Recent high-profile cyber incidents involving Louis Vuitton and a major Australian airline (Australian Airline) have underscored the growing exposure of personal data through routine transactions. These breaches demonstrate a broader trend of sophisticated cybercrime that increasingly targets large organisations via indirect and persistent methods, often exploiting vulnerabilities in third-party systems.

Supply chain vulnerabilities

The Louis Vuitton breach resulted in the exposure of customers’ personal information including names, contact details, and purchase histories. It remains unclear how many customers were affected by the attack, as the breach stemmed from weaknesses in customer relationship management platforms rather than a direct compromise of Louis Vuitton’s core infrastructure. Similarly, the Australian Airline breach involved unauthorised access to a third-party contact centre, resulting in the exposure of sensitive data belonging to 5.7 million Australians.

As cyber threats continue to evolve, vulnerabilities within supply chains and outsourced service providers are becoming increasingly critical. These risks demand stronger safeguards and oversight. The legal and operational consequences of such breaches are significant, particularly when organisations fail to implement adequate protections or maintain effective supervision of third-party vendors. Some key takeaways are as follows:

  • Organisations must assess and strengthen cybersecurity across their entire supply chain, including third-party platforms and service providers.
  • Failure to manage these risks can result in significant legal liability, including regulatory investigations and class actions.
  • The growing number of data breach cases has prompted calls for reform. One example is the new tort for serious invasions of privacy, which allows individuals to seek compensation for serious invasions of privacy, even in the absence of a breach of existing legislation.
  • Breaches can disrupt business operations, damage reputations, and erode customer trust.
  • Cyber insurance and robust vendor management frameworks are essential tools for mitigating exposure and ensuring rapid response to incidents.

This topic was previously addressed in greater detail in our earlier edition, accessible via the following link: Sparke Bytes - June 2025: Sparke Helmore

Legal action and regulatory scrutiny

In just three major cyber incidents involving major local companies, namely Optus, Medibank, and most recently the Australian Airline, more than 25 million customer accounts have been exposed. This trend highlights the growing scale and impact of data breaches in Australia.

The Australian Airline data breach has prompted a class action filed in July 2025 by Maurice Blackburn, alleging breaches of the Privacy Act 1988 (Cth). This case marks the latest development in Australia’s expanding cyber litigation landscape. While details continue to emerge, the action reflects a rising trend of affected individuals seeking collective legal redress. The claim seeks compensation for those impacted and raises broader concerns about the Australian Airline’s data governance and privacy practices.

The Medibank data breach class action is ongoing and stems from the 2022 Medibank incident. The Federal Court has recently ruled on privilege claims concerning investigation reports related to this breach. The class action is being funded by Omni Bridgeway on a no-win, no-fee basis, with Slater and Gordon representing the affected individuals. The case is still developing, with key procedural issues yet to be resolved.

The Optus data breach class action, also arising from a 2022 incident, involves the exposure of personal data belonging to nearly 10 million customers. This matter remains active, along with regulatory proceedings initiated by the Office of the Australian Information Commissioner.

Together, these actions highlight the multifaceted legal consequences of large-scale data breaches.

Key takeaways

For businesses

The recent breaches demonstrate the urgent need for improved cybersecurity practices across all sectors. Businesses should actively assess cybersecurity frameworks and data protection strategies, ensuring that third-party vendors are subject to stringent contractual obligations. Cyber insurance is an essential safeguard to ensure rapid and effective breach response.

For insurers

Insurers should closely monitor developments in privacy law and supply chain risk. As regulatory scrutiny intensifies, insurers must refine their understanding of risk and ensure that policy wording adequately addresses indirect exposures.

For underwriters

The increasing frequency of third-party breaches highlights the need for underwriters to evaluate how insureds manage vendor relationships and data governance.
