Cyber Incident Victim: Meriton
Date:
Jan 2023
Location:
Australia
Summary
A major Australian property and hospitality entity experienced a cybersecurity breach compromising sensitive personal data of both staff and guests. Staff information potentially accessed included tax file numbers, bank details, employment records, salaries, disciplinary proceedings, and health data, while guests faced exposure of contact details and health-related disclosures such as incident reports. The incident involved an unidentified third party exfiltrating approximately 35.6 gigabytes of data, prompting the organization to notify affected individuals and engage cybersecurity experts to mitigate risks and prevent recurrence, though no evidence of data misuse was identified.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 14, 2023, Meriton Property Trust, a major Australian property developer and luxury accommodation operator, experienced a cybersecurity incident involving unauthorized access to sensitive data belonging to both guests and employees. An unidentified third party compromised approximately 35.6 gigabytes of information, with staff members disproportionately affected. The breach exposed employee tax file numbers, bank account details, salary information, disciplinary records, and health-related data. Guests’ compromised information included contact details and health disclosures provided to the hotel, such as incident reports filed during stays. Meriton confirmed the breach in communications to the Australian Broadcasting Corporation, characterizing it as a general cyber incident without evidence of targeting specific individuals.
Meriton initiated response protocols by engaging cybersecurity and forensic IT specialists to investigate the breach and implement protective measures. The company dispatched formal notification letters to affected guests and staff, advising them of potential exposure while emphasizing no observed misuse of stolen data. Internal statements highlighted ongoing efforts to strengthen defenses against future incidents, though technical specifics of the attack vector and containment procedures were not publicly disclosed. The breach occurred amid a surge in cyberattacks targeting Australian corporations, positioning Meriton among multiple high-profile entities compromised during this period. No ransomware claims or explicit motives were attributed to the threat actors, and Meriton did not release additional details regarding operational disruptions or financial impacts stemming from the incident.