October 2025

Cyberattack threat grows as geopolitical tensions rise
In the Australian Prudential Regulation Authority’s (APRA) 2025-2026 corporate plan, the authority warned that increased geopolitical tensions could result in increased cyberattacks targeting Australia. “The risk environment for cyberattacks could worsen further in the context of escalating geopolitical tensions,” said APRA chair John Lonsdale. According to cybersecurity firm CrowdStrike’s 2025 Threat Hunting Report, nation-state activity rose sharply over the last 12 months – sharper even than regular, financially motivated cybercrime. Operational technology security firm Dragos’ Industrial Ransomware Analysis: Q2 2025 report also noted hacktivism had driven a surge in ransomware attacks during the quarter.

Heightened bushfire risk this spring
The Australian and New Zealand Council for fire and emergency services (AFAC) indicated parts of Australia’s east and west face heightened bushfire risk this spring as long-term rainfall deficiencies persist in southern SA, Victoria, Tasmania and western WA. The Seasonal Bushfire Outlook for spring identified a heightened risk of fire for the Dampier Peninsula, Derby Coast and the Central Kimberley, Little Sandy Desert, and south-eastern Pilbara in Western Australia, the south-eastern agricultural areas of the Murraylands in South Australia, and the south, southwest, central, and southwest Gippsland regions in Victoria.

Re-drawn flood maps spark calls for cyclone pool to be expanded
Following Brisbane City Council’s decision to revise its flood mapping next year, the Australian Consumers Insurance Lobby (ACIL) called on the Federal Government to widen its reinsurance pool to include flood risks. From 19 September, more than 17,000 properties were either added to or reclassified within the flood overlay. The flood mapping update affects 17,246 properties, with 10,129 added for having some risk, 400 removed and others subject to risk changes (including more than 2,000 moved into higher flood-risk categories). A paper from the Actuaries Institute notes that replicating a cyclone pool for flood may be less effective at reducing premiums.

$174 million lost to scams
The National Anti-Scam Centre said Australian consumers and businesses reported scam losses of almost $174 million in H1 2025. The Scamwatch data showed more than 108,000 scams had been reported. While the total number of reports was down 24%, reports involving losses increased 40.5%. The value of recorded losses was 26% higher than the same period the previous year, with the average loss sitting at $12,212.

ATO has GST fraud in its sights
Identifying and preventing fraud is one of the Australian Tax Office’s (ATO) priorities for FY26. “Fraud and serious organised crime are on the increase, fuelled by advancements in technology and digital services, data breaches and fraudsters who can rapidly evolve their tactics and ways of infiltrating the tax system,” the ATO said. The ATO had noted a rise in GST fraud, particularly within the property and construction industries, and issued a warning to businesses. The commitment follows the revelation made by the ABC’s Four Corners program (28 July) that an ATO loophole had allowed tens of thousands of Australians to commit GST fraud, stealing a total of $2 billion. The ATO responded saying it would continue its role to ensure all taxpayers paid the correct amount of tax, regardless of their size or profile. The ATO also issued an alert warning against committing GST fraud. On 5 September a mining company executive was sentenced to seven years and 10 months in prison after committing GST fraud.

One telco sued as another reports breach
On 8 August, the Office of the Australian Information Commissioner (OAIC) announced it had initiated civil penalty proceedings against Optus in relation to the September 2022 cyber incident that resulted in the exposure of the personal information of around 9.5 million customers. The OAIC alleges that Optus did not take adequate measures to safeguard personal data from misuse, interference, loss, or unauthorised access, and that its cybersecurity was inadequate. On 19 August, internet service provider iiNet disclosed it had been the victim of a cyberattack that had impacted the personal data of more than 200,000 of its customers. Based on initial investigations, TPG believes the hackers gained access using the stolen credentials of a single employee. Credential-based attacks have also been suffered by other telcos, including Telstra and Tangerine Telecom, Cyber Daily reported.