2026 Data Breach lists
The Complete List of Data Breaches in Australia
January 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Regis Resources | Mining and natural resources | A cyber intrusion was detected, but forensic investigations found no data exfiltration or ransom demand. | Lynx ransomware group |
| 2 | Prosura Pty Ltd | Financial services and insurance | Personal and policy data of approximately 300,000 customers was exfiltrated and is being sold online. | Unknown cybercriminals |
| 3 | Victorian Department of Education | Government and education sector | Student names, school emails, year levels, and encrypted passwords were accessed by an unauthorised party. | Unknown threat actor |
February 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Seagrass Boutique Hospitality Group | Hospitality (restaurants & dining brands) | Unauthorized network access with suspected data exfiltration; investigation ongoing | Kairos ransomware group |
| 2 | youX (Australian fintech platform) | Fintech / Financial Services | Unauthorized access to MongoDB database with ~141GB data leak impacting ~600,000 loan applications and exposing personal & financial data | Unknown hacker (from a hacking forum platform) |
| 3 | Aeromedical Society of Australasia (ASA) | Healthcare / Aeromedical Services (Non-profit) | Alleged ransomware attack with potential data theft; no confirmed data exposure yet | LockBit 5.0 ransomware group |
| 4 | Hazeldenes | Poultry / Food Processing | Cyber attack causing production and delivery disruptions; investigation ongoing, no confirmed data exposure | Unknown |
March 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | LexisNexis | Legal, Government, Corporate sectors | 2GB data leaked exposing 21,000+ client accounts, 400,000 user profiles, and cloud infrastructure details | FulcrumSec |
| 2 | Smile Team Orthodontics | Healthcare (Dental / Orthodontics) | Ransomware leak exposing staff personal data, patient payment plans, and treatment histories | SafePay ransomware group |
April 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Bendigo & District Aboriginal Co-operative (BDAC) | Community Services (Health, Education, Social Services) | Cyber incident with limited impact; claimed ransomware breach with possible data exposure | INC Ransom |
| 2 | Booking.com | Travel, Hospitality, Online Booking Platforms | Customer data (names, emails, addresses, booking details) exposed via third-party breach, enabling targeted phishing attacks | Unknown (linked to compromised hotel partner credentials and infostealer malware) |
| 3 | Mastercom | Telecommunications, Government, Emergency Services, Transport & Logistics | Ransomware leak exposing customer, HR, financial data, and sensitive infrastructure details | INC Ransom |
| 4 | NSW Treasury | Government / Public Sector | Over 5,600 confidential government documents were allegedly accessed and transferred externally by a staff member. | Insider Threat – NSW Treasury staff member (45-year-old employee) |
| 5 | Genealogy SA | Non-Profit / Genealogy Research / Family History Services | SafePay allegedly stole and published business, financial, insurance, and personal data from Genealogy SA systems. | SafePay ransomware group |
| 6 | Gelatissimo | Retail / Food & Beverage / Hospitality | DragonForce claimed to have stolen 352GB of company data after unauthorised access to Gelatissimo’s systems. | DragonForce ransomware group |