List of Cyber Attacks and Data Breaches in Australia 

Cyber incidents in Australia ranged from massive ransomware attacks to opportunistic database exposures throughout 2025. This report, produced with the aid of machine‑learning tools, reviews known data breaches that became public between January 2025 and January 2026.

The article is modelled on Bright Defense’s month‑by‑month breach round‑up and is intended for general awareness. It combines open sources, company statements and press reports. Please see the sources section at the end for citations.

Breaches Occurred in Australia in January 2026

1. Prosura “Policy Modification” Email Sparks Breach Claims

Breach Disclosed: 04 Jan, 2026

A Whirlpool forum user reported receiving what appears to be a legitimate Prosura policy modification email that had been altered to include a threat actor’s breach claim, stating Hiccup/Prosura was breached on 01 Jan 2026.

The message referenced access to consumer data such as full names, emails, phone numbers, invoices, and policy details, and warned that broader leakage could follow if the company did not respond. Another forum member reported receiving the same email, while a moderator cautioned it could still be spoofing or a separate email scrape. (Geekzone)

Breaches Occurred in Australia in December 2025

1. University of Sydney Code Library Breach Affects 27k People

Breach Disclosed: 18 Dec, 2025

The University of Sydney disclosed that attackers accessed an online IT code library and downloaded historical test extracts containing personal information. The university said it was alerted the prior week, blocked access, and removed the identified datasets.

It estimates about 27,500 people are affected: around 10,000 current staff and affiliates and 12,500 former staff and affiliates as of 4 Sep 2018, plus about 5,000 alumni and students from 2010 to 2019. Exposed fields include name, date of birth, phone number, home address, and basic job details. 

The university reported no evidence of publication or misuse, notified authorities, and began individual notifications. (Sydney.edu)

2. BECKS Confirms Cyber Incident Amid SafePay Data Breach Claim

Breach Disclosed: 08 Dec, 2025 

BECKS Group Australia confirmed a cyber incident after the SafePay ransomware operation listed the company on its leak site in early December 2025 and alleged data theft. (DeXpose) BECKS said it contained the incident, alerted the ACSC, OAIC, and South Australia Police, and contacted customers and stakeholders with guidance. (Becks)

Its initial review indicates some data, potentially personal information, was likely compromised, while the full scope remained under investigation. (Becks) The company urged anyone who has dealt with BECKS to stay alert for phishing, invoice fraud, or unusual requests for information. (Becks)

3. Chaos Claims 512 GB Stolen in ThinkMarkets Cyber Attack

Breach Disclosed: 08 Dec, 2025

ThinkMarkets was listed on the Chaos ransomware extortion site on 08 Dec 2025, with wider reporting following on 12 Dec. The attackers claimed they stole 512 GB of data and later posted it after negotiations failed.

Reported samples allegedly include HR and legal files, client dispute records, internal trading material, and scans of employee passports and customer KYC documents, which increases the risk of identity fraud and account takeover. ThinkMarkets has not released a detailed public breach notice in available reporting, so the scope remains unverified.

Any email about withdrawals, KYC updates, invoices, or password resets should be treated as hostile, enable MFA, and closely monitor accounts and credit reports. (Ransomware)

4. Netstar Australia Data Breach Claim Risks Fleet GPS Tracking

Breach Disclosed: 18 Dec, 2025

Netstar Australia, a Melbourne fleet management and GPS telematics provider with government and critical-infrastructure customers, was tied to a data-extortion incident after Blackshrantac posted a leak-site entry dated 17 Dec 2025. Public coverage followed on 18 Dec 2025, describing ransomware presence and potential service disruption for fleet tracking users.

Reporting focused on possible exposure of telematics and location data, which can reveal routes, depots, shift patterns, and operational intent. The actor has not provided independently verified proof of full dataset contents, and Netstar has not released a detailed public scope statement. (Cyber News Centre) 

5. Harbour Town Doctors Listed in Rhysida Data Breach Claim

Breach Disclosed: 11 Dec, 2025

Harbour Town Doctors, a Gold Coast medical center, appeared on Rhysida’s leak site on 11 Dec 2025, with a further leak-site update reported on 17 Dec. Rhysida claimed theft of sensitive patient information and posted screenshots that appear to show health summaries, medical record transfer forms, and pathology reports on clinic letterhead.

Reporting also cited a ransom demand of 5 BTC, roughly $137,000 AUD at the time, and a threat to publish data if payment was not made. The clinic has not published detailed confirmation in the same sources, so scope remains claim-based. Patients should treat requests for identity checks, payments, or “record updates” as suspicious.

6. INC Ransom Claims 1 TB Stolen in Avenira Cyber Attack

Breach Disclosed: 18 Dec, 2025

Avenira Limited, a Perth-based mining company, came into public view after Insurance Business reported on 18 Dec 2025 that an INC Ransom affiliate listed avenira.com on a darknet leak site and claimed it removed about 1 TB of data. Leak monitors also logged the victim entry on 17 Dec 2025.

The posted samples were described as internal memoranda, mineral exploration reports, confidentiality agreements, signed correspondence, and NDAs. Avenira had not issued a public statement on scope or impact at the time of reporting, so the claim remains unverified. Partners should treat invoice changes and document requests as suspicious, and watch for phishing tied to project paperwork. (Insurance Business)

Breaches Occurred in Australia in November 2025

1. Medusa Ransomware Targets Oscars Group, Seeks $100,000

Breach Disclosed: 05 Nov, 2025

Oscars Group, an Australian hospitality operator, appeared on Medusa’s extortion site after a claimed ransomware intrusion. Medusa’s leak page is dated 05 Nov 2025, and several trackers logged the listing on 06 to 07 Nov 2025, which is the closest public timeline.

