Australian cyber attacks in 2025 exposed customer records, health information, court documents, passwords and retirement savings. Qantas, Genea, iiNet, Australian superannuation funds, the NSW Online Registry and universities all disclosed significant incidents.
The clearest business lesson is that cyber risk did not stay inside the IT department. It reached customers, vulnerable patients, court users, members, staff and entire service operations. This review separates confirmed facts from claims, explains what costs were actually made public and turns the incidents into a practical security plan for Australian businesses.
By Compuloop | Evidence reviewed against official notices, Australian Government sources and attributed reporting | Published 14 July 2026
Australian cyber attacks 2025: the short answer
Across these Australian cyber attacks, four patterns repeated: stolen or abused credentials, third-party systems, sensitive data held at scale and recovery processes that had to work under public pressure. The national data supports the same conclusion. The OAIC received 1,205 eligible data breach notifications in calendar 2025—the highest annual total since mandatory reporting began in 2018 and 8% higher than 2024.
Across FY2024–25, ASD received more than 84,700 cybercrime reports, roughly one every six minutes. The average self-reported cost per business report was $80,850, up 50% overall.
Cost warning: most affected organisations did not publish their investigation, recovery, legal, notification or customer-support costs. The only directly quantified loss across the six case studies below is at least $500,000 stolen from four AustralianSuper members. That is a defensible public lower bound—not the total economic cost of the incidents.
The biggest Australian cyber attacks and data breaches of 2025
The Australian cyber attacks selected here have enough public evidence to support useful analysis. This is not a complete register of every Australian cyber event in 2025. Dates refer to public disclosure or detection where available.
| Incident | What was publicly confirmed | Publicly disclosed direct loss or incident cost | Business lesson |
|---|---|---|---|
| Genea February | Patient information was accessed and later published on the dark web. | Not disclosed | Protect sensitive health data, minimise retention and prepare humane notification support. |
| NSW Online Registry March | About 9,000 sensitive court documents were downloaded. | Not disclosed | Authorisation controls must protect documents even after a user reaches a portal. |
| Australian super funds April | Multiple funds faced credential-stuffing activity; up to 600 AustralianSuper member passwords were reportedly used. | At least $500,000 stolen from four members, according to ABC reporting. | Unique passwords, phishing-resistant MFA, fraud analytics and withdrawal controls belong together. |
| Qantas June/July | A third-party customer-service platform exposed data relating to 5.7 million customers. | Not disclosed | Your supplier’s platform is still your customer-data and reputation risk. |
| iiNet August | About 280,000 active email addresses, 20,000 landline numbers and smaller data sets were accessed. | Not disclosed | Older order systems and retained customer data need the same controls as flagship platforms. |
| University of Western Australia August | Password information for thousands of staff and students was exposed; accounts were locked and reset. | Not disclosed | Identity recovery needs rehearsed mass-reset procedures and clear user communications. |
1. Qantas cyber incident: 5.7 million customer records
On 30 June 2025, Qantas detected unusual activity on a third-party platform used by an airline contact centre. Qantas said the compromised data varied by customer and could include names, email addresses, phone numbers, dates of birth, addresses, gender, meal preferences and frequent-flyer information.
Qantas later confirmed that 5.7 million customers were affected. It said credit-card details, personal financial information, passport details, passwords, PINs and login details were not stored in the affected system or were not accessed.
What businesses should learn: third-party software and outsourced service operations remain part of your attack surface. Supplier due diligence should cover identity controls, privileged access, incident notification timeframes, log availability, data minimisation and how quickly access can be contained. A contract cannot transfer the reputational impact away from the organisation whose customers are affected.
Public cost: Qantas did not disclose a direct incident cost in the official notice reviewed for this article. Any legal, forensic, support, monitoring or remediation expense therefore cannot be responsibly added to a total.
2. Genea cyber attack: sensitive fertility data published
Genea said it detected suspicious network activity in February 2025 and later confirmed that information from its systems had been accessed by a cybercriminal and published on the dark web. In its 3 July 2025 update, the fertility provider said it had completed a comprehensive analysis and was contacting affected individuals with tailored findings and support.
This incident was especially serious because fertility and medical information can be intimate, permanent and difficult—or impossible—to replace. The business impact cannot be reduced to a record count. Patient distress, privacy harm, clinical disruption, notification quality and long-term trust all matter.
What businesses should learn: collect only information with a current purpose, set defensible retention periods, separate highly sensitive records, monitor unusual bulk access and prepare notifications that explain the specific data involved. Backups support recovery, but they do not undo data theft.
Public cost: Genea did not publish a complete monetary incident cost in the official updates reviewed. This article intentionally does not reproduce stolen patient records or screenshots from criminal leak sites.
