Treasury employee has been arrested and charged after allegedly accessing and transferring more than 5,600 sensitive government documents including confidential commercial and financial information to an external server, prompting the NSW government to declare a significant cyber incident.

Booking.com has notified customers of a data breach that exposed personal information including names, email addresses, phone numbers, and postal addresses after unauthorised parties accessed booking data across multiple countries, including Australia, with victims now being warned of targeted phishing scams.

A UNSW Institute for Cyber Security audit of nearly 200 school-endorsed apps found that the vast majority begin transmitting telemetry data including device identifiers and location metadata to third parties before users even interact with the app, raising serious child privacy concerns.

ASFA CEO Mary Delahunty outlined the superannuation sector's new SC3 (Superannuation Cyber and Financial Crime Coordination) framework built on four pillars including threat intelligence sharing, an incident response playbook, and sector-wide exercises to strengthen collective cyber and financial crime resilience across Australia's $4 trillion super system.

APRA and ASIC have both stated they are closely monitoring Anthropic's new AI vulnerability-finding model, Claude Mythos developed under Project Glasswing with regulators in Hong Kong and Singapore also taking steps to address the cybersecurity risks the technology poses to the financial sector.

APRA has finalised targeted amendments to the CPS 230 Operational Risk Management standard, introducing a limited exemption from certain contractual requirements for material arrangements with specific non-traditional service providers such as central banks, regulators, and clearing facilities where bespoke contracts are not practicable, effective 1 July 2026.