The actors alleged access to internal systems, posted sample files, and listed an estimated $100,000 demand. Public reporting has not confirmed the total volume or which records were taken, so scope remains uncertain. Expect targeted phishing toward venue staff and suppliers, invoice diversion attempts, and credential stuffing tied to exposed email addresses. Verify any banking change request through a known phone number. (DeXpose)

2. Cyber Attack Files Posted on Australia’s $7B Redback Program

Breach Disclosed: 10 Nov, 2025

Reports dated 09 to 10 Nov 2025 said Cyber Toufan posted images and technical files tied to the ADF’s Land 400 Redback program after claimed access to Israeli defense contractors through supply chain firm MAYA Technologies. Sources described 3D models, blueprints, and related contractor communications. The posts referenced audits and design material linked to contractors such as Elbit Systems.

Coverage treated it as a supply chain exposure, not direct access to ADF networks, but the files still support phishing, impersonation, and technical intelligence collection. Teams connected to Land 400 should tighten vendor access controls and verify sensitive file sharing. (The defense post)

3. INC Ransom Claims 447 GB Stolen in Kelly Legal Breach 

Breach Disclosed: 13 Nov, 2025

Kelly Legal, a Queensland law firm, surfaced in ransomware reporting after INC Ransom posted a leak-site entry dated 13 Nov 2025 and claimed theft of 447 GB of data. Reported material includes contracts, financial and customer records, and HR files, which may expose staff identity documents and sensitive client work product.

Several reports link the event to an October 2025 IT and phone outage at the firm. No detailed victim notice has appeared publicly, so scope remains claim-driven. Clients and counterparties should verify payment-change requests out of band, reset reused passwords, and watch for targeted phishing.(HR Leader)

4. Brotherhood Claims 4.8 GB Stolen in Nina’s Jewellery Data Breach

Breach Disclosed: 15 Nov, 2025

Nina’s Jewellery, a Western Australia jeweler, appeared on the Brotherhood ransomware leak site on 15 Nov 2025, the earliest verified public disclosure. Reports tied to the listing said the actors claimed theft of about 4.8 GB, including stock and financial records plus website member details such as email addresses and phone numbers.

Leak indexing shows limited technical detail in the post, so scope remains claim-based. As of late Nov 2025, Nina’s Jewellery has not released a detailed public notice confirming impact. Treat unexpected emails as suspicious and verify payment requests through known channels. (Onion Pages, RedPacket Security)

5. IKAD Data Breach Claim Cites 5-Month Defense Access

Breach Disclosed: 09 Nov, 2025

IKAD Engineering, an Australian defense supply chain contractor, became public after the J Group ransomware operation claimed a breach and threatened to publish stolen files. The actors said they held access for 5 months and took material tied to naval programs, including Hunter Class frigates and Collins Class submarines, plus internal corporate documents.

IKAD said an unknown party accessed a small portion of its internal IT systems, and it reported the incident to the ACSC, AFP, and the Defence Industry Security Program. Wider coverage in late November 2025 and on 01 Dec 2025 framed the case as a supply chain warning. (DeXpose)

Breaches Occurred in Australia in October 2025 

1. Western Sydney University Student System Breach 

Breach Disclosed: 23 Oct, 2025

Western Sydney University disclosed a breach of its Student Management System on 23 Oct 2025 after investigators found unauthorized access through external third- and fourth-party systems from 19 Jun 2025 to 03 Sep 2025. WSU spotted unusual activity on 06 Aug 2025 and 11 Aug 2025, told its provider to shut off access, and began forensics.

Exposed data may include names, contact details, dates of birth, IDs, bank details, tax file numbers, passport and visa data, and complaint, health, or disability information. NSW Police asked WSU to delay notification until 23 Oct 2025, and stolen data later fueled fraudulent emails sent on 06 Oct 2025. (Western Sydney)

2. Benedict Industries Ransomware Attack Claim Exposes 270 GB

Breach Disclosed: 09 Oct, 2025

Australian recycling and civil construction supplier Benedict Industries appeared on the INC Ransom leak site on 09 Oct 2025, and the group claimed it posted a 270 GB data dump the same day. Reporting indicates the files include HR and payroll records with salary and workers’ compensation details, workplace incident reports, and employee child-support deduction records, plus Salesforce exports and other internal business documents.

Benedict has not issued a detailed breach notice, so the scope remains based on leak-site claims and sample analysis. Treat any invoice changes, payment requests, or HR outreach as suspicious and expect targeted phishing. Monitor accounts for fraud if you shared data with the firm. (HR Leader)

3. VETtrak Cyber Incident Disrupts Access, 13,866 Files Posted

Breach Disclosed: 17 Oct, 2025

ReadyTech said a cyber incident affected its hosted VETtrak student management system after an outage began 16 Oct 2025, leaving many providers unable to access the platform from 17 Oct 2025. ASQA issued sector guidance on 30 Oct 2025 as the disruption persisted.

ReadyTech later reported that on 31 Oct 2025 a cybercriminal posted 13,866 files from VETtrak, and 23 customer organizations had data in that set. ReadyTech said the dataset may include contact information, financial details, tax file numbers, identity data, and health information, and analysis suggested fewer than 3,000 individuals. It notified OAIC, briefed cyber agencies, and sought a court injunction. (ASQA.gov)

4. CBS Tasmania Listed on Lynx Leak Site 10 Oct 2025

Breach Disclosed: 10 Oct, 2025

Community Based Support Ltd (CBS Tasmania), a not-for-profit aged care and disability provider, surfaced in ransomware tracking after the Lynx group posted cbsaust.org.au to its leak site. Several monitors place the leak post on 10 Oct 2025, with wider tracking updates around 15 Oct 2025. Proof samples describe theft of employee and client records that include home addresses, financial details, and identity documents such as driver licenses.

