Date: 2026-03-09

The cyber and data security landscape continues to evolve at pace. It can be challenging to keep up, so we have collated our "top 10" cyber stories from the last month, so you don't have to. We are also releasing Part 2 of our latest Cross Examining Cyber podcast – the cross examination of the former head of the UK Cyber Security Centre, Professor Ciaran Martin CB.

News from HSF Kramer

New Podcast: Cross Examining Ciaran Martin (Part 2)

What makes a great lawyer in a cyber incident response? This is a key question that we explore during part 2 of our podcast with Professor Ciaran Martin, a world-leading cyber thought leader.

The question challenged Ciaran, but he answered it succinctly as "one do and one don't". The best incident leaders loosen control (the "do"), rather than tighten it (the "don't"). A damaging instinct in a crisis (often driven by impractical lawyering) is locking everything down and keeping help out for fear of liability. In practice, faster recovery usually comes from working openly with the broader cyber response community. Most people genuinely want to help. This is worth a save and watching or listening on your commute to / from work.

Upcoming webinar: The Cyber Simulation – Move from Plan to Planning

With the kind support of the Australian Signals Directorate (ASD), the National Office of Cyber Security (NOCS) and the Australian Federal Police (AFP), we bring you a webinar not to be missed.

In 2025, the HSF Kramer team moderated well over 100 cyber incident simulation exercises, ranging from fully immersive crisis management team exercises to high-level board simulations.

Meanwhile, ASD and the NOCS coordinated comprehensive cyber incident simulation programs involving Australia's most significant companies and sectors, while the AFP's cybercrime division has established itself as a global leader in cyber law enforcement response.

We would like to share our collective learnings with you. This webinar will comprise a panel of senior representatives from HSF Kramer, ASD, NOCS and AFP.

For anyone involved in cyber incident response or in building organisational cyber resilience, this one is for you!

Please join us by registering through the link here.

First ASIC penalty for cybersecurity failures: Federal Court imposes $2.5m penalty on FIIG

This article highlights ASIC's first successful civil penalty for cybersecurity failures, with the Federal Court ordering FIIG Securities to pay $2.5 million after a 2023 breach exposed highly sensitive client information. The decision found FIIG had failed for several years to maintain fundamental cyber controls, underscoring ASIC's expectation that AFS licensees must properly resource, implement and maintain effective cyber-risk measures.

You can read our full article here.

Cyber Top 10

1. There have been reports that the newly emerged 0APT ransomware group is claiming around 200 victims, but researchers say there is no evidence any attacks actually occurred, suggesting the group is inflating numbers to gain attention or attract affiliates. Despite the likely bluff, analysts warn that 0APT's ransomware tooling is technically sound, with cryptographically strong, fully operational binaries and a well-built affiliate panel. This means the group still poses a real risk if its malware is deployed. Read more here.

2. A new Commonwealth cyber posture report shows that most federal agencies are still not reporting their cyber incidents to the ASD, with only 35% reporting at least half of the incidents they detected in 2024 – 2025. ASD meanwhile responded to 408 agency-related incidents and directly alerted departments 233 times about malicious activity picked up through its own monitoring. The low reporting rate limits ASD's ability to help agencies mitigate threats, raising concerns about compliance and visibility across government. Read more here.

3. Australia's Administrative Review Tribunal has partially reversed an earlier OAIC finding that Bunnings' use of facial-recognition technology breached privacy laws. While the tribunal accepted that Bunnings was permitted to use the technology to address serious threats such as violence and organised retail crime, it also found the company failed to take reasonable steps to notify customers that their biometric information was being collected. Bunnings has since discontinued the technology, and the OAIC is considering whether to appeal. Read more here and here.

4. ElevenLabs has become the first company to earn the new AIUC-1 certification, which lets them offer insurance for how their AI voice agents behave in the real world. To get there, they had to run more than 5,000 adversarial tests covering things like safety, security, reliability, privacy, and real-world failure cases. With this certification in place, insurers can now underwrite the behaviour of AI agents. That means companies can get coverage for risks like bad or inaccurate answers, data leaks, or unauthorised actions, removing a big hurdle for rolling out AI at scale. Read more here.

5. It is reported that thousands of North Korean IT operatives are infiltrating Western companies by using stolen identities, AI-manipulated photos, deepfakes and fabricated resumes. These workers often appear highly skilled and productive, making detection difficult, and can number in the thousands across Fortune 500 networks. Experts warn employers to watch for mismatched IP addresses, inconsistent location details, and reused personas, noting that many North Korean operatives run multiple identities simultaneously, often from bases in China. Read more here.

6. A new Cyber Wardens report reveals that Australia's hospitality industry faces escalating cyber threats, driven by outdated systems, high staff turnover, and reliance on third-party vendors. The sector's expanding digital footprint (spanning booking systems, POS platforms and guest Wi-Fi) is creating more entry points for attackers, with social-engineering scams and ransomware identified as key risks. The findings emphasise that many small and mid-sized operators still lack basic cyber practices, leaving them particularly exposed. Read more here.

7. Cisco and Sharon AI have partnered with NVIDIA to launch Australia's first Cisco Secure AI Factory, delivering sovereign, high-performance AI infrastructure with all data processing kept onshore. The initiative aligns with Australia's National AI Plan and is designed to accelerate responsible AI adoption across government and industry. Read more here.

8. A former Australian intelligence officer has been jailed in the US for more than seven years after selling powerful cyber-exploit tools to a Russian broker. Prosecutors say these tools could have given access to millions of devices. The case is a sharp reminder that insider threats remain one of the most damaging risks in cybersecurity, especially when highly sensitive capabilities are involved. Read more here.

9. Cybersecurity experts are warning that Western organisations should brace for a wave of retaliatory cyber activity after US-Israeli strikes on Iranian targets. Analysts say Iran and its affiliated hacktivist groups have a long track record of answering military escalations with disruptive cyber operations – typically targeting critical infrastructure, government systems, and high-profile commercial networks. Read more here.

10. The Federal Court's $2.5m penalty against FIIG has attracted plenty of attention as ASIC's first civil penalty against an AFSL holder for cybersecurity failings, but it's worth keeping the significance in perspective. The conduct was historic, spanning 2019-2023, and because FIIG and ASIC agreed on both liability and penalty, the Court didn't need to test the facts or explore what "adequate" cyber risk management should look like in practice. That means the decision doesn't offer much guidance to the broader market beyond illustrating outdated deficiencies at one organisation. The penalty itself is relatively modest, raising questions about its deterrent value, and the case suggests ASIC's focus remains on pursuing AFSL holders over basic cyber hygiene rather than directors personally. Read more here.

