This Isn't Just a Warning!
It's Already Happening

Estimated Exposure: 223,000 patients. $5.8 million penalty.

What Happened: Australian Clinical Labs got breached in 2022. Hackers walked through the front door — no multi-factor authentication, firewall logs kept for only one hour, no proper incident response plan. 223,000 patient health records stolen. Medication histories that reveal mental illness, fertility treatment, gender transition. All posted for sale on the dark web. The Federal Court didn’t just fine them — they broke it down: $4.2 million for not securing data. $800,000 for not investigating. $800,000 for not reporting it fast enough. First civil penalty ever imposed under the Privacy Act. The court said they “failed to act with sufficient care and diligence.”

Message: Australian regulators: ignorance is not a defence. Negligence has a price tag.

Source: Federal Court of Australia [2025] FCA 1224, OAIC prosecution

Estimated Exposure: The AI Attack Explosion — Australia Is Getting Hit Harder Than Anyone

What Happened: 36% of all cyber attacks against Australian businesses in 2024 were AI-generated. That’s a higher rate than the US and UK. Ransomware incidents surged 149% in early 2025. 80% of ransomware attacks now use AI tools. One in five Australian SMBs that got hit filed for bankruptcy or closed permanently.
54 billion malicious requests blocked by Wordfence in one year — billion, not million. 84,700 cybercrime reports in Australia per year. One every six minutes. Average cost per SMB incident: $56,600. That’s a new ute. The internet hasn’t lit up yet. The 5 million professional scammers haven’t found the AI
tutorials on YouTube. When they do, these numbers won’t rise. They’ll detonate.

Source: Cyble Threat Intelligence Report 2024

Estimated Exposure: 114 organisations hit across 3 continents. Still active.

What Happened: I writes the malware. Every variant is unique — never been seen before, so antivirus software can’t detect it. Disguised as legitimate software. 114 organisations hit. Manufacturing, government, and healthcare. Campaign still running. AI finds the targets. AI writes the code. AI deploys the attack. AI moves to the next target. Thousands per hour. No human required. The internet hasn’t lit up yet. This is the spark.

Source: Trend Micro Research, Sept 2025

Estimated Exposure: 34 GB exfiltrated, 3-day total shutdown

What happened: Sarcoma ransomware. 34 GB taken. Three-day complete shutdown. Their FOURTH cyber incident. Same company. Four times. They got hit, cleaned up, got back to work. Got hit again. Because they never actually locked the doors. Once you’ve been breached you go on a list. Other groups buy that access.  Without proper hardening and ongoing monitoring, you’re just waiting for the next one.

Source: Cyber Daily exclusive, Nov 2024

Estimated Exposure: Full client data published on dark web – even crypto wallets!

What Happened: Perth-area family law firm hit by Anubis ransomware. The attackers didn’t just encrypt and demand money. They moved in. Lived inside the systems long enough to copy everything. Divorce records. Superannuation forms. Crypto wallets. Tax data. Then published it all. Every Perth business owner who’s ever used a family lawyer can picture their own files up there.

Source: Cyber Daily / Lawyers Weekly, 2025

Estimated Exposure: €220,000

What happened: The employee received a phone call from the CEO. Sounded exactly like him. Tone, pacing, everything. Requested an urgent €220,000 wire transfer. The employee authorised it immediately. It was AI-generated audio cloned from publicly available recordings. Your voice is on your voicemail. On your website. On every Zoom you’ve ever been on. “Hey mate, transfer $15K to the supplier, I’m driving, sort the paperwork later.” That’s all it takes. And it sounds exactly like you.

Source: Wall Street Journal / Trend Micro, 2019

Aus Numbers

84,700 cybercrime reports per year in Australia. Once every 6 minutes. — ACSC 2024-25

$56,600 average cost per SMB incident. Up 14%. — ACSC 2024-25

309,000 Australian small businesses targeted. — Mastercard

$152,600,000 lost to business email compromise in Australia in 2023-24. — AFP

138 ransomware incidents handled by ACSC in one year. — ACSC 2024-25

$56,600 average. That’s a new ute. Or an apprentice’s annual wages. Gone in one incident.

Statistics:

$202,700 avg cost for large business incidents — up 219% YoY (ASD 2024-25)

334 million malicious domains blocked by ASD — up 307% (ASD 2024-25)

1,200+ cyber incidents responded to — up 11% (ASD 2024-25)

Healthcare ransomware incidents doubled in FY2024-25

Estimated Exposure: Client financial data breached. $2.5 million penalty.

What Happened: Fiig Securities — a financial services firm — ran “inadequate cybersecurity measures” for more than four years. Then they got hacked. ASIC took them to the Federal Court. Not the privacy regulator — the financial regulator. First time ever the Federal Court imposed civil penalties for cybersecurity failures under Australian Financial Services licence obligations.

The message: if you hold a licence, you hold a duty. Four years of knowing your security was shit and doing nothing about it now has a $2.5 million price tag. And ASIC has said publicly there are more actions coming.

Source: ASIC v Fiig Securities, Federal Court of Australia 2025

Estimated Exposure: 106+ GB corporate and employee data exfiltrated and published on the dark web.

What Happened: Pressure Dynamics International — a WA-based hydraulics and industrial company servicing oil, gas, offshore, and defence — got hit by DragonForce ransomware in 2025. The attackers didnt just encrypt. They exfiltrated over 106 gigabytes of corporate and employee data before locking the systems. Then they published it. Employee records. Corporate documents. Client details. All of it — available to anyone who knows where to look. This is the kind of business Perth tradies work around every day. Supplying rigs, maintaining equipment, servicing the industries that keep WA running. If they can get hit, your business is not too small to be a target.

The Message: Automated scanners dont care what industry youre in. They scan every IP, every domain, every exposed service. If your website or systems have a known vulnerability, youre on the list. The only question is when.

Source: Cyber Daily Exclusive, 2025