CBS said core services continued while incident response and forensics progressed. Clients and staff should expect phishing and invoice scams, and watch accounts for misuse, since exposed data can target vulnerable people.(DeXpose, Fortian)

5. Qilin Claims 160 GB Stolen in Malibu Boats Cyber Attack

Breach Disclosed: 29 Oct, 2025

Malibu Boats Australia was named on the Qilin ransomware leak site on 29 Oct 2025, which appears to be the first public disclosure of the incident. Qilin claimed theft of 160 GB across 148,538 files and threatened publication unless talks started.

Public reporting has not offered a verified breakdown, but the claim points to business documents plus possible personal data tied to staff, partners, or customers. Malibu Boats Australia has not issued a detailed breach statement, so scope remains unconfirmed. Treat invoice changes, password resets, and unsolicited support calls as high risk. Partners should review activity and stop credential reuse. (Teiss)

6. Point Lonsdale Medical Group Email Breach May Expose Patient Data

Breach Disclosed: 31 Oct, 2025

Point Lonsdale Medical Group said a reception and administration email account was compromised after phishing emails were sent from that mailbox. An external forensic review found evidence that a small, confined set of emails was accessed without authorization, but the practice could not identify the specific messages involved. The clinic stated its patient database and other systems were not affected.

Emails in the account may have contained referrals, health summaries, or treatment plans, with details such as names, dates of birth, addresses, medical history, diagnoses, and sometimes Medicare or health fund numbers. The clinic secured the account, notified the OAIC, and warned patients about scam attempts. (Cyberdaily)

7. Brotherhood Claims 45 GB Stolen in Kevmor Data Breach

Breach Disclosed: 10 Oct, 2025 

Kevmor Trade Supplies, a Belmont, WA flooring and trade supplier, was listed on the Brotherhood ransomware leak site on 10 Oct 2025, with some sources citing 09 Oct 2025. The group claimed exfiltration of about 45 GB, including sales and payment records, spreadsheets, and other internal documents. Reporting also cites scans of a senior employee’s passport and driver license, raising identity theft risk alongside invoice fraud.

Kevmor has not published a detailed notice, so scope remains based on leak-site claims. Customers and partners should treat payment-change requests and unexpected password resets as suspicious, verify via known numbers, and reset any reused credentials. (Onion pages)

Breaches Occurred in Australia in September 2025 

1. BMW Supplier Breach Claim 600,000 Lines of Audit Data

Breach Disclosed: 14 Sep, 2025

BMW Group appeared on the Everest ransomware leak portal on 14 Sep 2025, with attackers claiming “critical BMW audit documents” and threatening publication within 48 hours. A follow-up post on 17 Sep 2025 said about 600,000 lines of internal data were taken, including safety and quality audits, emails, and other records that reference BMW staff and supplier personnel.

BMW later confirmed a breach at a U.S. third-party provider, widely reported as Change2Target, and said its own internal systems were not directly compromised. The supply-chain angle matters for global operations, including Australia, since audit artifacts can support targeted fraud against plants, partners, and procurement teams. This AI-written summary reflects public reporting.(INCIBE)

2. Akira Claims 10 GB Theft From Perth OT Firm Intellect Systems

Breach Disclosed: 18 Sep, 2025

Perth-based operational technology and engineering firm Intellect Systems, part of Quanta Services, appeared on Akira’s leak site on 18 Sep 2025, with some trackers logging discovery on 19 Sep. Akira claimed theft of about 10 GB and threatened to publish corporate and personal files. Threat intel summaries say the haul may include employee passports, driver license data, medical records, contracts, financial documents, and project materials tied to resources and infrastructure work. Late September reporting noted no detailed public confirmation from Intellect Systems. Customers and partners should watch for invoice fraud, impersonation, and credential reuse fallout. (Ransomware.live, Gridware) 

3. Kairos Ransomware Claim Targets The Property Business, 164 GB at Risk

Breach Disclosed: 17 Sep, 2025

The Property Business, a Sydney real estate and property management firm, surfaced in ransomware reporting after Kairos posted it to a leak site and threatened release of about 164 GB of data. Some trackers timestamp the first listing on 16 Sep 2025, while the first widely cited write-ups appeared on 17 Sep 2025, so the public disclosure window spans those dates.

Reported samples point to landlord, tenant, and agent records, including ID scans, tenancy agreements, credit card details, and internal operational files. The firm has not published detailed confirmation, so scope remains claim-driven. Expect phishing, rental payment diversion attempts, and ID fraud. This AI-written summary relied on public reporting. (Cyber News Centre)

4. Asahi Group Qilin Claim Alleges 27 GB Theft

Breach Disclosed: 29 Sep, 2025

Asahi Group Holdings disclosed a cyberattack on 29 Sep 2025 after system failures disrupted orders, shipments, and customer support in Japan. On 03 Oct 2025, Asahi said responders confirmed ransomware and signs of possible unauthorized data transfer, then on 08 Oct 2025 it reported suspected stolen data had surfaced online.

On 07 Oct 2025, Qilin claimed responsibility and alleged theft of about 27 GB of files, including employee personal data, contracts, financial documents, and forecasts. Australian tracking later flagged that the stolen set may include Australian employee records. Asahi has not confirmed the full contents, so downstream fraud and phishing risk remains the primary concern for staff, partners, and customers. (Asahi group)

Breaches Occurred in Australia in August 2025

1. Belmont Christian College Ransomware Attack Risks Student Records

Breach Disclosed: 07 Aug, 2025

Belmont Christian College in New South Wales faced ransomware claims after Qilin listed the school on its leak site on 07 Aug 2025, alleging it had dumped “all internal information.” The college acknowledged a cyber incident on 09 Aug 2025 and said an unauthorized third party may have accessed a limited part of its systems, with external incident responders engaged.

