In 2024 alone, Australian businesses and government agencies reported a record number of 1,113 data breaches, according to the Office of the Australian Information Commissioner (OAIC).

We are almost halfway through the year, and multiple data breaches have already affected Australian businesses, leading to huge losses of thousands of dollars.

In this post, we will share some of the biggest Australian Cyber Breaches so far.

Are Cyber Breaches on the Rise in Australia?

The short answer is yes. Research from the Australian Cyber Security Centre (ACSC) shows that about 164 cyber breach reports are made in Australia every day, or about one report every ten minutes.

Only about 60,000 cyber attack reports were received in Australia between July 1, 2019, and June 30, 2020. This shows that cyber breaches in Australia are constantly on the rise, with fraud attacks in the form of phishing campaigns being one of the most popular formats.

5 Biggest Australian Cyber Breaches

Here are 5 of the biggest cyber breaches that have occurred in Australia in 2025.

1. Australian Human Rights Commission – April, 2025

On April 10, 2025, the Australian Human Rights Commission experienced a data breach involving unauthorized disclosure of complaints that were submitted on the website via the complaint form. The breach affected files attached to filed complaints on the commission’s website between 24th March and 10th April. These documents probably contained a wide range of personal information such as addresses (residential and email), employer information, schooling information, mobile numbers, personal health data, etc.

The attachments were publicly exposed and accessed between third and tenth April. The breach also affected documents that were uploaded on the website via web forms associated with other projects like Speaking from Experience Project, Human Rights Awards, etc. Unfortunately, the commission could not determine how many people were directly affected by this breach.

 

2. Nine Newspapers – March, 2025

In a major cybersecurity breach, 16,000 of Nine Newspapers subscribers subscribed to The Sydney Morning Herald, The Age, and The Australian Financial Review had their personal data exposed online. The exposed information included names, postal addresses, and email addresses. Nine released a statement stating that the breach came from a third-party provider that failed to uphold the company’s stringent data security standards.

The issue came to light when a security researcher discovered the vulnerability. Nine clarified that no financial data or passwords were involved in the breach. “Our internal systems remain secure, and the issue was isolated to an external supplier,” a company representative confirmed. The data is no longer publicly accessible, and Nine has since worked closely with the vendor to address and fix the issue. The company is also in the process of notifying all affected individuals.

3. NSW Department of Communities and Justice – April, 2025

The NSW Department of Communities and Justice experienced a major data breach where 9000 sensitive court documents were downloaded. The NSW police states that this accessed information includes affidavits and apprehended violence orders.

Michael Daley, the NSW Attorney-General stated the government was assessing the situation and taking all measures to protect sensitive data on the online registry website. Lawyers also expressed serious concern over this breach as very personal information belonging to victims could have been exposed, leaving them vulnerable to attack.

4. Fullerton Hotels and Resorts – April, 2025

The Fullerton Hotels and Resorts fell victim to the Akira ransomware gang where over 140GB of sensitive corporate data was stolen. The cybercriminal group named the company on its darknet site, saying it accessed confidential files including NDAs, contracts, identification documents, financial records, and more. In a post dated April 8, Akira alleged it was prepared to publish over 148GB of the stolen data.

The group, known for its lack of transparency regarding ransom demands or deadlines, often frames its attacks as security audits. “Think of our actions as an unplanned audit. There’s a price to fix this,” the gang stated on its leak site. The breach was limited to The Fullerton Hotel in Sydney and did not affect its sister properties in Singapore or Hong Kong. The hotel group, owned by Hong Kong’s Sino Group, confirmed the incident has been reported to the Office of the Australian Information Commissioner and pledged full cooperation.

5. University of Notre Dame, Australia – February, 2025

The University of Notre Dame Australia has been targeted in a cyberattack where the Fog ransomware group took credit for the breach. In a post dated February 11 on its darknet site, the gang claimed to have stolen 62.2GB of data from the university’s systems. The group alleges the compromised data includes personal contact information for students and staff, medical records, and sensitive internal documents such as NDAs. As of now, the attackers have not disclosed any ransom amount or deadline.

The university first reported a cybersecurity incident to the Australian Cyber Security Centre in late January and stated that an investigation was underway. At the time, officials declined to provide additional details due to the ongoing inquiry.University representatives have since acknowledged awareness of the hackers’ claims, but no further comment has been made.

5 Biggest Australian Cyber Breaches In the last 6 years

 

Here are 5 of the biggest cyber breaches that have occurred in Australia over the last 6 years.

• Canva – May 2019

Affected Users: 137 million

Canva, one of Australia’s most successful tech startups, experienced a major cybersecurity incident in May 2019 that compromised data belonging to 137 million users. At the time, Canva had approximately 55 million monthly active users.

The breach was executed by a hacker known as “Ghosticplayers,” who infiltrated Canva’s system and accessed sensitive customer information, including usernames, full names, email addresses, encrypted passwords, location data, and partial payment details.

Although Canva detected and halted the suspicious activity mid-attack, some damage had already been done. The attacker later boasted about the breach to media outlet ZDNet, which was a rare move since most cybercriminals avoid mainstream exposure and flaunt their exploits on underground forums instead.