3. Australian super fund attacks: at least $500,000 stolen
In April 2025, multiple Australian superannuation funds faced attempted account takeovers. ABC reported that cybercriminals may have used up to 600 AustralianSuper members’ stolen passwords and that four members lost at least $500,000 in retirement savings. Credential stuffing reuses username and password combinations stolen elsewhere against another service.
The incident put authentication and fraud controls under scrutiny. In June, APRA told regulated entities to address information-security obligations and critical authentication controls. MFA is important, but high-risk transactions also need behavioural monitoring, step-up verification, withdrawal controls and rapid fraud response.
What businesses should learn: password reuse becomes your problem even when the original theft occurred somewhere else. Enforce MFA, block breached passwords, rate-limit suspicious login activity, monitor impossible or unusual behaviour, protect account-recovery channels and require stronger verification for risky changes or payments.
Public cost: at least $500,000 was publicly reported stolen from four members. That figure is direct theft, not the combined investigation and remediation cost across the affected funds.
4. NSW Online Registry breach: about 9,000 sensitive documents
In March 2025, investigators responded to unauthorised access involving the NSW Online Registry. NSW Police said approximately 9,000 sensitive court files had been downloaded, including apprehended violence orders and affidavits. The Department of Communities and Justice said it contained the breach, reported it to Cyber Security NSW and police, and began assessing and contacting affected people.
What businesses should learn: authentication proves who a user appears to be; authorisation decides what that user can view or download. Portals that hold many documents need object-level access checks, bulk-download controls, rate limits, audit logs and alerts for unusual access patterns. Sensitive records also need threat modelling around misuse, not only confidentiality in the abstract.
Public cost: no direct incident cost was disclosed in the official statement reviewed.
5. iiNet data breach: email addresses, phone numbers and modem passwords
iiNet confirmed unauthorised access to its order-management system in August 2025. According to the official iiNet incident notice, the extracted information included about 280,000 active email addresses, about 20,000 active landline numbers, inactive contact data, approximately 10,000 usernames, street addresses and phone numbers, and about 1,700 modem setup passwords.
iiNet said the system did not contain customer identity documents, credit-card details or banking information. That limitation matters, but email addresses and phone numbers can still support targeted phishing and impersonation—especially when criminals can reference a genuine supplier relationship.
What businesses should learn: inventory older operational databases, justify retention, protect service credentials, monitor bulk exports and remove information that no longer has a business or legal purpose. “Limited” data can become more harmful when combined with information from other breaches.
Public cost: iiNet did not disclose a complete direct incident cost in the official notice reviewed.
6. University of Western Australia: thousands of passwords exposed
In August 2025, the University of Western Australia investigated unauthorised access to password information affecting thousands of staff and students. UWA locked accounts and reset passwords across staff, student and visitor populations. At the time of the reporting, the university said there was no evidence that information other than passwords had been accessed and no indication of ransomware.
What businesses should learn: identity systems are recovery infrastructure. Organisations need a tested way to revoke sessions, reset credentials at scale, protect help-desk verification, prioritise privileged users and communicate without relying solely on the affected system.
Public cost: no complete monetary incident cost was disclosed in the reporting reviewed.
What did Australian cyber attacks cost in 2025?
The Australian cyber attacks reviewed here do not have a reliable public combined cost. Five of the six organisations or incident groups did not disclose full direct costs. Adding generic industry averages to each case would create a number that looks precise but is not evidence.
The defensible figures are:
- At least $500,000: publicly reported direct theft from four AustralianSuper members.
- $80,850: ASD average self-reported business cybercrime cost per report in FY2024–25—not an estimate for any named incident.
- $56,571: average for small-business reports in FY2024–25.
- $97,166: average for medium-business reports in FY2024–25.
- $202,691: average for large-business reports in FY2024–25; ASD warns low reporting and outliers can affect this average.
- $2.797 billion: AIC estimate for pure cybercrime affecting Australian businesses in 2023–24—not a total for the six 2025 incidents.
The Australian Institute of Criminology estimated pure cybercrime cost Australian businesses $2.797 billion in 2023–24. This national model is useful context, but it must remain separate from the confirmed event-level figures.
Real incident budgets can include investigation, containment, legal advice, notification, customer support, identity monitoring, system rebuilding, overtime, lost revenue, fraud reimbursement, insurance excess, regulatory action and longer-term security work. Public companies may aggregate some of those costs inside broader operating expenses rather than identify one cyber line item.
The Essential Eight: the basics Australian businesses should implement
These Australian cyber attacks show why the ASD Essential Eight remains a practical baseline for reducing common attack paths. It is most useful when implemented as a coordinated set of controls and assessed against a target maturity level—not treated as eight standalone purchases.
- Application control: prevent unapproved software, scripts and installers from running.