Breach monitors reported the leaked material may include student and staff personal details, immunization and incident records, payment histories, donation records, and Working With Children ID data. Expect phishing and identity fraud attempts aimed at families, staff, and donors. (Ransomware)

2. 280k Emails Exposed in iiNet Order System Data Breach

Breach Disclosed: 19 Aug, 2025

TPG Telecom disclosed unauthorized access to iiNet’s order management system after investigators linked the intrusion to stolen employee credentials. The activity was detected and contained on 16 Aug 2025, then publicly disclosed on 19 Aug 2025, with customer updates on 20 Aug 2025.

Data accessed included about 280,000 active email addresses, roughly 20,000 landline numbers, around 10,000 usernames with street addresses and some phone numbers, plus about 1,700 modem setup passwords. The system held historical records, so some former customers were affected. iiNet said no payment card data, government IDs, or identity documents were stored. Expect phishing and scam calls. (Reuters)

3. Scotch College Melbourne Reports Weekend Cyber Incident

Breach Disclosed: 12 Aug, 2025

Scotch College Melbourne disclosed a cyber incident on 12 Aug 2025 after an unknown party gained unauthorized access to its IT systems over the weekend of 09 to 10 Aug 2025. The school shut down servers, disabled user accounts, and postponed non-essential online events while forensic specialists investigated.

Letters to families and Old Scotch Collegians warned of phishing and suspicious emails. Public reporting suggests the exposed data may involve contact details and other personal information stored in community databases, but the school has not published record counts and has not confirmed specific fields. The school engaged external responders and involved the ACSC. (Beyondmachines)

4. Wine Works Australia Dire Wolf Claim Alleges 22 GB Data Theft

Breach Disclosed: 26 Aug, 2025

Wine Works Australia, a South Australian logistics provider for the wine industry, appeared on Dire Wolf’s leak site on 25 Aug 2025, with public reporting on 26 to 27 Aug 2025. Dire Wolf claimed theft of about 22 GB of data and said it would publish material in early September 2025.

Reported samples suggest customer information, sales records, financial data, and operational documents such as picking slips, vehicle service histories, licenses, and login credentials. As of late 2025, coverage treats this as an extortion claim, since Wine Works has not released confirmation. Partners should treat invoices and login prompts as high risk and reset reused passwords. (Cyber News Centre) 

5. Interlock Claims 591 GB Stolen in Loyola College Cyber Attack

Breach Disclosed: 30 Aug, 2025

Loyola College in Watsonia, Victoria, notified its community on 30 Aug 2025 after Interlock listed the school on 29 Aug 2025 and claimed a ransomware attack. Monitoring reports cite a 591 GB leak across 430,000+ files.

Samples shown online include passports for current and former staff, student and staff records with contact, medical, and incident details, plus financial and legal documents such as tax records and court orders. The college reset staff, parent, and student passwords and brought in external forensic support. In September 2025, families received warnings after students circulated dark web screenshots. Treat outreach as suspicious. (Cyber Daily)

Breaches Occurred in Australia in July 2025

1. O&G Adelaide Ransomware Leak Claims 77 GB of Patient Data

Breach Disclosed: 01 Jul, 2025

O&G Adelaide Pty Ltd, an obstetrics, gynecology, and fertility clinic, reported a ransomware incident after detecting suspicious activity on 01 Jul 2025. Trackers timestamp the first public Kairos leak-site listing late 30 Jun 2025 (UTC), which is 01 Jul 2025 in Australia.

Leak monitors estimate about 77 GB of stolen data, and samples suggest highly sensitive patient information such as medical histories, Medicare details, and contact data. Public detail remains claim-driven and the full dataset has not been independently verified. Patients should treat outreach as high risk, change reused passwords, and monitor Medicare and financial accounts for misuse. Consider fraud alerts and watch for identity scams tied to medical claims. (Ransomware)

2. UAP Hit in Ransomware Cyber Attack, Emails and Member Records at Risk

Breach Disclosed: 17 Jul, 2025

Clive Palmer’s United Australia Party and Trumpet of Patriots disclosed a ransomware incident tied to unauthorized server access identified on 23 Jun 2025, with possible data exfiltration. The parties warned that the exposed material may include all emails sent to and from the organizations (including attachments) and other electronically stored documents and records. 

Follow-up reporting described potential exposure of email addresses, phone numbers, identity records, banking details, and employment history for members, staff, and contacts. Public disclosure peaked on 17–18 Jul 2025, after the parties posted a formal notice and issued email alerts, while stating individual notifications were impracticable due to record limitations. (United Australia Party)

3. OMARA Portal Data Breach Exposed Documents for 6 Migration Agents

Breach Disclosed: 14 Jul, 2025

Australia’s Office of the Migration Agents Registration Authority said a flaw in the OMARA Portal search feature could expose internal documents linked to 6 registered migration agents. The issue began on 06 May 2025, when a portal user query for an agent’s name could surface records meant for internal access, including names and business contact details.

Home Affairs said the portal was shut down and the search function disabled, with technical review confirming a small, isolated incident and no evidence of visa applicant data exposure. Public updates surfaced on 14 Jul 2025, which drove July breach tracking. No malicious actor has been reported. (Homeaffairs.gov)

4. UAP Cyber Attack May Expose Trumpet of Patriots Emails

Breach Disclosed: 17 Jul, 2025

United Australia Party and Trumpet of Patriots reported that on 23 Jun 2025 they detected unauthorized access to party servers in what they describe as a ransomware attack. A public breach notice posted 17 Jul 2025 warned that attackers may have accessed or taken broad data stores, including all email traffic and attachments, plus server-held documents and member records.

Potentially exposed details include email addresses, phone numbers, identity documents, banking information, and employment history. The parties said they restored systems from backups and reported the incident to national cyber and privacy bodies, while noting limits on individual notification. Expect phishing and impersonation attempts. (United Australia Party)

5. 3.5 TB Theft Claim Follows Ingram Micro Ransomware System Outage

Breach Disclosed: 05 Jul, 2025

Ingram Micro reported a multi-day outage starting 03 Jul 2025, then confirmed on 05 Jul 2025 that ransomware affected some internal systems. The company took key platforms offline, disrupting ordering, shipping, and licensing services used by partners worldwide, creating supply-chain risk for Australian resellers. Ingram Micro said external incident response teams and law enforcement were engaged while restoration progressed.

