Australian data breaches have surged 48% so far this year, the latest data point that suggests that threat actors are finding rich targets Down Under.
That figure is based on Cyble dark web researchers’ investigations of significant data breaches claimed by threat actors on data leak sites. It is thus a proxy rather than a complete count of all data breaches, the true number of which is almost certainly higher. Globally, claimed data breaches recorded by Cyble dark web researchers are up 18% so far in 2025 to 1,684 – a significant increase in itself, but one that makes Australia’s surge stand out all the more.
Cyble dark web researchers recorded 71 claimed data breaches involving Australian organizations through October 3 – 48% higher than the 48 recorded in the same period of 2024, and already higher than the 66 Australian data breaches recorded by Cyble for all of 2024.
About 50 of the breaches thus far in 2025 have been claimed by ransomware groups. The share of Australian data breaches attributed to ransomware groups has surged this year, from roughly 42% in 2024 to 71% in 2025, suggesting that these groups may be getting more effective at exfiltrating sensitive data.
A significant increase in supply chain attacks may also be contributing to the increase in data breaches, as each supply chain attack can lead to multiple breaches of downstream customers.
The most targeted sectors for data breaches in Australia were Professional Services, IT, Healthcare, Energy & Utilities, Banking and Financial Services, Education, Construction, Real Estate, Telecom, Transportation, Hospitality, and Manufacturing.
Below are a dozen of the more significant Australian data breaches recorded by Cyble dark web researchers this year.
A threat actor (TA) on a private Telegram channel advertised documents allegedly sourced from a major Australian airline. The TA claimed to possess approximately 2TB of sensitive documents.
A threat actor on BreachForums offered a database allegedly pertaining to an Australian telecommunications provider offering broadband and SIM-only mobile plans. In the post, the TA offered two different databases containing a total of 236,000 records. The first database consisted of personally identifiable information (PII) such as ID, Name, E-mail, Password, Account ID, and Last name. The other database consisted of the following fields: ID, User ID, Mobile, Home phone, Date of birth, Card holder, Card type, Current UUID token, Card number, Expiry date, Token IP address, Bill account number, Address, City, Postal code.
A TA on the English-language cybercrime forum DarkForums leaked source code belonging to an Australian SaaS company offering a Loan Management System (LMS) and an electronic document signing tool. According to the TA, the leaked source code includes authentication modules, document generation components, administrative and dashboard interfaces, API endpoints, and database administration access.
The SpaceBears extortion group claimed responsibility for breaching an Australian-based ICT and telecommunications services provider. The group did not disclose the exact volume of data stolen but stated that the compromised materials include databases, financial documents, and personal information of clients.
A threat actor on the cybercrime forum XSS offered data allegedly belonging to a large Australian construction company. The TA offered 71 GB of confidential data acquired from an internal portal, which included geotechnical reports, design blueprints, construction specifications, planning and coordination documents, and safety and risk plans. The documents also allegedly contained sediment and erosion control plans.
A TA on the English-language cybercrime forums Leakbase and DarkForums offered a database allegedly belonging to an Australian trading platform offering trading in forex, stocks, indices, commodities, and cryptocurrencies. In the post, the TA claimed that the database contains 27,000 records and shared a few samples consisting of the following fields: ID, Currency, Created at, Funding ID, Updated at, Funding method, Funding source, Ref code, ID status, KYC state, PP status, Account ID, User email, Account type, User country, User fullname, Account currency, Account leverage, Account platform, Trading report URLs, User transaction ID, Receiver Email, Sender Country, Receiver Country, Sender Full Name, Receiver Full Name.
Multiple Australian pension funds were hit by coordinated hacking that compromised thousands of member accounts. The threat actors accessed thousands of these accounts using stolen passwords. The unauthorized access led to some members losing money through their pension accounts.
A threat actor on the English-language cybercrime forum DarkForums advertised data allegedly about a wholesale broadband network infrastructure project in Australia. The TA claimed to have approximately 306 GB of data, consisting of network maps and designs, cable details, equipment documentation, information on implementation and installation methods, field inspection reports, drilling reports, work order forms and execution files, as-built checklists, and technical performance test reports. To corroborate their claims, the TA shared a few sample images comprising various network maps and designs.
The World Leaks extortion group leaked 696 GB of data comprising more than 5.1 million files allegedly stolen from an Australia-based petroleum distribution and logistics company. A review of the file tree indicates structured access to internal server directories and includes folders that suggest the attackers accessed sensitive operational data, including shared drives and potentially financial and client logistics information.
A threat actor on the English-language cybercrime forum DarkForums advertised unauthorized access to a portal belonging to an Australian telecommunications company. The TA claimed that the portal provided access to domain administration tools and other critical network information. The TA quoted USD 750 for the access.
The KillSec hacking group claimed responsibility for compromising an Australia-based company that offers IT and telecom solutions. Leaked content included backup data, licensing and application configuration files, software license types, hashed credentials, and other critical infrastructure-related datasets.
A threat actor on the Russian-language cybercrime forum Exploit offered unauthorized access to a large Australian retail chain. The TA claimed that the hosting server holds 250 GB of data, including a 30 GB SQL database that contains a user table with about 71,000 records. The TA auctioned the access at a starting price of USD 1,500.
With organizations in Australia and elsewhere under assault by ransomware groups, supply chain attacks and data breaches, strong cyber defenses and hygiene are essential for stopping cyberattacks and limiting damage from any that do occur.
A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.