Canva responded by advising affected users to reset their passwords, especially those whose credentials hadn’t been updated in six months.

• ProctorU – July 2020

Affected Individuals: 444,000

Online exam monitoring service ProctorU became part of a massive data dump in July 2020 that affected several companies globally. For ProctorU, the breach resulted in 444,000 user records being leaked on a dark web forum.

The stolen data included email addresses from major Australian universities such as the University of Sydney, University of Melbourne, and the University of Queensland, as well as elite institutions in the U.S. like Harvard, Yale, and Princeton. While no financial data was exposed, the breach raised serious concerns about the safety of online education platforms during the COVID-19 era.

• Optus – September 2022

Affected Individuals: 9.8 million

In one of the most high-profile cyber attacks in Australian history, telecommunications giant Optus suffered a data breach that exposed the personal information of nearly 10 million customers, which is roughly 40% of the country’s population.

The breach was allegedly orchestrated through a misconfigured API that did not require authentication, giving cyber criminals access to personal details, including names, birthdates, phone numbers, physical addresses, passport details, driver’s license numbers, and even Medicare IDs.

Shortly after the incident, a hacker demanded a ransom of AU$ 1.5 million in cryptocurrency before withdrawing the demand under apparent pressure from authorities and claiming to have deleted the data. The breach triggered widespread criticism of national data security standards and led to a class-action lawsuit involving over a million affected customers.

• Medibank – December 2022

Affected Individuals: 9.7 million

Australia’s largest health insurer, Medibank, fell victim to a ransomware attack that compromised sensitive medical and personal data of nearly 10 million customers. The attack was attributed to the Russian-linked REvil group, which demanded a US$10 million ransom.

Leaked information included customer names, birthdates, passport numbers, and detailed medical claims. Despite the risks, Medibank chose not to pay the ransom. Although they later posted the stolen data on the dark web, there have been no confirmed reports of financial fraud as a result.

The breach prompted an investigation by the Office of the Australian Information Commissioner (OAIC), which could result in penalties and legal action if it found Medibank did not adequately protect its customers’ data.

• Latitude Financial – March 2023

Affected Customers: 14 million

Latitude Financial is a consumer lending and financial services firm that was affected by one of the most significant data breaches in Australia’s history. Initially, it was believed that only 328,000 individuals were affected, but later assessments revealed the breach impacted around 14 million people across Australia and New Zealand.

The attackers gained access using stolen employee credentials, exposing personal data such as full names, residential addresses, birth dates, phone numbers, driver’s licenses and passport numbers, some of which dated back nearly two decades.

This outdated data storage sparked public debate on data retention policies and whether companies should store customer data for extended periods. Latitude is currently facing regulatory scrutiny and a class-action lawsuit concerning its cybersecurity measures and breach response.

How to Protect Your Business From Cyber Breaches

The best way to protect your business from cyber breaches in 2025 is to implement a data breach prevention and control plan. This will ensure your systems are shielded from malicious attacks and that you can recover sensitive data in the event of a breach.

In Australia, the Australian Signals Directorate (ASD) recommends businesses implement the Essential Eight framework as a minimum data protection standard to increase their security. While this is a great starting point, businesses that want thorough, 24/7 protection need to go further, and this is where getting a cybersecurity provider becomes necessary.

A cybersecurity provider for businesses like Otto IT will provide a wide range of services to protect your business from malicious attacks. Some of these services are:

• Risk Assessment & Security Audits

They evaluate your existing IT systems, identify vulnerabilities, and assess the likelihood and damage of a cyber attack to your business.

• Cybersecurity Strategy & Planning

They design a security strategy tailored to your business needs, budget, and risk profile, often aligned with best-practice frameworks like the Essential Eight or ISO 27001.

• Implementation of Security Tools

They set up and manage tools such as Firewalls, Antivirus and anti-malware software, Intrusion detection systems, Multi-factor authentication (MFA), Endpoint protection, and Encryption tools.

• Employee Training & Awareness

Since human error is a major cause of breaches, they often provide staff training to help employees spot phishing emails, create strong passwords, and follow data handling best practices.

• 24/7 Monitoring & Threat Detection

They monitor your systems 24/7 for suspicious activity and respond quickly to potential threats or breaches before they cause damage.

• Incident Response & Recovery

If a cyber attack happens, they help you contain the threat, minimise damage, investigate what happened, and recover your data and operations as quickly as possible.

• Compliance & Reporting Support

They ensure your business meets legal and industry regulations (like the Privacy Act or GDPR) and can assist with breach reporting, documentation, and audits.

Protect Your Business From Cyber Attacks With Otto IT

At Otto IT, we stay ahead of cyber threats so your business remains protected. Our round-the-clock Security Operations Centre (SOC) is the core of your digital defence, staffed by experienced IT analysts who constantly monitor your systems for unusual activity, stop threats in their tracks, and fine-tune your security posture.

Using live threat intelligence, automated security tools, and deep compliance expertise, we build a tailored shield around your organisation, identifying risks before they escalate. Whether it’s ransomware, phishing, or insider threats, Otto IT keeps your business a step ahead with proactive, always-on protection.

Explore our security solutions today, and let’s determine how to protect your business best!