Subsequent reporting said the SafePay group claimed double-extortion tactics and alleged theft of about 3.5 TB of data that could include internal documents plus partner or customer records, though Ingram Micro has not confirmed the claim. This AI-written summary reflects public statements and media reporting. (The Register, Ingram Micro)

Breaches Occurred in Australia in June 2025

1. Qilin Leak Site Lists Skeggs Goldstien in Alleged 500 GB Breach

Breach Disclosed: 12 Jun, 2025

Skeggs Goldstien, a New South Wales financial services firm providing accounting, tax, business and wealth advice, confirmed it was investigating a cyber incident after the Qilin ransomware group listed the company on its leak site on Jun 12, 2025. Threat actor posts and ransomware trackers claim roughly 500 GB of data was exfiltrated, with samples allegedly showing client-facing documents and advisory material. 

Reporting described the exposed data as client details, tax returns, business records, and other sensitive financial information, consistent with double-extortion pressure tactics. Skeggs Goldstien said it engaged external cyber specialists and notified Australian authorities, including the ACSC and OAIC, while assessing scope, impact, and potential client exposure. (Cyberwarriors)

2. DragonForce Leak Site Lists Pressure Dynamics in Alleged Data Breach

Breach Disclosed: 17 Jun, 2025

Western Australia engineering services firm Pressure Dynamics was publicly tied to a ransomware incident after the DragonForce group listed the company on its leak site on Jun 17, 2025, with several trackers recording that date as the earliest verified disclosure. 

DragonForce claimed theft of about 106.84 GB of data and described the dump as engineering documentation, operations reports, technical drawings, and historical project material, with some reporting also citing employee and medical records. 

Pressure Dynamics later confirmed it was responding to a cyber incident, but most public detail still comes from threat actor posts and monitoring sources rather than a full victim notice. This creates elevated risk for client impersonation, contract fraud, and exploitation of exposed technical information. (National Cyber Security)

3. Vertel Cyber Incident Confirmed After Space Bears Ransomware Claim

Breach Disclosed: 18 Jun, 2025

Sydney-based telecommunications carrier and managed ICT services provider Vertel confirmed a ransomware incident after the Space Bears group listed the company on its leak site in mid-June 2025. 

Multiple sources tie the first public listing to Jun 18, 2025, with some breach trackers recording discovery on Jun 17, 2025. Space Bears claimed it exfiltrated SQL databases, client personal information, and financial documents, and threatened to publish the stolen data before the end of June if payment was not made. 

No verified volume figure was released publicly. Given Vertel’s public-sector and critical-infrastructure customer base, this incident raised concern for downstream exposure and targeted follow-on attacks against clients. (National Cyber Security)

Breaches Occurred in Australia in May 2025

1. AHRC Data Breach Exposes 670 Webform Uploads Online

Breach Disclosed: 14 May, 2025

The Australian Human Rights Commission (AHRC) disclosed that a webform misconfiguration accidentally made around 670 uploaded attachments publicly accessible on the open internet, with about 100 documents confirmed as accessed through search engines. 

AHRC said it first became aware on 10 Apr 2025 and disabled the complaint form attachment function immediately, then later confirmed on 8 May 2025 that additional webforms were affected. 

The exposed documents were accessible between 3 Apr and 5 May 2025, and could include names, contact details, health information, photos, and addresses tied to complaints, consultations, awards nominations, and policy work. AHRC notified the OAIC and began contacting impacted individuals. (Human rights.gov)

2. MKA Accountants Hit With Qilin Data Breach Claim (185+ GB)

Breach Disclosed: 16 May, 2025

MKA Accountants, a Victorian accounting and business advisory firm in Moonee Ponds, disclosed it was investigating a Qilin ransomware incident after suspicious activity was detected around 15–16 May 2025. 

Breach monitoring sources indicate Qilin posted proof on its leak site, including internal correspondence, financial statements, and insurance information, and later reporting referenced 185+ GB of data exposed. 

While the leak-size figure remains difficult to independently confirm, multiple trackers place the threat actor’s public listing on May 14–15, 2025, which appears to mark the earliest public disclosure timeline. The firm reported the matter to the ACSC and OAIC, and clients face elevated risk of fraud, phishing, and sensitive financial document misuse. (Kirbyidau.com)

3. Dire Wolf Claims 300 GB Stolen in WA Legal Practice Board Data Breach

Breach Disclosed: 27 May, 2025

The Legal Practice Board of Western Australia (LPBWA) disclosed a major cyber incident in late May 2025 after taking systems and online services offline and switching to manual workarounds for key functions such as practising certificate renewals. 

Public reporting indicates the Dire Wolf ransomware group claimed responsibility and alleged exfiltration of about 300 GB of data, including bank account details, contact information, and internal correspondence tied to legal practitioners, with concerns extending to judges and senior lawyers.

The Board’s public updates confirmed active investigation and engagement with external experts, while media reporting noted court injunction steps to limit dissemination of disclosed material. Attribution remains claim-based, but the exposure risk is significant. (Lpbwa.org)

4. 3P Corporation Data Breach Leak Publishes 200+ GB After Space Bears Listing

Breach Disclosed: 30 May, 2025

Melbourne-based 3P Corporation, a financial services aggregator, was linked to a major ransomware-related data exposure after the Space Bears group listed the company in early April 2025 and later published more than 200 GB of material online. Coverage and dark web monitoring peaked in late May 2025, which is why this incident appears in many May 2025 Australia breach roundups.

