Read this list carefully. Think about what connects these organisations.
1,700 Victorian government schools. Australian state and federal courts across five jurisdictions. A New Zealand medication management platform serving aged-care residents. A children's toy retailer with dozens of stores across Australia and New Zealand. A resort hotel and conference venue on Victoria's Mornington Peninsula. A global medical technology company.
Take your time.
Ready?
There is no connection. That is the point.The organisations targeted in 2026 (so far)
Every incident below is drawn from publicly reported events in the first four months of 2026.
In January 2026, a cyber attack impacted all 1,700 Victorian government schools, with student data accessed by an unauthorised third party. The Victorian government confirmed it was working with cyber experts and other government agencies to respond, stating there was no evidence the data had been released publicly or shared with other third parties. Source: Cyber Daily, January 2026.
In February 2026, a significant security incident exposed highly sensitive Australian court data. Canadian transcription firm VIQ Solutions admitted it had subcontracted court recording work to an Indian technology firm, resulting in the exposure of confidential court files across courts in NSW, Victoria, Queensland, Western Australia, and South Australia. An investigation by ABC News broke the story in mid-February, and VIQ subsequently acknowledged the incidents were reasonably likely to have a material financial impact on the company.
In February 2026, MediMap, a New Zealand medication management platform serving aged-care, hospice, disability and medical facilities, was the target of a cyber attack. Patient records were altered. Some elderly residents were incorrectly marked as deceased. Nurses could not confirm which medications to administer, and facilities reverted to paper-based systems while the platform was restored. Health New Zealand activated its Cyber Incident Management Team in response. Source: Cyber Daily, March 2026.
In March 2026, children's toy retailer Charlie Bears, which operates dozens of stores across Australia and New Zealand, was listed as a victim by the LockBit ransomware operation on its darknet leak site. After the publication deadline passed, LockBit subsequently released the alleged breach data.
In March 2026, global medical technology company Stryker was targeted by the Iran-linked Handala hacking group, which claimed to have wiped 12 petabytes of company data.
In April 2026, Brooklands of Mornington, a resort-style hotel and conference venue on Victoria's Mornington Peninsula, was listed on the Space Bears ransomware group's dark web leak site. The group claimed to have stolen personal data belonging to guests and staff, as well as financial documents.
State government education. The justice system. Aged-care software. Children's toy retail. Global medical devices. A regional hospitality venue.
Public and private. Large and small. Australian and New Zealand. Community-serving and commercial. Critical infrastructure and high street retail. Nation-state actors and opportunistic criminal gangs.
There is no sector in common. No size threshold that confers immunity. No ownership structure that provides protection. No geography within Australia and New Zealand that sits outside the crosshairs. These organisations share almost nothing in terms of what they do, where they operate, or who they serve.
The only thing they share is this: they were targeted.
The comfortable assumption is that attackers come looking for someone else. Someone in banking. Someone with patient records on a large scale. Someone bigger, richer, more strategically interesting.
That assumption is not just wrong. The incidents above demolish it completely.
The ASD Annual Cyber Threat Report 2024-25 is clear that cybercriminals target Australian organisations for financial gain through the theft of data or the disruption of services to elicit payment, while state-sponsored actors conduct operations for espionage, interference and pre-positioning for disruptive effects. Neither category discriminates by sector, size, or geography. Source: ASD, cyber.gov.au.
In March 2026, the Australian Cyber Security Centre issued a formal advisory outlining the activity of ransomware group INC Ransom and the threat their operations currently pose to networks in Australia, New Zealand, and the Pacific island states, specifically calling out small and medium businesses as an audience focus.
The toy retailer. The regional resort. The dental clinic. None of them feature in anyone's threat model as a high-value target. That is precisely what makes them attractive. Understaffed IT teams, limited security tooling, no dedicated incident response capability. Opportunity, not strategic interest, drives most attacks in 2026.
