for more than one million patrons.
The data, collected for compliance purposes, included names, contact details, and visit histories, reigniting debate around data minimisation and retention obligations.
The AHRC disclosed that more than 600 sensitive submissions were accidentally exposed online due to a configuration error.
The breach highlighted that data exposure incidents are not always malicious but can be equally damaging when sensitive personal information is involved.
The Legal Practice Board of WA disclosed a ransomware attack that forced several online services offline during its investigation.
The breach emphasized the growing focus on professional services regulators and legal institutions as ransomware targets.
Two of Australia’s largest superannuation funds confirmed they were affected by a coordinated cyberattack targeting the financial services sector. While investigations remained ongoing, the incident raised alarms about systemic risk across critical financial infrastructure.
Sydney-based law firm Brydens Lawyers disclosed a serious cyber incident following a February network intrusion.
A ransomware group claimed responsibility and alleged the exfiltration of approximately 600GB of sensitive data, including client files and internal legal documents. The incident highlighted the continued targeting of law firms due to the high value and sensitivity of legal records.
Threat actors alleged a cyberattack against Zurich Insurance Group, claiming access to sensitive corporate data.
While Zurich stated investigations were ongoing and did not confirm customer data exposure, the claim reinforced the attractiveness of large insurers to extortion-focused threat actors.
A Canberra-based medical centre confirmed that patient data was accessed during a cyber incident affecting its systems.
The compromised information was reported to include personal and health-related data, reinforcing ongoing concerns around cybersecurity resilience in small and mid-sized healthcare providers.
Sydney radiology provider Quantum Radiology disclosed a cyber incident after patient information was accessed. Internal communications later revealed staff were initially instructed to describe the breach as a “technical fault,” drawing scrutiny over transparency and incident response practices in healthcare organisations.
Government departments linked to the Australian Labor Party were affected by a significant data breach that resulted in millions of files being stolen.
The incident raised national security and governance concerns, with investigations launched into the scope of sensitive information accessed.
Further details emerged confirming MediSecure as the company at the centre of one of Australia’s largest healthcare data breaches.
The incident ultimately impacted approximately 12.9 million Australians, with prescription and personal data exposed.
Cyber incidents in Australia have shifted from isolated IT events to systemic, cross-sector crises affecting government, education, healthcare, finance, retail, logistics, critical infrastructure, and the supply chain.
What began years ago as sporadic breaches tied to misconfigurations and basic credential compromise has evolved into persistent, industrialized cybercrime, dominated by ransomware, extortion, and large-scale data theft.
Several recurring attack patterns appear consistently:
Ransomware and extortion have become the dominant threat model, with groups such as LockBit, Qilin, Medusa, RansomHub, Akira, and Rhysida repeatedly targeting Australian organizations of all sizes
Third-party and supply chain compromise is a major fault line, impacting airlines, universities, government agencies, healthcare providers, and retailers even when their own core systems were not directly breached
Identity-based attacks such as credential stuffing, phishing, MFA fatigue, and email compromise remain the most common initial access vectors, often leading to lateral movement and data exfiltration
Sensitive data exposure increasingly includes passports, driver’s licences, medical records, payroll data, and legal documents, significantly increasing long-term harm and regulatory risk
Education, healthcare, and government sectors are disproportionately affected, reflecting both high data value and constrained security maturity
From 2023 onward, the volume and severity of incidents accelerate sharply, with record-breaking breach counts, multi-million–record exposures, and prolonged attacker dwell time becoming common.
The period from 2024 to early 2026 shows a marked rise in the following across Australia:
Multi-stage attacks
Public leak-site pressure
Delayed breach disclosure
Secondary scams exploiting breach notifications themselves
The cybersecurity threat landscape now rewards attackers who exploit trust, shared infrastructure, and operational complexity rather than sophisticated zero-day exploits.
For organizations, the takeaway is that resilience, identity security, third-party risk management, and incident readiness are foundational to operating in Australia’s modern digital economy.