Reports described leaked content as database exports, internal financial documents, and personal information tied to employees and clients. Notably, 3P initially disputed that any customer data had been compromised, but subsequent leak-site activity and third-party reporting suggested significant data exposure. Affected parties faced heightened risk of fraud and targeted impersonation.

Breaches Occurred in Australia in April 2025 

1. Hexicor Listed in KillSec Ransomware Data Breach Sale Claim

Breach Disclosed: 01 Apr, 2025

Hexicor, a Brisbane-based IT services firm that provides cybersecurity, unified communications, and network services, appeared on the KillSec leak site around 01 Apr 2025 after the group claimed a ransomware intrusion and data theft. Reporting indicates the actors posted screenshots of client folders and offered stolen material for sale, including Mitel MiCollab backups, hashed passwords, digital certificates, and other internal security artifacts.

Public coverage in early April 2025 suggests the disclosure originated from the threat actor’s leak listing rather than a victim-issued notice, so scope remains claim-driven. If accurate, this exposure could create downstream compromise risk for Hexicor customers through credential reuse, internal configuration leakage, and targeted follow-on attacks. (Cyber security)

2. $500,000 Stolen After Cyber Attack on Australian Super Funds

Breach Disclosed: 04 Apr, 2025

Multiple Australian superannuation funds, including REST, Hostplus, Australian Retirement Trust, AustralianSuper, and Insignia Financial, confirmed credential-stuffing attacks against member portals in early April 2025. Attackers reused stolen usernames and passwords from older breaches to gain access to some accounts.

AustralianSuper reported suspicious activity on about 600 accounts, with 4 members losing a combined $500,000. REST said around 20,000 accounts were probed and personal data for about 8,000 members was accessed, with no confirmed fraud at that time. Other funds detected and blocked large-scale login attempts, with more limited confirmed compromise. (ABC .net)

3. Western Sydney University SSO Breach Exposes Data of 10,000 Students

Breach Disclosed: 15 Apr, 2025

Western Sydney University (WSU) disclosed on 15 Apr 2025 that attackers abused one of its single sign-on (SSO) systems and accessed data for about 10,000 current and former students. WSU’s update said impacted people received individual notifications and the exposed information included demographic, enrollment, and progression details, plus contact data.

Media reporting indicated the unauthorized access occurred during late January 2025 through late February 2025, and some of the stolen information later appeared on the dark web, increasing the risk of phishing and identity misuse. WSU said it was responding to persistent targeted attacks, working with external specialists, and rolling out stronger authentication controls. (Western sydney)

4. 148 GB Stolen in Fullerton Sydney Data Breach, IDs Exposed

Breach Disclosed: 08 Apr, 2025

The Fullerton Hotels and Resorts was linked to a major ransomware incident after the Akira group listed the organization on its leak site around 08 Apr 2025, with multiple trackers recording that date as the first public claim. 

Reporting tied the impact in Australia to The Fullerton Hotel Sydney, with an estimated 148 GB of stolen data that allegedly includes passports, driver licenses, employee records, financial audits, and internal corporate files, plus some payment card-related information.

Sources also noted exposure risk for high-profile guest ID documents. Public details remain largely threat actor driven, so the full dataset and affected individuals are not independently verified. Incident tracking continued through 10 Apr 2025 as additional monitoring sites posted updates. (Ransomware)

5. Cleo-Linked Vendor Breach Triggers Hertz Data Exposure

Breach Disclosed: 14 Apr, 2025

Hertz, Dollar, and Thrifty notified customers in April 2025 after confirming that a file-transfer vendor, Cleo Communications, suffered a cyberattack between October and December 2024 that exposed Hertz data. Hertz said it confirmed the unauthorized acquisition on Feb 10, 2025, then completed impact analysis on Apr 2, 2025, which drove broader customer notifications and media coverage in mid-April. 

Exposed data included names, contact details, dates of birth, and driver license details, with some records also containing Tax File Numbers, passport data, and payment card information. Reporting commonly linked the Cleo exploitation campaign to the Clop ransomware group. (Reuters)

Breaches Occurred in Australia in March 2025

1. Zurich Insurance Hit With 1,400-File Leak Claim

Breach Disclosed: 03 Mar, 2025

Zurich Insurance Group was pulled into breach reporting after a threat actor using the handle “Rey” claimed access to 1,400+ internal files and began sharing samples on cybercrime forums in early March 2025. Multiple sources describe the data as confidential financial documents, contracts, internal communications, and some client and staff-related reports. 

Reporting suggests the intrusion likely occurred sometime in February 2025, but Zurich had not publicly confirmed a full compromise or detailed scope at the time those claims surfaced. Since the disclosure originated from the actor rather than a formal notification, assume elevated risk for extortion, targeted phishing, and internal process exposure while validation and containment continue. (Darkweb informer)

2. Wendy Wu Leak Exposes Passport Scans

Breach Disclosed: 04 Mar, 2025

Wendy Wu Tours, a Sydney-based tour operator, was linked to an extortion incident after the KillSec ransomware group listed the company on its leak site on Mar 4, 2025, then issued a 7-day deadline and shared sample data online. 

Reporting indicates the exposed material included Australian and UK passport scans, pre-travel forms containing personal details and emergency contacts, and frequent flyer numbers, which creates immediate identity fraud and account takeover risk. 

Follow-on coverage over Mar 6–12, 2025 reported the listing and noted Wendy Wu Tours acknowledged awareness of the incident while investigating scope and impact. This appears threat actor-driven, so the full dataset remains unverified. (VPN ranks)

3. CI Scientific Named in Lynx Data Breach Claim (81 GB)

Breach Disclosed: 13 Mar, 2025

CI Scientific, a laboratory and industrial equipment supplier now rebranding as CISCAL, was linked to a ransomware incident after the Lynx operation listed the organization on its leak site around Mar 11–13, 2025. Several sources converge on Mar 13, 2025 as the clearest public disclosure date, although some trackers record discovery on Mar 11–12. 