- Patch applications: prioritise exploited and internet-facing vulnerabilities.
- Configure Microsoft Office macros: restrict macro execution and risky content.
- User application hardening: reduce dangerous browser, Office and PDF behaviours.
- Restrict administrative privileges: separate normal work from privileged administration.
- Patch operating systems: maintain supported systems and close known vulnerabilities.
- Multi-factor authentication: protect remote, privileged and important business access.
- Regular backups: protect, test and retain recoverable copies of important data and configurations.
Compuloop has a plain-English guide to the Essential Eight for Australian businesses and provides Essential Eight assessment and implementation support.
Essential Eight is a baseline, not the whole program. The 2025 incidents also demand supplier risk management, data minimisation, fraud controls, security monitoring, incident response, privacy processes and executive ownership.
A practical 30-day response for Australian businesses
For businesses learning from these Australian cyber attacks, the next step is to convert the headlines into assigned work. A useful first month focuses on evidence and high-impact controls rather than a long policy document nobody tests.
- Days 1–5—identify: list critical systems, sensitive data, suppliers, administrators and internet-facing services.
- Days 1–5—remove: disable stale accounts, unsupported software, public services and data with no justified purpose.
- Days 6–10—secure identity: enforce MFA, review privileged access, separate admin accounts and protect password resets.
- Days 11–15—patch: remediate exposed and exploited vulnerabilities across endpoints, servers, firewalls and cloud applications.
- Days 16–20—prove recovery: restore a representative backup and record the real time, people and dependencies required.
- Days 21–25—improve detection: centralise important identity, endpoint, firewall, email and cloud audit logs.
- Days 26–28—review suppliers: confirm access, data holdings, breach notification terms and available evidence.
- Days 29–30—exercise: run a tabletop incident with management, IT, operations, legal/privacy and communications roles.
Use the ACSC incident response planning guidance to formalise responsibilities, evidence handling, communications, containment and recovery. Pair the exercise with a real backup restore test, not a dashboard screenshot.
Questions Australian business owners ask
What was the biggest Australian data breach in 2025?
By publicly confirmed customer count among the incidents reviewed here, Qantas was the largest: 5.7 million customers were affected. “Biggest” can mean more than record count, however. Genea involved highly sensitive health information, the NSW Registry involved court documents, and the super-fund attacks produced confirmed direct financial theft.
How much did Australian cyber attacks cost in 2025?
There is no reliable public combined total for the named incidents. At least $500,000 was publicly reported stolen from four AustralianSuper members, while most organisations did not disclose their full response and recovery costs. ASD reported an average self-reported business cybercrime cost of $80,850 per report in FY2024–25, but that average should not be assigned to individual incidents.
Will the Essential Eight stop every data breach?
No. The Essential Eight materially reduces common attack paths, but businesses also need supplier oversight, data governance, monitoring, fraud controls, privacy readiness, incident response and tested recovery. The correct goal is reduced likelihood and impact—not a promise that incidents become impossible.
What should a business do first after discovering a cyber incident?
Activate the incident response plan, preserve evidence, contain affected access, involve authorised decision-makers and obtain qualified technical and legal/privacy advice. Avoid random deletion or rebuilding before evidence is secured. Reporting obligations vary by incident, data, sector and organisation.
Turn the 2025 lessons into a practical security plan
Compuloop can review identity, Microsoft 365, endpoints, firewalls, backups, suppliers and Essential Eight maturity, then prioritise fixes around the systems your business actually depends on.
Review cybersecurity services | Review Microsoft 365 security | Review backup and recovery
Do you know which control would fail first?
Book a practical cyber security review for your Australian business.
Request a cyber security review | Call 1300 007 613 | Email sales@compuloop.com.au
Sources, methodology and corrections
Our Australian cyber attacks analysis prioritises official incident notices, Australian Government and regulator sources. ABC reporting is used where an official page did not publish the relevant count or direct loss. We distinguish confirmed organisational statements from allegations and avoid assigning generic cost averages to named incidents.
- ASD Annual Cyber Threat Report 2024–25
- OAIC: 2025 data breach notifications reach an all-time high
- Australian Institute of Criminology: costs of serious and organised crime 2023–24
- Qantas cyber incident notice and ABC confirmed-customer reporting
- Genea cyber incident updates and support resources
- ABC reporting on superannuation fund attacks and APRA authentication-control action
- NSW DCJ Online Registry statement and ABC/NSW Police document count
- iiNet cyber incident notice
- ABC reporting on the UWA password incident
- ASD Essential Eight and incident response planning guidance
Editorial cutoff: 14 July 2026. This is general information, not legal advice or a forensic finding about any affected organisation. Compuloop will correct material factual errors or update confirmed figures when reliable primary evidence changes.


