The third quarter of 2025 was a wake-up call for some Australian organisations. From aviation to education and healthcare, cyber-attacks hit hard exposing sensitive data, disrupting operations and damaging trust.
Here are ten of the most significant breaches this quarter based on scale, sensitivity and financial fallout.
In July Qantas suffered a breach that exposed the personal data of up to six million customers. Attackers accessed the airline’s call centre systems leaking names, emails, phone numbers, birth dates and frequent flyer numbers. The incident caused national-scale reputational damage and heightened fraud risk with high costs tied to response, compensation and regulatory fallout.
August brought a breach at iiNet where over 200,000 customers were affected after unauthorised access to the company’s order management system. The incident raised serious privacy concerns and increased the risk of phishing attacks. Financial impact is expected to be high, driven by customer churn and compliance obligations.
In September the Interlock ransomware group leaked nearly 600GB of data from Loyola College in Victoria. The stolen files included passports, financial records and student information. The breach poses a severe risk to minors and families and carries long-term reputational and legal consequences for the school.
Australia’s largest home builder was hit by a ransomware attack in July, resulting in IT outages and the leak of employee records. The Qilin group claimed responsibility. The breach disrupted operations and damaged employee trust, with substantial costs expected due to service delays and internal impact.
Also in July, Louis Vuitton confirmed that Australian customer data was affected in a global breach. While details remain limited, the incident has drawn regulatory attention and raised consumer privacy concerns. The financial impact is expected to range from moderate to high depending on regional exposure.
In July ransomware was detected on internal systems at Ingram Micro, a global distributor. The breach had the potential to disrupt supply chains and partner operations across Australia. The incident highlights the risks to business continuity through vendor networks and moderate to high costs are expected.
The United Australia Party confirmed a ransomware incident in July involving personal data and internal emails. Officials stated it was “impracticable to notify individuals,” raising concerns about transparency and privacy. While the direct financial cost may be moderate, the reputational impact could persist through future elections.
An Adelaide-based women’s health clinic reported a cyber-attack in July that exposed sensitive patient data, including medical records. The breach is particularly critical due to the intimate nature of the information involved. High costs are expected, driven by privacy law compliance and emotional distress among patients.
In August hackers claimed to have stolen student and staff data from Belmont Christian College in New South Wales. The investigation is ongoing but the breach has already raised serious safeguarding concerns. Depending on the outcome of forensic analysis, the financial impact could be moderate to high.
September saw a third-party breach at BMW that leaked internal quality management documents and safety audits. While customer data was not affected, the exposure of internal processes raises questions about supply chain transparency and safety. The estimated cost is moderate with long-term implications for brand trust.
Let’s take these incidents as a call for action and recognise cybersecurity as something more than just a technical issue. It’s a business-critical priority that underpins continuity, trust and compliance. Many of these breaches could have been prevented with the right foundations in place.
If your current setup isn’t built for resilience, scalability or security, it’s time to rethink it.
Book your complimentary IT Health Check today and find out where your vulnerabilities lie before someone else does.
