
Consolidated Major Australian Data Breaches Thread

Discussion in 'Networking, Telephony & Internet' started by ipv6ready, Sep 23, 2022.

  1. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,523
    Location:
    NSW
    Yeah, sorry, but if you want to take it out on someone, take it out on all the nefarious folk out there who want to rob you of your hard-earned money. We (the people giving you this lecture) are the people who have the mop and bucket and are being made to clean up other people's mess, normally well and truly AFTER telling said people in power to just do it, who then ignored this and hence the mop and bucket.
     
  2. supasaiyan

    supasaiyan Member

    Joined:
    Nov 17, 2006
    Messages:
    6,393
    Location:
    3000
    I find it annoying that some MFA requires their own MFA app
     
    Elmf, bcann and MUTMAN like this.
  3. MUTMAN

    MUTMAN Member

    Joined:
    Jun 27, 2001
    Messages:
    19,065
    Location:
    4558
    or that the only options are email/sms
    just let me use a time based mfa app ffs
     
  4. fnp

    fnp Member

    Joined:
    Apr 20, 2004
    Messages:
    5,311
    Location:
    Wait Awhile
    I'm annoyed that inane systems like to fill out my timesheet are secured like Fort Knox, yet important things like the bank or MyGov still persist with (optional) SMS-only 2FA.
     
    MUTMAN and supasaiyan like this.
  5. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    13,258
    Location:
    Melbourne
    if your timesheet is breached it costs your employer money. if your banking or MyGov details are breached, it costs you money.
     
  6. TheWedgie

    TheWedgie Insert Custom Title Here

    Joined:
    Jun 16, 2002
    Messages:
    3,410
    Unless it's with Frontier Software...
     
  7. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    20,426
    Location:
    Canberra
    used to have a HR/payroll system that was all proud that they encrypted your payslip PDF with your account password. They were rather confused when I asked why are they keeping account passwords in cleartext so that they may use them in their PDF system?

    thankfully and somewhat surprisingly after complaining up my CoC said HR system contract was torn up after only a few months. so we do somewhat take security seriously enough.

    the fact all our PII is thrown around various outsourced/cloud HR systems every other year doesn't flag any concerns though. and they wonder why I won't fill out any address details in the systems, only bit I can opt out of filling in.
     
  8. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    27,924
    https://www.abc.net.au/news/2025-04...passwords-stolen-by-malware-hackers/105196976
     
    sammy_b0i likes this.
  9. JSmithDTV

    JSmithDTV Member

    Joined:
    Jun 13, 2018
    Messages:
    13,435
    Location:
    Algol, Perseus
  10. Dass Booty

    Dass Booty Member

    Joined:
    Aug 11, 2001
    Messages:
    1,868
    Location:
    Logan, Queensland
  11. Sphinx

    Sphinx Member

    Joined:
    Sep 16, 2001
    Messages:
    11,579
    Location:
    Brisbane
  12. th3_hawk

    th3_hawk Member

    Joined:
    Jun 4, 2005
    Messages:
    2,879
    Location:
    Kilsyth 3137
    I got all six correct... although the reasons they provided were not the reasons I chose the one I did... Apparently I can sense a scam site :p

    But really, no one is checking that every word on a page is spelt correctly or that the information listed is "up to date" and this is why it works and catches people out. I read recently about how scammers work in teams, one contacting your real bank and one contacting you so they can pass through real questions from the bank, including requests to authenticate things, which of course people do since those are legit requests through legit channels. Scary stuff.

    My CC was compromised (again) last month and while I caught it early and it was all sorted, the moment it was cancelled/put on hold by me through the app (I was on hold waiting for the bank at the time) I missed a call from a number which left a message claiming to be the bank. I think that was something like the above scam where they would have tried to do dodgy things. In my case, the replacement card was compromised BEFORE it even arrived or was activated!! Apparently the scammers must have added it to a digital wallet which gets automatically updated when a new card gets issued unless the bank resets the tokens. Apparently the standard process is to only kill tokens for things that get disputed, that way your digital token with the phone company still works and doesn't need updating... although who the fuck knows which institutions might auto update vs which ones do I need to call??

    In any case, the process was smooth enough and another replacement was sorted and it's fine for now, but if history tells me anything it will happen again in the next 24 months. I'm still begging for an Australian bank to provide an account which can generate single use numbers.
     
    Dass Booty and JSmithDTV like this.
  13. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,523
    Location:
    NSW
    Why not Google pay/apple pay, they use single use numbers/token.... it's the whole reason i use them directly...
     
  14. th3_hawk

    th3_hawk Member

    Joined:
    Jun 4, 2005
    Messages:
    2,879
    Location:
    Kilsyth 3137
    I do that everywhere I can as well as paying through PayPal, but plenty of merchants don't offer an integration for Apple/Google Pay. Or is there some way to use one of them at random merchants because I choose to?
     
  15. supasaiyan

    supasaiyan Member

    Joined:
    Nov 17, 2006
    Messages:
    6,393
    Location:
    3000
    another data breach

    https://www.websiteplanet.com/news/infostealer-breach-report/
     
  16. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    13,258
    Location:
    Melbourne
    I believe Commbank already do so, but only for business accounts. this is the first I have seen for consumer grade. https://www.bankwest.com.au/virtual-cards
     
    Sphinx likes this.
  17. supasaiyan

    supasaiyan Member

    Joined:
    Nov 17, 2006
    Messages:
    6,393
    Location:
    3000
  18. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,523
    Location:
    NSW
    Not at this moment, but in the coming years i've been reading stories about "Numberless" credit cards, and i've seen one or two banks talk about releasing a consumer version, but as to how that connects to "Randomjoescrap.com.au" being able to process that payment, isn't fully developed yet. I suspect it'll work like some kind of "Passkeys" type thing where you scan a QR code to do the payment. That'll be the next way sites get hacked for payment details, replace said vendor payment QR code with "dodgysite.com" payment details... yes it'll only work once as it'll be tokenised, but how many people will notice until it's too late anyway?
     
  19. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    20,426
    Location:
    Canberra

    it'll probably end up more like Visa and Mastercard will set up their own PayPal equivalents. Where your account deets are kept centrally, and all randomjoescrap.com.au gets is, yeah bcann sent you $50, it's on the way. there's nothing to hack* from the vendor sites. and MC/Visa etc. have much more invested in being secure than Joe who hasn't updated the myeshop plugin on his site since whenever it was first put together.

    not a stretch as Visa/MC already do all the middleman work for a CC transaction, they just then take over the front end as well.


    * in terms of payment deets, they'll still of course poorly collect and store your name, and addresses.
     
    bcann likes this.
  20. Hater

    Hater Member

    Joined:
    Nov 19, 2012
    Messages:
    6,224
    Location:
    Canberra
    bankwest and commbank = same

    so i guess they're using bankwest as a trial before taking it to commbank customers
     