Modern attacker toolkits, automation, and AI have lowered the skill barrier and accelerated reconnaissance, meaning adversaries can now uncover misconfigurations and identity gaps in complex enterprise environments faster than defenders can close them. If that is true for enterprise environments, consider what it means for organisations operating without a dedicated security function.
The court data incident is the one that should sharpen executive attention most. VIQ Solutions was not hacked in the traditional sense. It offshored work to a subcontractor. A supply chain decision, not a technical failure, exposed confidential court files across five Australian jurisdictions. The courts themselves held no liability for the vendor's governance failure. But the damage was done. Since May 2025, entities with annual turnover of at least $3 million must notify the ASD within 72 hours if they make a ransomware payment, and under the Notifiable Data Breaches scheme organisations must assess whether a breach is likely to result in serious harm and, if so, notify both the Office of the Australian Information Commissioner and affected individuals. The regulatory exposure now follows the incident, regardless of where the failure originated.
Attackers do not research your sector before they probe your network. They test credentials, scan for unpatched systems, probe supply chain entry points, and sell access to whoever will pay for it. The school system, the aged-care platform, the resort hotel. Each was targeted not because of what they were, but because of what they had and what gaps existed.
The pattern across Australia and New Zealand in 2026 is not a pattern at all. It is noise. Random, indiscriminate, relentless noise. And that is the most important thing any board can understand about the current threat environment.
We are not asking you to assume breach and live in paralysis. We are asking you to retire one specific assumption: that your organisation is not interesting enough to be targeted.
Every organisation in Australia and New Zealand that holds data, processes payments, manages staff, or provides services is a target. Full stop. The question your board should be asking is not whether you are a target. It is whether you have the visibility, the controls, the vendor governance, and the response capability to make an attack survivable.
Governance is the starting point. Not a firewall purchase. Not a compliance checkbox. Governance. Understand your risk. Know your critical assets and your critical suppliers. Test your response plan before you need it. Ensure your board has access to independent, expert advice that carries no conflict of interest.
At Insicon Cyber we work alongside boards and executive teams across Australia and New Zealand, helping organisations build security postures that are proportionate, practical, and defensible. Not theory. Operational reality, grounded in what is actually happening across the threat landscape right now.
The organisations in this post did not choose to become case studies. They became them because the threat landscape does not wait for anyone to be ready.
We can help you be ready.
Sources
Cyber Daily (January 2026): https://www.cyberdaily.au/security/13095-all-1-700-victorian-government-schools-caught-up-in-cyber-attack-student-data-accessed
ABC News / Cyber News Centre (February 2026): https://www.cybernewscentre.com/22nd-february-2026-cyber-update-australian-court-data-exposed-in-major-third-party-breach-2/
Cyber Daily (March 2026): https://www.cyberdaily.au/security/13334-are-we-charlie-kirk-nz-medical-service-hacked-to-change-patient-names-and-living-status
Cyber Daily (April 2026): https://www.cyberdaily.au/security/13412-exclusive-cuddly-toy-maker-charlie-bears-allegedly-hacked
Cyber Daily (March 2026): https://www.cyberdaily.au/security/13337-update-stryker-hackers-claim-to-have-wiped-12-petabytes-of-company-data
Cyber Daily (April 2026): https://www.cyberdaily.au/security/13440-exclusive-victorian-resort-hotel-allegedly-breached-by-space-bears-ransomware
ASD Annual Cyber Threat Report 2024-25: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
ACSC Alerts and Advisories (March 2026): https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/inc-ransom-affiliate-model-enabling-targeting-of-critical-networks
Insurance Business Australia (February 2026): https://www.insurancebusinessmag.com/au/news/cyber/qilin-ransomware-activity-adds-pressure-on-australian-insurers-566534.aspx
Interactive Australia (December 2025): https://www.interactive.com.au/insights/2025-in-cyber-the-threats-that-changed-the-landscape-and-how-to-stop-them-in-2026/