Mandatory Ransomware Reporting Australia: What the New Law Means for Your Business
On 30 May 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 commenced, making Australia one of the first countries in the world to legally require businesses to report ransomware payments to the government within 72 hours. If your business has an annual turnover of $3 million or more, or you are responsible for any critical infrastructure asset, Australia’s mandatory ransomware reporting regime now applies to you. Get it wrong and you face fines, regulatory scrutiny, and potentially criminal exposure. Get it right and you unlock “limited use” protections that can shield your business from downstream enforcement. Most Australian SMBs have no idea this law exists. Here is what you need to know.

What the Mandatory Ransomware Reporting Law Actually Requires

Under Part 3 of the Cyber Security Act 2024 (Cth), reporting business entities must submit a formal report to the Australian Signals Directorate (or another designated Commonwealth body) within 72 hours of:

A “reporting business entity” includes:

The report must include specific information about the incident, the extortion demand, the payment, and the parties involved.

Why the Government Introduced This Obligation

The Australian government’s rationale is straightforward. Before the law, the vast majority of ransomware incidents in Australia went unreported, meaning:

The law creates a national dataset that the ASD, the National Cyber Security Coordinator, and the Cyber Incident Review Board can use to protect other Australian businesses.

The “Limited Use” Safeguard You Need to Understand

The law includes an important protection known as “limited use.” Information reported under the mandatory ransomware reporting regime generally cannot be used to investigate or enforce against the reporting business, except for:

This means cooperating with the law actually protects your business in most regulatory contexts. Failing to report, however, exposes you to enforcement with no protection.

What This Means Practically for Your Incident Response Plan

Every Australian SMB with turnover above $3 million needs to update its incident response plan to include:

Should You Actually Pay the Ransom?

The mandatory ransomware reporting law does not prohibit paying ransoms, but paying is almost always the wrong decision:

The Australian government’s position, and the position of the ASD, is that prevention, tested backups, and structured response are always the better option.

Is Your Business Ready to Report Inside 72 Hours?

The mandatory ransomware reporting regime is now live. Non-compliance carries real penalties and real exposure.

Frequently Asked Questions

Q: What happens if I do not report a ransomware payment?
A: You face civil penalties and potentially criminal exposure, depending on circumstances. You also lose the “limited use” protections that would otherwise apply.

Q: Does the mandatory ransomware reporting law apply to small businesses under $3 million?
A: Not currently for the turnover threshold, but if you are responsible for a critical infrastructure asset, you must still comply regardless of size. Voluntary reporting is also encouraged for all businesses.

Q: Does reporting the payment protect me from OAIC privacy enforcement?
A: No. Privacy Act obligations around notifiable data breaches are separate. You may need to report to both the ASD (for the payment) and the OAIC (for the data breach).

The mandatory ransomware reporting law marks a significant shift in how ransomware is treated in this country. It is no longer a quiet, negotiated problem handled between victims and criminals. It is a national intelligence matter with formal obligations. Every Australian SMB above $3 million in turnover needs to know the rules, update its plans, and decide now, not during the crisis, how it will respond when the ransom demand arrives.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
Manufacturing Cyber Attack: How Hazeldenes and Metricon Show What Is Coming For Every Australian Maker
When a cyber attack on Victorian poultry processor Hazeldenes triggered chicken shortages in February 2026, it crossed a line Australian manufacturing had not seen before. This was not just data theft. This was operational technology being weaponised to hit shelves and supply chains. Combined with the Metricon Homes ransomware attack in July 2025, the Pressure Dynamics breach exposing 100GB of hydraulics data, the Natures Organics Medusa attack, and the Panasonic Australia incident, the manufacturing cyber attack pattern is clear: factories, builders, and food producers are now squarely in the crosshairs. If your business runs plant, production lines, or operational technology, the risk is no longer theoretical.

Why Manufacturing Cyber Attack Incidents Hit Differently

When a law firm gets ransomware, the damage is data and reputation. When a manufacturer gets ransomware, the damage is every unit not shipped, every contract at risk, every customer switching supplier. A manufacturing cyber attack impacts:

Metricon Homes, Australia’s largest home builder, saw 128GB of financial documents, architectural plans, and employee details stolen by the Qilin ransomware group in July 2025. The downtime alone cost hundreds of thousands of dollars.

The Special Problem of Operational Technology (OT)

Australian manufacturers increasingly run operational technology (OT) networks connected to corporate IT. OT includes:

These systems were designed for reliability, not security. Many cannot be patched without stopping production. Many still run Windows XP or Windows 7. Attackers know this.

The Six Most Common Entry Points for Manufacturing Cyber Attack Incidents

Five Steps to Harden a Manufacturing Environment

Could Your Factory Run Tomorrow If You Were Hit Today?

The manufacturing cyber attack surface is growing fast. Attackers have figured out that production downtime forces faster payments than data leaks.

Frequently Asked Questions

Q: Our PLCs are 15 years old and cannot be patched. What can we do?
A: Network segmentation is your answer. If the legacy equipment cannot be patched, it must be isolated from anything that could reach the internet or a compromised workstation.

Q: Is cyber insurance enough to cover a manufacturing cyber attack?
A: Insurance can help with financial recovery, but it cannot bring your production line back online. Technical controls always come first. Insurance is a backstop, not a plan.

Q: How long does it typically take to recover from a manufacturing ransomware attack?
A: For Australian SMB manufacturers, average downtime was 24 days in 2025. This assumes tested offline backups. Without them, recovery can take months or may require partial rebuilds.

The Hazeldenes chicken shortage, the Metricon Homes data leak, and the Natures Organics breach are not isolated incidents. They are the leading edge of a manufacturing cyber attack wave that will intensify through 2026. Australian makers have a choice: get ahead of it now, or explain to customers why their order will be late.

Written by Neil Frick
Third-Party Data Breach: The LexisNexis Lesson Every Australian Business Ignores
When LexisNexis confirmed a major cloud breach in March 2026 exposing legal and government client data, it exposed something every Australian business should already know: your cyber security is only as strong as the weakest vendor connected to your systems. A third-party data breach does not need to touch your infrastructure at all. It just needs to touch someone who touches you. From the OracleCMS breach that hit Victorian councils, to the Pareto Phone incident that leaked charity donor data, to MOVEit, Blackbaud, and now LexisNexis, the pattern is identical. If you are not actively managing your vendors, you are not managing your cyber risk.

Why Third-Party Data Breach Incidents Dominate the Headlines

The Office of the Australian Information Commissioner has repeatedly flagged third-party and supply-chain incidents as one of the fastest-growing breach categories. In the first half of 2025 alone, more than 30% of notifiable breaches in Australia involved a vendor, service provider, or contractor. Recent high-profile Australian examples include:

What Exactly Is a Third-Party Data Breach?

A third-party data breach occurs when an organisation suffers loss, exposure, or compromise of data through a vendor, supplier, contractor, SaaS provider, or any other external party with access to the organisation’s systems or information. This includes:

The Five Vendor Questions Every Australian SMB Must Ask

Before you sign any contract that involves a vendor touching your data, your staff, or your systems, you need clear answers to these five questions:

Contract Clauses That Actually Protect You

Most Australian SMB contracts with vendors contain generic boilerplate security language that does not survive a real breach. Stronger clauses include:

Do You Know Which Vendor Will Cause Your Next Breach?

Third-party data breach incidents now account for a growing share of Australian notifications. You cannot delegate your risk.

Frequently Asked Questions

Q: Am I legally responsible if a vendor causes a third-party data breach?
A: In most cases, yes. Under the Privacy Act, the organisation that collected the personal information usually remains accountable, even if the breach occurred at a processor or vendor.

Q: How often should I review my vendors?
A: At minimum annually. For vendors handling sensitive data or with privileged access, a six-month review cycle is strongly recommended.

Q: What is the first vendor I should review?
A: Any vendor with access to your email environment, your customer database, your payroll system, or your financial records. These are your crown jewels.

The LexisNexis breach, the OracleCMS incident, and every other third-party data breach on the Australian record share one common feature: the victim organisations trusted their vendors without verification. Trust is not a control. Verification is.

Written by Neil Frick
Qantas Data Breach 2025: What Scattered Spider Teaches Every Australian SMB
In July 2025, Australia woke up to news that up to 6 million Qantas customer records had been stolen through a single phone call to a third-party call centre. The Qantas data breach was not the result of zero-day exploits or state-sponsored malware. It was social engineering. A hacking group known as Scattered Spider convinced a help-desk operator they were a legitimate employee, bypassed multi-factor authentication, and walked out with names, emails, phone numbers, dates of birth, and frequent flyer numbers. If Australia’s flag carrier can be taken down by one phone call, your SMB needs to understand exactly how this happened and what to do about it.

How the Qantas Data Breach Actually Unfolded

The Qantas data breach began on 30 June 2025, when attackers targeted a third-party contact centre used by the airline. Using a technique known as voice phishing (vishing), the attackers impersonated a staff member needing urgent access recovery. The help-desk operator followed standard verification questions. The attackers had already harvested those answers from LinkedIn, data broker sites, and previous breaches. Within minutes, credentials were reset and MFA was re-registered to a device controlled by the attacker.

The lesson for Australian SMBs is brutal. Your weakest link is rarely your firewall. It is the human being answering the phone when someone sounds stressed and authoritative.

Who Is Scattered Spider and Why Are They Targeting Australia?

Scattered Spider is a loose collective of native-English-speaking cybercriminals specialising in social engineering attacks against help desks, IT support functions, and outsourced service providers. The Australian Signals Directorate issued a formal advisory on the group in July 2025. Their preferred playbook includes:

Why SMBs Are Just as Exposed as Qantas

Most Australian small businesses outsource something: bookkeeping, IT support, payroll, or customer service. Every one of those relationships is a potential Scattered Spider entry point. The Qantas data breach happened through a third party, not through Qantas’ own systems. Ask yourself:

Five Controls That Would Have Stopped Scattered Spider

Is Your Help Desk a Hacker’s Front Door?

The Qantas data breach shows that even $20 billion companies fall to one phone call. Your SMB has less margin for error.

Frequently Asked Questions

Q: Was the Qantas data breach caused by a Qantas system failure?
A: No. The breach occurred through a third-party contact centre. This is exactly why vendor risk management is now a front-line cyber security control for every business.

Q: Would MFA alone have stopped this attack?
A: Not by itself. Scattered Spider specifically targets MFA re-enrolment. Phishing-resistant MFA combined with strict help-desk verification processes is required.

Q: How quickly should my business act on this?
A: Immediately. Scattered Spider is actively targeting Australian organisations across retail, hospitality, financial services, and professional services right now.

The Qantas data breach is not an airline problem. It is a wake-up call for every Australian SMB that relies on people, phones, and third-party vendors. The attackers are already here, and they are calling. The only question is whether your team knows what to say when they do.

Written by Neil Frick
Supply Chain Cyber Attacks: The SMB Blind Spot You Cannot Afford to Ignore
Supply chain cyber attacks are now one of the most dangerous and underestimated threats facing Australian SMBs. In October 2025, ASIO Director-General Mike Burgess warned that Chinese hacking groups including Volt Typhoon and Salt Typhoon had probed Australian networks — including airports, telecommunications, and energy grids — with capabilities sufficient to shut down power or pollute water supplies. These were not direct attacks on major infrastructure operators. They entered through the supply chain: smaller suppliers, contractors, and technology partners with access to critical systems but without enterprise-grade security. If nation-state attackers are using your peers as their entry point into larger targets, a supply chain cyber attack is not someone else’s problem. It is yours.

How Supply Chain Cyber Attacks Work in 2025

The ACSC’s 2025 Annual Report identified IT supply chain as one of the top vulnerabilities facing Australian organisations, noting that “an organisation’s supply chain can often be its weakest link.” The attack mechanism follows a consistent pattern:

Several high-profile 2025 Australian incidents followed this exact pattern:

Supply Chain Cyber Attack Risk Runs Both Ways for Australian SMBs

The supply chain risk runs in both directions. As an SMB, you may be a supplier to:

Many Australian businesses are discovering that their clients — particularly enterprise and government customers — are now asking hard questions about security posture as part of procurement. The SMB1001 standard, developed specifically for Australian SMBs, provides a certification pathway that demonstrates baseline security to procurement teams.

The Three Questions You Must Ask About Every Supplier

1. What access does this supplier have to my systems?
Map every supplier, contractor, and service provider with any form of access to your network, data, or systems. For each relationship, document what they access, through what mechanism, and what an attacker could do if they compromised that supplier’s access.

2. What security controls does this supplier maintain?
You have a right to ask your suppliers about their security posture. At minimum, this should include: do they have MFA on all accounts with access to your systems? When did they last conduct a security assessment? Do they have an incident response plan? Do they carry cyber liability insurance?

3. How quickly would I know if this supplier was compromised?
Most supply chain breaches are discovered when damage is already done. Implement monitoring that would alert you to unusual activity from any supplier connection — access at unusual hours, large data movements, or access to systems the supplier has no business reason to reach.

Practical Steps for SMB Supply Chain Security

Audit your access grants. Remove any supplier access that is no longer needed. Reduce any access that is broader than necessary. Apply the principle of least privilege to every external connection. Revoke supplier access immediately when a contract ends.

Implement network segmentation. Suppliers should access only the specific systems they need, not your entire network. A flat network where one compromised supplier connection can reach everything is a fundamental architectural vulnerability.

Require contractual security standards. Add security requirements to supplier contracts. At minimum: MFA, current patching, incident notification within specified timeframes, and the right to audit. This is particularly important for IT suppliers, legal advisers, accountants, and any contractor who holds your data.

Monitor for anomalous activity from supplier connections. Set up alerting for unusual access patterns from any external connection. Access outside business hours, large data transfers, or access to systems beyond the supplier’s normal scope should trigger an alert immediately.

Understand your own security posture as a supplier. If you are part of someone else’s supply chain, review what security requirements they have communicated. Respond proactively to security questionnaires. Obtain certification to a recognised standard — the SMB1001 certification provides a verifiable security baseline that satisfies many enterprise procurement requirements.

Supply Chain Cyber Attacks Are Responsible for Some of Australia’s Most Damaging Breaches in 2025. Is Your Business Exposed?

Netlogyx helps SMBs map their supply chain attack surface, implement appropriate access controls, and understand their own security posture in the context of supplier and client relationships.

Frequently Asked Questions

Q: My suppliers have their own IT teams and security. Isn’t their security their responsibility?
A: Their security is their responsibility — but their breaches are your problem if they have access to your systems. The law, and increasingly your insurance policy, will ask what steps you took to verify your suppliers’ security posture before granting them access. Third-party risk management is not passing the buck — it is protecting your business from someone else’s failure.

Q: How do I know if my supplier has already been compromised?
A: Often, you do not — until an attacker uses the compromised access to enter your systems. This is why monitoring for anomalous activity from supplier connections is so important. The ACSC’s 2025 report found that over a third of serious incidents were discovered only because the ASD proactively notified the affected organisation. You need similar early-warning capability for your own environment.

Q: What is SMB1001 certification and should my business pursue it?
A: SMB1001 is an Australian cybersecurity standard developed specifically for small businesses, providing a tiered certification pathway that demonstrates a verifiable security baseline. For businesses supplying to enterprise or government customers, SMB1001 certification is increasingly being requested in procurement processes. It is also an excellent framework for systematically improving your security posture.

The supply chain is the frontier of modern cyber threats — used by nation-states to access critical infrastructure and by ransomware groups to reach businesses they could never compromise directly. Every Australian SMB is simultaneously at risk from its suppliers and a potential risk to its clients. Understanding and managing both sides of that equation is not optional in the current threat environment.

Written by the Netlogyx Technology Specialists Team
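
The supplier-connection alerting described in the supply chain article above (access outside business hours, large data transfers, access beyond the supplier's normal scope), as an added example that is not part of the original article or any Netlogyx tooling. The supplier names, policy fields, thresholds, log layout and the fixed UTC+10 business timezone are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumption: the business keeps Brisbane hours (UTC+10, no daylight saving).
LOCAL_TZ = timezone(timedelta(hours=10))

# Hypothetical per-supplier policy: which systems the connection is for,
# when it is normally used, and how much data it should move per day.
POLICIES = {
    "payroll-vendor": {"systems": {"payroll-db"},
                       "hours": (time(8), time(18)), "daily_bytes": 50_000_000},
    "it-msp": {"systems": {"fileserver", "mail"},
               "hours": (time(7), time(19)), "daily_bytes": 500_000_000},
}

# Constructed sample events, not real logs: (UTC time, supplier, system, bytes out).
EVENTS = [
    ("2025-10-13T23:30:00+00:00", "payroll-vendor", "payroll-db", 2_000_000),
    ("2025-10-14T16:05:00+00:00", "payroll-vendor", "payroll-db", 1_000_000),
    ("2025-10-14T01:00:00+00:00", "payroll-vendor", "fileserver", 500_000),
    ("2025-10-14T02:00:00+00:00", "it-msp", "fileserver", 300_000_000),
    ("2025-10-14T03:00:00+00:00", "it-msp", "fileserver", 250_000_000),
    ("2025-10-14T04:00:00+00:00", "old-contractor", "mail", 10_000),
]


def detect(events, policies):
    """Return (local_time, supplier, rule) alerts for supplier connections."""
    alerts = []
    sent = defaultdict(int)   # (supplier, local date) -> cumulative bytes out
    volume_flagged = set()    # raise the volume alert once per supplier per day
    for ts, supplier, system, nbytes in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        local = datetime.fromisoformat(ts).astimezone(LOCAL_TZ)
        stamp = local.isoformat()
        policy = policies.get(supplier)
        if policy is None:
            # No current policy: e.g. access that outlived an ended contract.
            alerts.append((stamp, supplier, "no_policy"))
            continue
        start, end = policy["hours"]
        if local.weekday() >= 5 or not (start <= local.time() < end):
            alerts.append((stamp, supplier, "off_hours"))
        if system not in policy["systems"]:
            alerts.append((stamp, supplier, "out_of_scope"))
        # Sum per day so several moderate transfers cannot stay under the cap.
        key = (supplier, local.date())
        sent[key] += nbytes
        if sent[key] > policy["daily_bytes"] and key not in volume_flagged:
            volume_flagged.add(key)
            alerts.append((stamp, supplier, "volume"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, POLICIES):
        print(*alert)
```
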