A Cyber Security Review of 2025

Sheena Shrivastava
February 13, 2026

In 2025, Australian organisations across both the public and private sectors continued to face escalating cyber threats. According to the Office of the Australian Information Commissioner (OAIC), 532 notifiable data breaches were reported in the first half of 2025 alone. Malicious or criminal attacks, such as targeted hacking, credential theft and ransomware, accounted for 59% of those notifications; credential stuffing, insider threats and social engineering featured among the attack types. Notably, breaches attributed to human error rose to 37% of notifications, highlighting the persistent challenge of misconfigurations and accidental disclosures, even in otherwise well-secured environments.

OAIC data shows that cyber breaches affected sectors unevenly. Health services experienced the highest proportion of breaches (18%), reflecting the value of sensitive personal records. Finance and banking followed at 14%, and then Australian Government agencies at 13%, demonstrating that even well-regulated public institutions remain vulnerable. These trends align with global patterns, where attackers target industries with valuable data and complex technology environments.

Industry data and regulatory enforcement trends indicate that a major cyberattack can cost Australian businesses millions of dollars, including direct breach costs, operational disruption, remediation, and regulatory fines. Reputational damage further increases these losses as public trust is fragile. High-profile breaches in 2025 that received extensive media coverage undermined confidence and brand value long after the incidents were resolved.

Ultimately, Australia’s cyber security landscape reflects global trends of increasing volume and sophistication of breaches. Sectors managing sensitive data and significant assets remain primary targets, and the impact on organisations is considerable. Even those with strong cyber security systems faced incidents in 2025, underscoring that resilience depends on technology, people, processes, and ongoing adaptation.

Notable Cyber Breaches in 2025

As we’ve touched on, Australian cyber breaches occurred across a wide range of industries with no sector proving immune. Some of the most notable examples included:

  • Superannuation Funds: In late March 2025, a coordinated credential stuffing attack targeted multiple major Australian superannuation funds, including AustralianSuper and Hostplus. Attackers replayed username and password pairs stolen in earlier, unrelated breaches and traded on dark-web lists against the funds' member portals. Because many of these portals did not enforce multi-factor authentication across all accounts, a reused password alone was enough to get in, and the campaign proved worryingly successful. By 4 April 2025 the attacks were being reported in Australian media, and several funds disclosed spikes in suspicious login attempts and account access issues. AustralianSuper was the worst hit: 600 member accounts were accessed and a small number of members suffered fraudulent lump-sum withdrawals, a significant privacy and trust impact.
  • Australian Human Rights Commission: In April 2025, the Australian Human Rights Commission became aware of a data breach involving the unauthorised public disclosure of attachments uploaded through its online webforms. The cause was an internal misconfiguration that left confidential documents reachable from the public internet, where search engines could index them. Around 670 documents were potentially accessible, and at least 100 were confirmed to have been accessed online. In response, the Commission disabled the affected webforms, notified impacted individuals and the OAIC, and worked to have the exposed documents removed from search engine results. While not a deliberate external cyberattack, the breach fits the rising pattern in which mistakes and misconfigurations are becoming a significant source of data exposure.
  • Qantas: In June 2025, Australia's flag carrier and leading airline was targeted via a third-party customer service platform used by one of its call centres. The breach did not touch the company's core operational or flight systems, but the compromise of the external platform still caused significant damage: personal data of around 6 million customers was exposed, including names, email addresses, phone numbers, dates of birth and frequent flyer numbers. Qantas detected the unusual activity at the end of June and began its investigation and response; through mid July it continued investigating, contacting customers and notifying authorities. Despite these efforts, in October the attackers released some of the stolen data on the dark web, escalating the incident and prompting public scrutiny and reactions from government officials.
  • IKAD Engineering: In November 2025, Australian engineering firm IKAD Engineering confirmed a cyber incident after the J Group ransomware gang claimed responsibility for gaining unauthorised access to part of the company's internal network. The gang first emerged earlier in 2025 and has been linked to multiple victims on dark-web leak sites. J Group reportedly gained its initial foothold back in May by exploiting an unpatched vulnerability in an outdated VPN, then moved laterally across the network. During the months the breach remained undetected, J Group claimed to have exfiltrated around 800 GB of data, including project files, internal correspondence and records relating to defence-related contracts. IKAD publicly stated that the breach affected only a portion of its internal IT systems and that the impacted material appeared limited to non-sensitive information. Even so, the incident is a supply-chain and defence contractor risk case study: data labelled "non-sensitive" can still have strategic value when aggregated within a complex defence ecosystem.
  • University of Sydney: In December 2025, the University of Sydney confirmed a cyber and data breach after unauthorised actors gained access to part of its IT environment. The breach affected personal information relating to current and former staff, as well as alumni. While the University stated there was no indication that the data had been misused at the time of disclosure, those impacted were advised to remain vigilant for phishing or impersonation attempts. In response, the University engaged external cyber security specialists, notified relevant authorities, and implemented additional monitoring and security controls while investigations continued.
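The superannuation incident above is a textbook credential stuffing pattern: one source tries many different member IDs with passwords from old breach dumps, most attempts fail, and the few that land on an account without enforced MFA become takeovers. The following is an added example written for this review, not code from Infotrust or from any of the funds named. It assumes a hypothetical, constructed authentication log format (`src`, `user`, `pw=ok|bad`, `mfa=none|required`) and flags any source that hits many distinct accounts with a high failure rate inside a short window, then separates the password-only successes (accounts to lock immediately) from those where an MFA challenge still stood between the attacker and the session.

```python
"""Credential-stuffing detection over authentication logs (added example).

Heuristic: a single source IP that attempts many *distinct* usernames in a
short window, with a high failure rate, is not a legitimate member. Any
password success from such a source that was not gated by MFA should be
treated as an account takeover and locked first.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical format (not any vendor's).
# 203.0.113.10 sprays eight member IDs in seven seconds; 198.51.100.7 is one
# member mistyping their own password before logging in normally.
SAMPLE_LOG = """\
2025-03-29T02:14:07Z src=203.0.113.10 user=member1001 pw=bad mfa=none
2025-03-29T02:14:08Z src=203.0.113.10 user=member1002 pw=bad mfa=none
2025-03-29T02:14:09Z src=203.0.113.10 user=member1003 pw=bad mfa=none
2025-03-29T02:14:10Z src=203.0.113.10 user=member1004 pw=ok mfa=none
2025-03-29T02:14:11Z src=203.0.113.10 user=member1005 pw=bad mfa=none
2025-03-29T02:14:12Z src=203.0.113.10 user=member1006 pw=bad mfa=none
2025-03-29T02:14:13Z src=203.0.113.10 user=member1007 pw=ok mfa=required
2025-03-29T02:14:14Z src=203.0.113.10 user=member1008 pw=bad mfa=none
2025-03-29T02:20:00Z src=198.51.100.7 user=member2001 pw=bad mfa=none
2025-03-29T02:20:05Z src=198.51.100.7 user=member2001 pw=bad mfa=none
2025-03-29T02:20:15Z src=198.51.100.7 user=member2001 pw=ok mfa=required
"""


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool   # password accepted
    mfa: str        # "none" = session issued on password alone


@dataclass
class Finding:
    src: str
    distinct_users: int
    attempts: int
    failures: int
    compromised: list   # password correct, no MFA gate: treat as taken over
    held_by_mfa: list   # password correct, but a second factor was required


def parse_line(line: str) -> AuthEvent:
    """Parse one 'ts key=value ...' line of the constructed format."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, kv["src"], kv["user"], kv["pw"] == "ok", kv["mfa"])


def detect_stuffing(lines, window_seconds=300, min_accounts=5, min_fail_rate=0.6):
    """Return one Finding per source IP whose densest window looks like stuffing."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev.src].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        # Sliding window: keep the chunk with the most distinct usernames.
        best_users, best_chunk, left = 0, [], 0
        for right in range(len(events)):
            while events[right].ts - events[left].ts > window:
                left += 1
            chunk = events[left:right + 1]
            users = {e.user for e in chunk}
            if len(users) > best_users:
                best_users, best_chunk = len(users), chunk
        failures = sum(not e.success for e in best_chunk)
        if best_users < min_accounts or failures / len(best_chunk) < min_fail_rate:
            continue  # single-user retries and ordinary traffic fall through here
        compromised = sorted({e.user for e in best_chunk if e.success and e.mfa == "none"})
        held = sorted({e.user for e in best_chunk if e.success and e.mfa != "none"})
        findings.append(Finding(src, best_users, len(best_chunk), failures, compromised, held))
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(SAMPLE_LOG.splitlines()):
        print(f"{f.src}: {f.distinct_users} accounts, {f.failures}/{f.attempts} failed; "
              f"lock now: {f.compromised}; held by MFA: {f.held_by_mfa}")
```

The thresholds are deliberately loose for the eleven-line sample; on real portal traffic a stuffing source typically fails well over 95% of the time, so `min_fail_rate` can be raised, and the `distinct_users` count is the signal that separates stuffing from one member's forgotten password. The `held_by_mfa` list is the argument for enforcing MFA on every account rather than offering it: those are the same stolen passwords, and the only difference in outcome is the second factor.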

These examples illustrate the breadth and complexity of the cyber threat environment in Australia. Breaches are rarely caused by one factor alone: credential reuse, weak authentication controls, third-party dependencies, outdated systems and human error all play a role. In several cases, the most significant harm occurs weeks or months later, when data is misused or publicly released. Collectively, these breaches highlight a shift away from purely technical failures towards systemic and organisational vulnerabilities.

Regulatory Responses and Policy Developments

In response to the scale and impact of cyber incidents throughout 2025, the Australian Government introduced several regulatory measures aimed at improving visibility, accountability and national cyber resilience:

  1. Security of Critical Infrastructure Act 2018 (SOCI Act) Amendments - effective progressively across 2025 - enhancements included expanding the range of assets covered under SOCI, including certain data storage and processing systems, requiring regulated entities to implement and maintain a critical infrastructure risk management program, and strengthening incident reporting and government visibility over assets of national significance.
  2. Scams Prevention Framework (SPF)  - effective February 2025 - requiring designated businesses, including banks, telecommunications and digital platforms, to take active steps to prevent, detect, disrupt, respond to and report scams. It sets out overarching principles and enables sector-specific codes of practice for regulated entities in key parts of the economy.
  3. Smart Device Security Standards (Cyber Security Rules 2025) - effective March 4, 2025 - requiring most smart devices manufactured for personal, domestic or household use, excluding devices like desktop computers, laptops, smartphones and tablets to meet core security requirements, including unique credentials, vulnerability reporting mechanisms and security update transparency. Manufacturers and suppliers must also provide a statement of compliance confirming adherence to the standards.
  4. Mandatory Ransomware Payment Reporting - effective May 30, 2025 - requiring businesses and organisations with an annual turnover of more than $3 million, as well as responsible entities for certain critical infrastructure assets, to report ransomware and cyber extortion payments, and the incidents behind them, to the Australian Government.
  5. Cyber Incident Review Board (CIRB) - effective May 30, 2025, establishment of a statutory body that conducts independent, no-fault reviews of significant cyber incidents to identify lessons learned and improve future resilience.
  6. APRA CPS 230 Operational Risk Standard - effective July 1, 2025 - requires all APRA-regulated entities, including banks, insurers and superannuation trustees to identify, assess and manage operational risks and ensure continuity of critical services through severe disruptions, including cyberattacks and service-provider failures.

Collectively, these measures are implemented through a combination of statutory obligations, regulatory oversight and sector-specific guidance. Compliance is monitored by relevant authorities, including APRA, the OAIC, the Australian Cyber Security Centre and portfolio regulators, using a mix of mandatory reporting, supervisory reviews, post-incident analysis and enforcement powers.

Strengthening Your Organisation’s Cyber Resilience

The cyber security landscape in Australia is characterised by persistent, sophisticated threats affecting organisations of all sizes and across all sectors. High-profile breaches throughout 2025 demonstrated that cyber risk is no longer confined to technical failures alone, but is shaped by human behaviour, third-party dependencies and organisational preparedness.

To learn from the cyber incidents of 2025 and align with emerging regulatory expectations, organisations should focus on the following actions:

  1. Test and validate defences through regular penetration testing to identify exploitable vulnerabilities before attackers do.
  2. Strengthen preventive controls by implementing continuous threat exposure management (CTEM), improving data security, and embedding staff security awareness training to reduce human-error risk.
  3. Embed cyber security into governance and risk management with expert consulting and advisory support to align security strategy with business objectives and regulatory requirements.
  4. Improve detection and response capability by leveraging a managed Security Operations Centre (SOC), including managed detection and response and incident response services, to ensure rapid identification and containment of threats.

Infotrust is committed to guiding your organisation in developing a resilient security posture, proactively mitigating risks, and staying ahead of emerging cyber threats. If you would like to strengthen your cyber resilience, contact the experts at Infotrust for a security planning session.