The group claimed theft of roughly 81 GB of data and described the exposed material as HR-related information and internal business documents. No detailed victim notification or independently verified dataset breakdown was publicly available at the time of reporting, so impact remains claim-based and should be treated as potentially understated or overstated until validated. (VPN ranks)

4. Brydens Lawyers Cyber Attack Linked to 600+ GB Stolen Files

Breach Disclosed: 13 Mar, 2025

Brydens Lawyers, a prominent Sydney law firm, disclosed a serious cyber incident after unauthorized access to firm servers occurred in late February 2025. Reporting linked the intrusion to a ransomware-style extortion attempt and alleged theft of more than 600 GB of sensitive data, including case files, client records, and staff information. 

The firm’s principal said Brydens treated the incident as significant and potentially damaging, took systems offline, and engaged specialist cyber advisers to determine scope and impact. Brydens also notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. As of March reporting, no threat actor had been publicly confirmed, so attribution remained unresolved. (7 News.com)

5. Booking Disrupted in TFE Hotels Cyber Incident

Breach Disclosed: 01 Mar, 2025

TFE Hotels Group disclosed an active cyber incident on Mar 1, 2025, impacting parts of its network and causing operational disruption across brands including Adina, Vibe, and Travelodge. In the days that followed, the group worked to restore systems, with some backend platforms remaining offline into early to mid-March, affecting bookings, internal processes, and some customer-facing services. 

Public statements emphasized that investigations had not identified misuse of payment card data, which helped narrow the immediate fraud risk, but the possibility of data exfiltration remained under assessment. No threat actor was publicly named at the time, and TFE’s updates focused on containment, recovery progress, and ongoing forensic review.

Breaches Occurred in Australia in February 2025

1. 279K Patient Records Exposed in Sydney Radiology Ransomware Attack

Breach Disclosed: 15 Feb, 2025

Spectrum Medical Imaging, a Sydney radiology and medical imaging provider, reported a cyberattack detected on 14 Jan 2025 that may have exposed highly sensitive patient data. The potentially affected information includes names, addresses, dates of birth, medical histories, and imaging records, with later reporting linking the incident to a leak of about 279,834 medical files. 

The intrusion has been attributed to the INC Ransom ransomware group, which listed Spectrum on its leak site around the time the attack was detected. Spectrum said it launched an internal investigation and engaged cyber specialists, while patients faced risk of identity fraud, phishing, and medical privacy harm if stolen images and reports were accessed or shared. (CSIDB)

2. Medusa Leak Dumps 142.85 GB From Natures Organics

Breach Disclosed: 11 Feb, 2025

Natures Organics, an Australian sustainable personal care and household products manufacturer, was listed as a victim of the Medusa ransomware group after attackers claimed exfiltration of 142.85 GB of data. Multiple ransomware tracking sources place the public leak-site exposure in mid-February 2025, with dates clustering around Feb 11–12, 2025, depending on the monitor. 

Reported stolen content includes passport and driver license scans, bank transaction histories, employee payslips, internal communications, and other business documents. This pattern fits Medusa’s double-extortion model, which pressures victims through public exposure threats. At the time of reporting, independent verification of the full dataset remained limited. (Redpacket security)

3. Akira Leak Exposes Regency Media

Breach Disclosed: 14 Feb, 2025

Regency Media, an Australian media production company that reportedly shut down in 2023, was listed on the Akira ransomware gang’s leak site in mid-February 2025. Ransomware reporting and breach monitors indicate the group leaked about 16 GB of data, despite the company no longer operating. 

The exposed materials were described as NDAs, driver licenses, passport scans, contact details, and financial records such as audits and payment documentation. 

Since the public disclosure came from Akira’s leak site rather than a company notification, the full scope and affected individuals remain unclear. Even for defunct businesses, retained systems and legacy servers can still expose sensitive information years later. (Ransomware)

4. ANU Appears on FSociety Leak Site

Breach Disclosed: 16 Feb, 2025

The Australian National University (ANU) said it was investigating an alleged ransomware incident after the FSociety group listed the university on its darknet leak site on Feb 16, 2025. 

Threat actor claims suggested access to student and staff data, but early reporting noted no public evidence of successful encryption, so the immediate risk centered on possible data exposure rather than operational disruption. 

ANU confirmed it was working with the Australian Cyber Security Centre to assess the situation and validate the claims. The incident remained largely actor-driven at the time of disclosure, which matters for triage because threat actor statements often exaggerate impact. (Teiss)

5. Albright Hit With Student Records Theft Claim

Breach Disclosed: 10 Feb, 2025

Albright Institute of Language and Business, an Australian private education provider, surfaced in ransomware reporting after the KillSec group listed the organization on its leak site around Feb 10, 2025. Multiple monitors tied to that listing describe theft of highly sensitive student documentation, including passport scans, visa application files, offer letters, payment plans, and detailed student records such as names, student IDs, emails, and results. 

This incident appears driven primarily by threat actor claims and monitoring sources rather than a full public statement from the institution, so the exact scope remains unverified. If confirmed, the exposure presents high risk for identity fraud, visa scams, and targeted extortion attempts against affected students. (Ransomware)

6. Truck Dealership Faces 170 GB Ransomware Claim

Breach Disclosed: 12 Feb, 2025

Brown and Hurley, an Australian truck and trailer dealership group, was publicly linked to a ransomware incident after the Lynx operation listed the company on its leak site in mid-February 2025. Multiple ransomware-tracking sources reported Lynx claimed theft of about 170 GB of data, describing the haul as HR documents, business contracts, customer information, and financial records. 

