2026 Data Breach lists
The Complete List of Data Breaches in Australia
January 2026
February 2026
March 2026
April 2026
May 2026
June 2026
January 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Regis Resources | Mining and natural resources | A cyber intrusion was detected, but forensic investigations found no data exfiltration or ransom demand. | Lynx ransomware group |
| 2 | Prosura Pty Ltd | Financial services and insurance | Personal and policy data of approximately 300,000 customers was exfiltrated and is being sold online. | Unknown cybercriminals |
| 3 | Victorian Department of Education | Government and education sector | Student names, school emails, year levels, and encrypted passwords were accessed by an unauthorised party | Unknown threat actor |
February 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Seagrass Boutique Hospitality Group | Hospitality (restaurants & dining brands) | Unauthorized network access with suspected data exfiltration; investigation ongoing | Kairos ransomware group |
| 2 | youX (Australian fintech platform) | Fintech / Financial Services | Unauthorized access to MongoDB database with ~141GB data leak impacting ~600,000 loan applications and exposing personal & financial data | Unknown hacker (from a hacking forum platform) |
| 3 | Aeromedical Society of Australasia (ASA) | Healthcare / Aeromedical Services (Non-profit) | Alleged ransomware attack with potential data theft; no confirmed data exposure yet | LockBit 5.0 ransomware group |
| 4 | Hazeldenes | Poultry / Food Processing | Cyber attack causing production and delivery disruptions; investigation ongoing, no confirmed data exposure | Unknown |
March 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | LexisNexis | Legal, Government, Corporate sectors | 2GB data leaked exposing 21,000+ client accounts, 400,000 user profiles, and cloud infrastructure details | FulcrumSec |
| 2 | Smile Team Orthodontics | Healthcare (Dental / Orthodontics) | Ransomware leak exposing staff personal data, patient payment plans, and treatment histories | SafePay ransomware group |
April 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Bendigo & District Aboriginal Co-operative (BDAC) | Community Services (Health, Education, Social Services) | Cyber incident with limited impact; claimed ransomware breach with possible data exposure | INC Ransom |
| 2 | Booking.com | Travel, Hospitality, Online Booking Platforms | Customer data (names, emails, addresses, booking details) exposed via third-party breach, enabling targeted phishing attacks | Unknown (linked to compromised hotel partner credentials and infostealer malware) |
| 3 | Mastercom | Telecommunications, Government, Emergency Services, Transport & Logistics | Ransomware leak exposing customer, HR, financial data, and sensitive infrastructure details | INC Ransom |
| 4 | NSW Treasury | Government / Public Sector | Over 5,600 confidential government documents were allegedly accessed and transferred externally by a staff member. | Insider Threat – NSW Treasury staff member (45-year-old employee) |
| 5 | Genealogy SA | Non-Profit / Genealogy Research / Family History Services | SafePay allegedly stole and published business, financial, insurance, and personal data from Genealogy SA systems. | SafePay ransomware group |
| 6 | Gelatissimo | Retail / Food & Beverage / Hospitality | DragonForce claimed to have stolen 352GB of company data after unauthorised access to Gelatissimo’s systems. | DragonForce ransomware group |
May 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Gregory Jewellers (Australian fine jewellery retailer) | Retail, Jewellery & Luxury Goods | Allegedly 574 GB of data stolen, including customer information, purchase history, internal documents, and personal identification records | Kairos ransomware group |
| 2 | Champion Homes (Sydney-based home builder) | Construction, Residential Home Building, Real Estate | 44 GB of data allegedly stolen, including tender documents, quotes, payroll records, and limited employee and customer data | DragonForce ransomware group |
| 3 | Queensland Department of Education (via Instructure’s QLearn platform) | Education, Government, Cloud Learning Services | Names, email addresses, school locations, and potentially student IDs and messages were compromised through Instructure’s Canvas platform | ShinyHunters cyber extortion group |
| 4 | Scope Systems (Western Australia-based software deployment and cloud services provider) | Information Technology, Software, Cloud Services | Cyber incident disrupted hosted services, but investigations confirmed no data loss or data exfiltration occurred | Unknown (no threat actor has claimed responsibility) |
| 5 | Instructure Canvas (impacting multiple Australian universities and educational institutions) | Education, Higher Education, EdTech, Cloud Learning Services | Personal information, student/staff messages, names, email addresses, and student IDs may have been accessed; no passwords or financial data were compromised | ShinyHunters cyber extortion group |
| 6 | Goodstone Group (Tasmanian hospitality provider) | Hospitality, Hotels, Restaurants, Bars & Retail Liquor | Cyber criminals exfiltrated data, including employee passport scans, confidentiality agreements, and financial records | CMD Organization ransomware group |
| 7 | Kennedy McLaughlin & Associates (Queensland-based accounting firm) | Accounting, Financial Services, Tax & Business Advisory | Unauthorised access exposed client financial, banking, and company data, which was later published online | Qilin ransomware group |
June 2026
| No | Affected Company | Industries | Data breach Details | Threat Actor |
|---|---|---|---|---|
| 1 | Melbourne International Film Festival (MIFF) | Arts, Entertainment, Events & Ticketing | 26,782 customer records were compromised, including names, email addresses, phone numbers, addresses, and customer IDs; no financial or credit card data was exposed | Hacker using the alias “2019” |
| 2 | Mackay Sugar (Australia’s second-largest sugar manufacturer) | Agriculture, Food & Beverage Manufacturing, Energy | Cyber incident disrupted operations, forcing the shutdown of the Farleigh and Racecourse sugar mills; no confirmed data breach reported | Unknown (no threat actor has claimed responsibility) |
| 3 | Ochre Medical Centre Tuggeranong (Ochre Health) | Healthcare, Medical Services | Over 25,000 patient records, including Medicare/DVA numbers, personal details, appointment, and billing information, were potentially compromised via a third-party platform | Hacker using the alias “2019” |
| 4 | Elina Medical Weight Loss Clinic (Victoria) | Healthcare, Weight Loss & Medical Services | Over 28,000 patient records were allegedly stolen, including personal details, Medicare information, and appointment records via compromised HotDoc accounts. | Hacker using the alias “2019” |
| 5 | NSW Rural Fire Service (NSW RFS) | Government, Emergency Services, Public Safety | Historical files may have been accessed, but no evidence of sensitive personal data compromise or operational impact | Unknown (no threat actor has claimed responsibility) |
| 6 | Generation Life (Australian investment firm) | Financial Services, Investment Management | Personal information of a limited number of customers was compromised; investments, funds, and core systems were unaffected | Qilin ransomware group |