Top 3 Security Stories of the Month
A look back at what has happened in April 2025 in the Cybersecurity Space in Australia.
With the last week of the month upon us, and the federal election approaching, it is as good a time as any to look back at the top three cybersecurity stories in Australia this month. It has been another wild ride, continuing a theme from the end of last year.
Superfunds lost $750K after falling victim to credential stuffing attacks.
Superannuation is Australia's mandatory retirement savings scheme. If you work in Australia, your employer must pay 11.5% of your ordinary earnings (rising to 12% from 1 July 2025) into a superannuation fund.
Several funds have reported successful credential stuffing attacks. In a credential stuffing attack, usernames and passwords stolen in an earlier breach and sold on the dark web are replayed against other services, in this case the member login portals of the super funds; it works because so many people reuse the same password across sites. Australian Super, one of the largest funds, has confirmed that members lost $750K. Initial analysis indicates that multi-factor authentication (MFA) was not enforced at login; with MFA in place, a correct stolen password alone would not have been enough to get in. This is supported by the fact that other super funds that had MFA enforced did not fall victim.
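To make the attack pattern concrete, here is a small detector for it, written as an added example for this post; it is not code from the original article and not anything Australian Super or any other fund runs. The `auth.log` line format, the thresholds and the log lines are all constructed assumptions. It flags a source IP that attempts many distinct usernames with a low success rate, which is what a stuffing run looks like when a breached list is replayed, and separately flags a username attempted from several source IPs, which catches the same attack when it is spread across proxies to stay under any per-IP limit.

```python
"""Spotting credential stuffing in authentication logs.

Added example: not code from the original post, nor anything a super fund
runs. The "auth.log" line format, thresholds and sample events below are
assumptions made for the illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. 203.0.113.10 is an office NAT gateway (several
# users, mostly successful); 192.0.2.5 is one member fumbling a password;
# 198.51.100.7 replays a breached list; 198.51.100.8/.9 are proxies in a
# distributed run that each try only one account.
SAMPLE_LOG = """\
2025-04-03T09:00:01Z login user=alice src=203.0.113.10 result=success
2025-04-03T09:00:40Z login user=bob src=203.0.113.10 result=failure
2025-04-03T09:00:52Z login user=bob src=203.0.113.10 result=success
2025-04-03T09:01:15Z login user=carol src=203.0.113.10 result=success
2025-04-03T09:02:30Z login user=erin src=203.0.113.10 result=success
2025-04-03T09:05:00Z login user=dave src=192.0.2.5 result=failure
2025-04-03T09:05:09Z login user=dave src=192.0.2.5 result=failure
2025-04-03T09:05:20Z login user=dave src=192.0.2.5 result=failure
2025-04-03T09:05:41Z login user=dave src=192.0.2.5 result=success
2025-04-03T09:10:00Z login user=jsmith src=198.51.100.7 result=failure
2025-04-03T09:10:03Z login user=mlee src=198.51.100.7 result=success
2025-04-03T09:10:06Z login user=achen src=198.51.100.7 result=failure
2025-04-03T09:10:09Z login user=bpatel src=198.51.100.7 result=failure
2025-04-03T09:10:12Z login user=rkumar src=198.51.100.7 result=failure
2025-04-03T09:10:15Z login user=tnguyen src=198.51.100.7 result=failure
2025-04-03T09:10:18Z login user=swang src=198.51.100.7 result=failure
2025-04-03T09:10:21Z login user=lbrown src=198.51.100.7 result=failure
2025-04-03T09:10:24Z login user=kwilson src=198.51.100.7 result=failure
2025-04-03T09:10:27Z login user=bob src=198.51.100.7 result=failure
2025-04-03T09:11:02Z login user=achen src=198.51.100.8 result=failure
2025-04-03T09:11:40Z login user=achen src=198.51.100.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(
                ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                user=m["user"], src=m["src"],
                success=m["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def stuffing_sources(events, window=timedelta(minutes=5),
                     min_users=5, max_success_rate=0.3) -> dict[str, dict]:
    """Flag source IPs that try many distinct usernames with few successes.

    Both conditions are needed: a NAT gateway also shows many users but
    succeeds most of the time, and one user retyping a password fails a
    lot but only against a single account.
    """
    by_src: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        # Densest window: of the spans of `window` length starting at each
        # event, keep the one with the most distinct usernames.
        best = max(
            ([e for e in evs[i:] if e.ts - start.ts <= window]
             for i, start in enumerate(evs)),
            key=lambda win: len({e.user for e in win}))
        distinct = len({e.user for e in best})
        successes = [e.user for e in best if e.success]
        rate = len(successes) / len(best)
        if distinct >= min_users and rate <= max_success_rate:
            flagged[src] = {
                "distinct_users": distinct,
                "attempts": len(best),
                "success_rate": round(rate, 2),
                # A success inside a stuffing burst means the stolen password
                # was correct: reset these accounts; without MFA the attacker
                # is already in.
                "valid_credentials": sorted(successes),
            }
    return flagged


def targeted_users(events, min_sources=3) -> dict[str, int]:
    """Flag usernames attempted from many source IPs: the same attack spread
    across proxies to stay under any per-IP threshold."""
    sources: dict[str, set[str]] = defaultdict(set)
    for e in events:
        sources[e.user].add(e.src)
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("targeted users:", targeted_users(evs))
```

On the constructed sample this flags 198.51.100.7 (ten distinct usernames in under a minute, one success) and the username `achen`, which was tried from three different addresses. The `valid_credentials` entry is the point that matters for the super fund story: those are accounts where the replayed password was right, and detection after the fact only helps if the login also demanded a second factor, otherwise the attacker already had a session by the time the alert fired.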
Our analysis is that Australian Super needs to implement basic application security practices, starting with MFA on every member login. A great starting point for learning about MFA is to watch our video here:
Australian ban on Kaspersky came into effect:
The Australian government's ban on Kaspersky came into effect on 1 April. All government and critical infrastructure organisations, and any other organisation that does business with the government, have been directed to remove every trace of the software from their computing devices. Given how much of the Australian market is tied to government business, this effectively closes off Australia as a market for Kaspersky.
The directive was issued under the government's foreign interference prevention powers and highlights the further isolation of Russia and Russian organisations from the rest of the world. Its impact on Kaspersky beyond reputational loss is expected to be minimal; the bans in the US and across the EU are expected to be more consequential.
Hertz Car Rentals experiences a Data breach
In our final story of the month, Hertz Australia has notified customers that a third-party file sharing platform it uses was breached and data stolen. The incident affects the global business and the other brands under the Hertz umbrella, including Dollar and Thrifty, and covers data from October to December 2024. The types of data exposed include names, contact information, dates of birth, driver's licence details and payment card information. If you rented a car from any of these brands in that period, you should look into replacing your licence and payment card and watch for misuse of your details.
If you have questions about whether you have been affected or what you need to do, you can reach out to IDCARE, who can help you navigate the sometimes byzantine requirements for replacing government documents.
Those are the top three stories, but there have been many more, including the leak of Canberra's public transport user data within four months of the new system going live. Remember to sign up to our newsletter to receive more alerts and advice on what is happening in the cybersecurity space.