Regulations Rising, Risks Persisting: The Cybersecurity Crossroads Facing Australian Hospitality
The Australian hospitality industry is facing increasingly serious cyber threats, including ransomware attacks and third-party vulnerabilities. Although privacy regulations and critical infrastructure laws have been strengthened, weak enforcement means systemic risk persists. Several major data breaches in recent years have highlighted these challenges. The sector's cybersecurity is at a critical juncture. 2025-5-30 19:9:35 Author: www.trustwave.com

3 Minute Read

  • Australian hospitality is facing rising cyber threats as ransomware attacks, third-party breaches, and AI-enhanced phishing campaigns increase in frequency and sophistication.
  • New regulations, including the Privacy Act reforms and critical infrastructure laws, are reshaping compliance expectations—but enforcement gaps and limited sector coverage remain vulnerabilities.
  • High-profile breaches at Pizza Hut Australia, TFE Hotels, and ClubsNSW reveal systemic risks, especially around third-party vendors, legacy systems, and insufficient preventative controls.

The hospitality industry’s cybersecurity posture is approaching an inflection point.

Businesses increasingly have to absorb cost pressures in a challenging economic environment while still weighing technological innovation against escalating threats.

Australia’s regulatory reforms, including heightened penalties and critical infrastructure protections, provide a framework for resilience; yet enforcement gaps will remain. Those gaps risk legitimizing poor cybersecurity practice, because without consistent enforcement there is little disincentive to underinvest.

From an attacker’s perspective, ransomware continues to offer the best return on investment, so it is expected to keep growing in frequency over time.

As AI continues to evolve at a rapid rate, the breadth of delivery channels used to gain initial access (e.g., email, SMS, social media) is expected to increase, along with the polish and believability of the content delivered through them.

Ultimately, this will increase the likelihood of successful attacks against Australian hospitality businesses unless further investment is made in preventative capabilities such as managed detection and response (MDR), mail protection, and employee awareness training.

In Australia, legislative reforms such as the Privacy and Other Legislation Amendment Act 2024 and the Security of Critical Infrastructure Act 2022 have reshaped compliance requirements.

Meanwhile, high-profile breaches at entities like Pizza Hut Australia, TFE Hotels, and The Fullerton Hotel Sydney have underscored systemic vulnerabilities in the hospitality sector.

Compared to global trends, Australia’s regulatory framework emphasizes stricter penalties for privacy violations and expanded oversight of third-party vendors. Yet, the sector remains a prime target for ransomware groups like Akira.

Australia’s Privacy Act 1988 underwent significant reforms in 2024, introducing a statutory tort for serious privacy invasions (effective June 2025) and empowering the OAIC to issue penalties of up to AUD 3.3 million for non-compliance.

The Security of Critical Infrastructure Act 2022 mandates risk management programs for entities in sectors such as energy and transportation. However, its applicability to hospitality remains limited unless integrated into critical supply chains. Additionally, APRA CPS 234 requires financial institutions, including hospitality payment processors, to maintain stringent information security controls.

Ransomware groups like Akira and Conti affiliates are increasingly targeting the Australian hospitality sector by leveraging third-party vendors to infiltrate networks. The 2025 TFE Hotels breach disrupted operations for weeks, forcing manual check-ins and diverted phone systems. Similarly, the 2024 ClubsNSW breach, originating from IT provider OutABox, exposed the driver’s licenses and membership data of 1 million individuals.

Over the last five years, there have been a number of confirmed incidents that specifically impact the hospitality sector and its customers:

  • Pizza Hut Australia (2023) - In September 2023, the ShinyHunters hacking group exploited misconfigured Amazon Web Services (AWS) buckets to access 193,000 customer records, including delivery addresses, encrypted passwords, and masked credit card numbers. Despite claims of encryption, forensic analysis revealed vulnerabilities in credential management, prompting the Office of the Australian Information Commissioner (OAIC) to mandate third-party vendor audits under Privacy Act reforms.
  • Fullerton Hotel Sydney (2025) - The Akira ransomware gang exfiltrated 148 GB of corporate and guest data, including passports, driver’s licenses, and financial audits, marking Australia’s largest hospitality breach by data volume. Akira’s darknet post taunted the hotel’s inability to recover without paying the ransom, leveraging legacy vulnerabilities in the hotel’s document management systems. The breach triggered OAIC scrutiny under the Notifiable Data Breaches (NDB) scheme, with potential penalties exceeding AUD 50 million under the amended Privacy Act.
  • TFE Hotels (2025) - A months-long outage at TFE Hotels, which manages Adina, Vibe, and Travelodge brands, originated from unpatched vulnerabilities in cloud infrastructure. While credit card data remained tokenized, threat actors accessed historical booking records and employee credentials, forcing manual check-ins and diverted reservations. The incident highlighted gaps in APRA CPS 234 compliance, as third-party vendors lacked real-time intrusion detection systems.
  • ClubsNSW and OutABox Breach (2024) - A third-party breach at IT provider OutABox exposed 1.05 million records from 17 NSW pubs and clubs, including facial recognition biometrics, driver’s licenses, and slot machine usage data. The incident, linked to unpaid offshore developers, led to the arrest of a Fairfield West man and prompted NSW Cybercrime Squad investigations into supply chain due diligence failures. ClubsNSW faced criticism for non-compliance with NSW Liquor Act 2007 data retention protocols, which mandate encrypted storage of patron IDs.

In addition, there have been suspected or rumoured breaches that fit the modus operandi used by these groups:

  • Reward Hospitality (2024) - The BlackSuit ransomware gang claimed the theft of 385 GB of data from Reward Hospitality, including HR records, customer contracts, and SQL databases. While the company declined to confirm the breach, leaked samples on darknet forums included employee tax file numbers and supplier NDAs. The incident raised concerns about Security of Critical Infrastructure Act applicability, as Reward Hospitality supplies commercial kitchen equipment to critical infrastructure sites.
  • Merivale Venues (2024) - Unspecified Merivale venues were implicated in the OutABox breach, though the group denied data exposure. Cybersecurity analysts identified inconsistent data sanitization practices across Merivale’s legacy systems, suggesting potential unreported compromises of loyalty program data.


Article source: https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/regulations-rising-risks-persisting-the-cybersecurity-crossroads-facing-australian-hospitality/