Quality and consistency through collaboration

As we farewell 2025, it’s timely to reflect on events that shaped the cyber landscape over the past year. Across Australia, organisations continued to face persistent targeted ransomware attacks, significant data breaches and the ongoing threat of cyber-enabled fraud. Sectors like healthcare and retail experienced sustained pressure. Approximately 85% of Australian enterprises suffered a materially impactful cyberattack and 41% were hit multiple times.

Some of the major cyber incidents in 2025 include the Louis Vuitton data breach and a major Australian airline breach, which exposed the personal information of approximately 5.7 million Australians. Separately, the spotlight is currently on two major ongoing class actions, the Medibank data breach class action and the Optus data breach class action, both arising from breaches in 2022. These major incidents, along with commentary relating to the ongoing class actions, were discussed in greater detail in the September edition of our Sparke Bytes publication.

The following changes that came into effect this year have reshaped the privacy and regulatory landscape:

  • A statutory tort for serious invasions of privacy was introduced on 10 June 2025 under the Privacy Act 1988, providing individuals with a direct right to sue for significant privacy breaches, such as unauthorised surveillance or malicious information misuse, creating new legal avenues beyond existing privacy rules.
  • On 2 October 2025, in the matter of Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396, the District Court of NSW granted an interlocutory injunction for an alleged serious invasion of privacy, representing the first judicial consideration of the new tort.
  • The class actions have paved the way for expanded powers for the Office of the Australian Information Commissioner (OAIC) and the courts, to include public enquiries, consultations and reports as well as increased investigative and monitoring powers.

2026 promises to be another year of significant developments in the cyber and privacy space as we look ahead to:

  • The OAIC’s development of the Children’s Online Privacy Code under the Privacy and Other Legislation Amendment Act 2024, which will be registered on 10 December 2026.
  • The recent decision of AYN and Fortrend Securities Pty Ltd (Privacy) [2025] AICmr 167, which indicates a tightening of the employee records exemption’s scope by the OAIC; organisations relying on automated decision-making in their business will soon be required to disclose key information about these processes in their privacy policy, signalling an ongoing shift toward greater transparency and accountability in how personal information is handled.
  • The rise of third-party breaches will no doubt increase the number of claims made by insureds, therefore highlighting the need for insurers to evaluate how insureds manage vendor relationships and data governance.

We will be back with more insights next year! Until then we wish you all a cyber-risk-free end to the year and a happy new year!