Coverage framed the event as an extortion-driven disclosure, with limited independent verification of the dataset contents beyond what the actors advertised. The incident’s main risk centers on identity exposure, customer-targeted fraud, and invoice or payment diversion scams that often follow dealer and logistics-sector breaches. (Ransomware)

7. Genea IVF Hit With Massive Data Theft Claim

Breach Disclosed: 21 Feb, 2025

Genea, a major Australian IVF provider, disclosed a cyber incident on Feb 21, 2025 after detecting suspicious network activity on Feb 14 and taking systems offline. Attackers later claimed theft of roughly 700 to 940 GB of data, including fertility and treatment records plus identifiers such as dates of birth and Medicare details. 

The Termite group claimed responsibility on Feb 24, and reporting said stolen data was published on Feb 26, which drove scam warnings and a court injunction.  In Dec 2025, some threat briefings revisited Genea as ongoing fallout, not a new breach. (The Guardian)

Breaches Occurred in Australia in January 2025

1. Everest Ransomware Claims 50 GB Data Theft From Evidn

Breach Disclosed: 09 Jan, 2025

Evidn, a Queensland-based applied behavioral science and consulting firm that works with government and private-sector clients, was listed as a victim on the Everest ransomware gang’s leak site in early January 2025. Reporting indicates the operators claimed theft of about 50 GB of data and issued a deadline for the company to make contact, consistent with double extortion tactics. 

At the time of reporting, the claim appeared actor-driven, with no public confirmation from Evidn and no independent validation of what specific datasets were taken. If verified, the exposure could affect sensitive project materials, client communications, and personally identifiable information connected to program delivery and consulting work. (Cyber security)

2. ARDEX Australia Ransomware Attack Claims Internal Data Theft

Breach Disclosed: 27 Jan, 2025

ARDEX Australia, a construction products manufacturer focused on tiling, flooring, and waterproofing systems, was named as a victim of a Medusa ransomware attack in late January 2025. Multiple breach trackers and ransomware monitoring sites show ARDEX appearing on Medusa’s leak site between Jan 27 and Jan 29, with claims of data exfiltration alongside extortion. 

Public reporting describes the stolen material as confidential business documents and sensitive internal information, with potential personal data exposure, although no verified leak size has been published. As of the initial disclosure window, the incident appeared based on threat actor claims rather than a formal customer notice, so the confirmed impact remained unclear. (1300 Intech)

3. Globelink International Data Theft Claim Involves 22 GB of Logistics Records

Breach Disclosed: 03 Jan, 2025

Globelink International, an Australian freight forwarding and logistics provider, was named by the Qilin ransomware operation after actors claimed theft of about 22 GB of company data. Threat actor posts and ransomware reporting indicate the stolen material included internal documents plus sensitive debtor and creditor information, with some sources also referencing bank statements. 

Public timelines point to an early January 2025 leak-site listing, with a stated publish date of Jan 3, 2025 for the full dataset. At the time of reporting, the disclosure remained largely actor-driven, with no detailed public statement from Globelink confirming the scope. Organizations tied to the exposed records should watch for invoice fraud, targeted phishing, and identity misuse. (Blackfog)

4. DBG Health Ransomware Claim Alleges 2.5 TB Stolen 

Breach Disclosed: 07 Jan, 2025

DBG Health, which includes Arrotex Pharmaceuticals, was pulled into public breach reporting after the Morpheus ransomware group claimed responsibility in early January 2025 for an intrusion that DBG said it detected on 25 Aug 2024. Coverage tied to the leak-site posting cited nearly 2.5 TB of stolen data and suggested it included patient-related records, employee information, and internal business material such as payroll and confidential documents. 

The initial public exposure appears to come from the threat actor’s leak site and follow-on media reporting rather than a first-time company disclosure. That matters for response planning, since the safest assumption is that stolen data may already be circulating or for sale. (The Nightly)

5. UNSW Physics Site Hit in RipperSec Incident

Breach Disclosed: 13 Jan, 2025

The University of New South Wales reported a cyber incident affecting a School of Physics website after the RipperSec hacking group publicly claimed responsibility in mid-January 2025. Public reporting describes the activity as website-focused and consistent with RipperSec’s broader campaign, which often centers on disruption and reputational impact rather than confirmed large-scale data theft. At the time of disclosure, there were no verified figures for records accessed or data exfiltrated, and the incident appeared limited to a specific web property rather than core university systems. Even so, university web platforms can expose credentials, admin access, and downstream risk through reused passwords or compromised accounts, so monitoring and credential hygiene remain critical. (Darkweb informer)

What Australia’s Breach Regulator Saw in 2025?

For Jan to Jun 2025, OAIC received 532 notifiable data breach reports. 59% involved malicious or criminal attacks (308), and human error accounted for 37% (193). OAIC also reported the average people affected per cyber incident was just over 10,000.

Examples of major publicly reported incidents in 2025

• Qantas (June 30 to July 2, 2025): Qantas reported unauthorized access to a third-party contact center platform, with around 6 million customer records potentially affected. Reported data types included names and contact details, dates of birth, and frequent flyer details. (Qantas) 
• Qantas later said customer data was released by criminals, and it sought a NSW Supreme Court injunction. (Qantas)
• United Australia Party and Trumpet of Patriots (June 23, 2025): The parties posted a breach notice stating unauthorized server access and a ransomware attack with possible data exfiltration. (United australia party)
• State-linked activity noted in 2025: ASD’s ACSC referenced a May 2025 international advisory about a Russian GRU campaign targeting Western logistics and technology entities, using tactics such as spearphishing and password spraying. (Cyber.gov)

Patterns that show up across 2025 reporting

• Credential theft and fraud remain common themes in ACSC reporting, with identity fraud the top reported cybercrime type in FY2024–25. (Cyber.gov)
• Service disruption rose sharply, especially DoS or DDoS activity. (Cyber.gov)
• Ransomware continues to appear regularly in incident response. (Cyber.gov)

FAQs