
Cybersecurity Solutions for Online Retailers and SaaS Leaders

Revised December 2025

The 2024-2025 Threat Landscape: What's Changed

Australian and New Zealand online retailers and SaaS companies continue to operate at the forefront of digital commerce, but the threat environment has intensified dramatically throughout 2024 and into 2025. Recent data from the Australian Signals Directorate's Australian Cyber Security Centre reveals an unprecedented surge in cyberattacks targeting the trans-Tasman digital economy.

Critical Statistics: Australia and New Zealand Under Siege

  • 84,700+ cybercrime reports to ACSC in FY2024-2025 - one every 6 minutes
  • DDoS attacks increased 280%, with over 200 incidents responded to by ACSC, and June 2025 recording the most DDoS incidents ever
  • Data breaches surged 48% in 2025 (71 claimed breaches through October vs 48 in same period 2024)
  • Record 1,113 data breaches reported to OAIC in 2024, up 25% from 893 in 2023
  • Average cost per incident: $56,600 for small businesses (14% increase)
  • New Zealand: 59% of businesses faced cyberattacks in 2024, with 43% via email phishing
  • Critical infrastructure notifications up 111%, with over 190 alerts issued by ACSC

Sources: ACSC Annual Cyber Threat Report 2024-2025 (https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025), OAIC Data Breach Report 2024, Cyble Global Threat Report H1 2025, Kordia NZ Business Cyber Security Report 2024

Record-Breaking DDoS Attacks Target Australian Infrastructure

On 24 October 2025, Microsoft Azure in Australia faced the largest DDoS attack ever recorded in the cloud, peaking at 15.72 terabits per second (Tbps) and 3.64 billion packets per second. Originating from the Aisuru botnet (a Turbo Mirai-class IoT botnet), the attack came from over 500,000 compromised devices globally, primarily home routers and cameras.

This continues a clear upward trend: FY2021-22 saw more than 20 DDoS attacks, and FY2022-23 more than 50. DDoS attacks were present in 31% of incidents against critical infrastructure entities, almost twice the rate seen across all incidents (16%).

For online retailers and SaaS providers, DDoS attacks pose an existential threat during peak trading periods. System downtime costs Australian online businesses an average of $5,600 per minute during peak periods.

Source: TweakTown, Microsoft Azure DDoS Protection, ACSC Annual Cyber Threat Report 2024-2025 (https://www.tweaktown.com/news/108940/largest-ever-cloud-ddos-attack-recorded-in-australia-3-64-billion-packets-per-second/index.html)

New Threat: Credential Stuffing Devastates Australian Retailers

Throughout 2024 and into 2025, a new attack vector has emerged as a primary threat to Australian online retailers: credential stuffing campaigns. Unlike traditional data breaches, these attacks exploit previously stolen login credentials purchased on the dark web to access customer accounts across multiple platforms.

The Iconic, Dan Murphy's, and Major Brands Targeted

Since November 2023, over 15,000 Australian customers of major retailers including The Iconic, Dan Murphy's, Guzman y Gomez, Event Cinemas, Binge, and TVSN fell victim to coordinated credential stuffing attacks. Cybersecurity firm Kasada revealed that Australian criminals purchased stolen login credentials from Eastern European cybercriminals for approximately 5% of total account value.

How the Attacks Worked

Attackers used stolen usernames and passwords from previous breaches (like Optus and Medibank) to systematically attempt logins across multiple retail platforms. Once successful, they exploited saved payment methods or store credit to make fraudulent purchases, with some customers reporting losses exceeding $1,000.

Prime Minister Anthony Albanese described the attacks as a "scourge," noting that "there are so many vulnerable people being ripped off who've acted in absolutely good faith." The attacks were facilitated by Australia being seen as a "happy hunting ground" following massive data breaches that made personal data readily available on the dark web.

The Iconic promised full refunds to affected customers, acknowledging the attacks were not due to their own data breach but rather the reuse of credentials stolen from other sources.

Sources: Cyber Daily, B&T, Information Age, Channel News (https://www.cyberdaily.au/security/10038-customers-of-guzman-y-gomez-dan-murphys-and-more-affected-in-credential-stuffing-campaign, https://www.bandt.com.au/guzman-dan-murphys-binge-hit-with-credential-stuffing-cyber-attack/)

Mandatory Ransomware Reporting: Australia Leads the World

On 30 May 2025, Australia became the first country in the world to implement mandatory ransomware and cyber extortion payment reporting under Part 3 of the Cyber Security Act 2024. This represents a fundamental shift in how Australian businesses must approach ransomware incidents.

Who Must Report

  • Businesses with annual turnover of $3 million or more (captures top 6.5% of Australian businesses, representing ~50% of economy)
  • Entities responsible for critical infrastructure assets

Reporting Requirements

  • 72-hour reporting window from making payment or becoming aware of payment
  • No minimum payment threshold - all payments must be reported
  • Includes monetary and non-monetary benefits (services, gifts, data exchanges)
  • Civil penalties up to $19,800 for non-compliance

Implementation Phases

Phase 1 (30 May - 31 December 2025): Education-first approach, regulatory action only for egregious non-compliance

Phase 2 (1 January 2026 onwards): Active regulatory enforcement begins

Why This Matters for Online Retailers and SaaS Companies

According to the Australian Cyber Network, over 90% of Australian businesses hit by ransomware in the past five years opted to pay ransoms. The new regime means that any decision to pay now comes with mandatory government notification within 72 hours, significantly changing the risk calculus for online businesses.

In FY2023-2024, over 70% of the extortion-related cybersecurity incidents the ACSC responded to involved ransomware. Ransomware attacks doubled in Australia and New Zealand year-over-year, with average ransom demands reaching USD $750,000.

Sources: Australian Department of Home Affairs, Information Age, The Record, Gadens Law (https://www.homeaffairs.gov.au/cyber-security-subsite/files/factsheet-ransomware-payment-reporting.pdf, https://ia.acs.org.au/article/2025/the-businesses-that-must-report-ransomware-payments.html)

Major Recent Breaches: The Australian Context

Marks & Spencer UK: A £300 Million Warning

In April 2025, UK retailer Marks & Spencer suffered a ransomware attack that resulted in an estimated £300 million ($618 million AUD) impact. The attack disrupted online operations for approximately six weeks, with some services still recovering months later. Customer data was also stolen in the attack.

This incident, referenced in the ACSC Annual Cyber Threat Report 2024-2025, demonstrates the extreme costs ransomware can impose on retail operations, particularly those dependent on online sales channels.

Qantas Data Breach (October 2025)

Qantas suffered a data breach where hackers claimed to have stolen personal data including names, contact details, and travel history, threatening public release. The FBI seized the attackers' website, though the breach raised serious concerns about data governance practices.

Ongoing Major Breaches

  • Latitude Financial: Over 14 million individuals affected across Australia and New Zealand, including 7.9 million driver licences compromised
  • Optus: 9.5 million records leaked, ongoing regulatory penalties and legal action
  • Medibank: 9.7 million people's data exposed, OAIC launched legal action

Sources: New Era Technology, UpGuard, Cyble Global Threat Report (https://www.neweratech.com/au/blog/top-3-cyber-incidents-in-australia-october-2025-update/, https://www.upguard.com/blog/biggest-data-breaches-australia)

Emerging Threats Specific to Online Retail and SaaS

Scattered Spider: Targeting Your Sector

Scattered Spider, a sophisticated financially motivated collective, has demonstrated particular expertise in compromising online retailers and cloud-based businesses. The group uses social engineering and ransomware to infiltrate help desks and exfiltrate sensitive data. The ACSC issued advisories in July 2025 urging organisations to implement phishing-resistant multi-factor authentication and offline backups.

Supply Chain Attacks

The procurement of any digital product or service increases the attack surface of an organisation's information environment. Multiple Australian companies were compromised through hosting service hacks, with the Black Basta ransomware gang posting details affecting nearly a dozen organisations.

Australian retail software vendor GaP Solutions was hit by a LockBit ransomware attack, demonstrating how supply chain compromises can cascade across the sector.

The Dark Web Economy

According to Cyble's analysis, initial access to Australian corporate networks costs less than a corporate team lunch on the dark web. The Australian dark web economy now actively trades:

  • Stolen corporate data and credentials
  • Remote access to Australian business systems
  • Customer databases from breached retailers
  • Payment card information

One threat actor on Darkforums advertised unauthorised access to an Australian telecommunications portal for just USD $750, providing domain administration tools and critical network information.

Sources: ACSC Scattered Spider Advisory, Cyble Australian Dark Web Report, Webber Insurance breach list (https://cyble.com/blog/australian-dark-web-cybersecurity-threats-2025/, https://www.webberinsurance.com.au/data-breaches-list)

Critical Risk Factors for Trans-Tasman Online Businesses

Platform Dependencies Create Expanded Attack Surfaces

Online retailers and SaaS companies operate across complex technology ecosystems:

  • Multi-cloud infrastructure spanning AWS, Azure, and Google Cloud platforms
  • Third-party integrations including payment processors, analytics tools, and customer service platforms
  • API-driven architectures connecting internal systems with external services
  • Customer-facing applications requiring 24/7 availability

ACSC reports that over 60% of Australian cybersecurity leaders have experienced incidents due to unknown or unmanaged assets. The proliferation of generative AI and IoT devices has increased these risks further.

Regulatory Complexity Has Intensified

Australian online businesses now face an increasingly complex regulatory landscape:

  • Privacy Act requirements for data collection, processing, and breach notification
  • Digital ID Act 2024 fundamentally changing customer data protection approaches
  • Mandatory ransomware reporting (from 30 May 2025) for businesses with turnover over $3 million
  • Essential Eight implementation expectations for businesses handling sensitive data
  • Consumer Data Right (CDR) obligations for companies in designated sectors

Credential Theft as Primary Attack Vector

The ACSC reports that cybercriminals are continuing their aggressive campaign of credential theft, purchasing stolen usernames and passwords from the dark web. For online businesses, this creates multiple vulnerabilities:

  • 55% of critical infrastructure incidents involve compromised assets, networks, or infrastructure
  • 19% involve compromised accounts or credentials
  • Customer password reuse across multiple platforms creates cascading vulnerabilities

Following the massive Optus and Medibank breaches, millions of Australian credentials are readily available on the dark web, fuelling credential stuffing campaigns against retail platforms.

Building Resilience: Recommendations for 2025 and Beyond

Immediate Actions for Online Retailers and SaaS Companies

  • Update incident response plans to include 72-hour ransomware payment reporting requirements
  • Implement phishing-resistant multi-factor authentication across all customer and internal systems
  • Deploy advanced DDoS protection with 24/7 monitoring and automated mitigation
  • Monitor for credential stuffing attempts and implement rate limiting on login endpoints
  • Conduct supply chain security audits of all third-party vendors and service providers
  • Implement offline, ransomware-resistant backups following the 3-2-1 backup rule
  • Establish continuous dark web monitoring for compromised credentials and data
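
An added example, not part of the original page or any Insicon Cyber tooling: one way to monitor a login endpoint for the credential stuffing pattern described earlier. It flags a source IP that tries many distinct usernames with mostly failed logins inside a short window, and lists accounts that logged in successfully from that source as candidates for a forced reset. The log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2025-11-03T02:14:01 203.0.113.7 alice@example.com FAIL
2025-11-03T02:14:03 203.0.113.7 bob@example.com FAIL
2025-11-03T02:14:04 198.51.100.20 dave@example.com FAIL
2025-11-03T02:14:06 203.0.113.7 carol@example.com FAIL
2025-11-03T02:14:09 203.0.113.7 erin@example.com FAIL
2025-11-03T02:14:12 203.0.113.7 frank@example.com FAIL
2025-11-03T02:14:15 203.0.113.7 grace@example.com OK
2025-11-03T02:14:20 198.51.100.20 dave@example.com OK
2025-11-03T02:14:31 203.0.113.7 heidi@example.com FAIL
"""

# Assumed thresholds; tune against your own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5      # one source cycling through many accounts
MIN_FAILURE_RATIO = 0.8     # reused breach credentials mostly fail


def parse(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"


def detect_stuffing(lines):
    """Return {ip: accounts that logged in successfully while ip was flagged}.

    An IP is flagged when, within WINDOW, it has attempted at least
    MIN_DISTINCT_USERS usernames and at least MIN_FAILURE_RATIO of those
    attempts failed. A flagged IP with no successes maps to an empty set.
    """
    windows = defaultdict(deque)   # ip -> recent (ts, user, ok) events
    flagged = defaultdict(set)     # ip -> accounts to force-reset
    events = sorted(parse(l) for l in lines if l.strip())
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        # Drop events that have aged out of the sliding window.
        while ts - win[0][0] > WINDOW:
            win.popleft()
        users = {u for _, u, _ in win}
        failures = sum(1 for _, _, o in win if not o)
        if (len(users) >= MIN_DISTINCT_USERS
                and failures / len(win) >= MIN_FAILURE_RATIO):
            # A success amid the failures is a likely account takeover.
            flagged[ip].update(u for _, u, o in win if o)
    return dict(flagged)


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: suspected credential stuffing; "
              f"force reset for {sorted(accounts) or 'no accounts'}")
```

A per-IP window only catches concentrated attempts; traffic spread across many sources or paced slowly needs additional signals such as per-account failure counts.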

Customer Protection Measures

  • Proactively notify customers to change passwords following any industry breach
  • Implement forced password resets for accounts showing suspicious activity
  • Remove card-on-file requirements where possible, or implement additional verification for stored payment methods
  • Deploy anomaly detection for unusual purchase patterns or login locations
  • Provide customer security education on unique passwords and password managers

Strategic Governance and Compliance

  • Align with Essential Eight maturity model to demonstrate cybersecurity baseline
  • Consider ISO 27001 certification as competitive differentiator for enterprise customers
  • Establish Board-level cyber reporting with regular risk assessments
  • Conduct tabletop exercises simulating ransomware, DDoS, and credential stuffing scenarios
  • Engage CISO-as-a-Service if lacking internal expertise

How Insicon Cyber Supports Trans-Tasman Online Businesses

Insicon Cyber understands the unique challenges facing Australian and New Zealand online retailers and SaaS companies. Our approach combines:

  • 24/7 Security Operations Centre (SOC) monitoring for DDoS attacks, credential stuffing, and anomalous activity
  • Managed Detection and Response (MDR) with rapid incident response capabilities
  • Compliance advisory services for ransomware reporting, Privacy Act, and Essential Eight
  • Board Cyber Advisory to translate technical risks into business language
  • ISO 27001 certification support to demonstrate security excellence to enterprise customers

The question isn't whether cyber risks will impact your online business - it's whether you'll be prepared to turn those challenges into opportunities for building stronger customer relationships and market positioning.


Document prepared December 2025
For Australian and New Zealand online retailers and SaaS companies

Cybersecurity for Online Retailers & SaaS Leaders


Australian and New Zealand online retailers and SaaS companies represent the front line of our digital economy transformation and operate in a hyper-connected environment - one where security, compliance, and trust drive business success.

These businesses have built their competitive advantage on speed, innovation, and customer experience - but this digital-first approach also creates some of the most complex cybersecurity challenges facing trans-Tasman executives today.

The threat landscape has intensified significantly, with sophisticated groups like Scattered Spider specifically targeting online retailers and cloud-based businesses globally. This financially motivated collective has demonstrated particular expertise in compromising customer databases, payment systems, and cloud infrastructure - the very foundations upon which Australian and New Zealand online businesses depend. Their attacks on major retailers worldwide highlight how cybercriminals are evolving their tactics to exploit the interconnected nature of modern digital commerce.

In my experience working with online businesses, from established e-commerce leaders to emerging SaaS platforms, the companies that thrive aren't just those with the best products or services. They're the ones that build customer trust through demonstrable cybersecurity excellence while using security frameworks to accelerate rather than constrain business growth.
- Matt Miller, CEO and Fractional CISO, Insicon Cyber

The reality for online business leaders is that cybersecurity has moved beyond being an IT concern - it's now fundamental to operational resilience, regulatory compliance, and competitive positioning in an increasingly crowded digital marketplace where threat actors specifically target the platforms and data that drive revenue.

Online Retailers Targeted

Online shopping at Marks & Spencer is expected to be "fully on" within four weeks as it recovers from a cyber attack, Stuart Machin, the retailer's boss said in July 2025.

Although M&S restarted internet orders in June 2025, half of its online operations - including click and collect - are still down. They hope that by August "we will have the vast majority of this behind us", he said.

The cyber attack in April locked up M&S systems, hitting sales for about six weeks, and the hackers also stole some customer data.

The attack, which disrupted M&S online shopping and left some shelves bare in stores, will impact the business by around £300m, the retailer has estimated. This would only partly be covered by any insurance payout.

Critical Risk Factors Facing Online-First Businesses

Customer Data as Currency

Online retailers and SaaS companies don't just handle customer data - their entire business model depends on collecting, processing, and leveraging customer information to create value. This creates unique vulnerabilities:

  • Customer payment and financial details that enable immediate financial fraud
  • Personal information and behavioural data valuable to criminal networks
  • Business intelligence and analytics that reveal competitive advantages
  • Customer interaction histories that can be used for sophisticated social engineering

The Australian Privacy Act amendments and Digital ID Act 2024 have fundamentally changed how online businesses must approach customer data protection. Companies that fail to adapt face not just regulatory penalties, but customer churn in an increasingly privacy-conscious market.

Platform Dependencies and Attack Surfaces

Digital-first businesses operate across complex technology ecosystems that create extensive attack surfaces:

  • Multi-cloud infrastructure spanning AWS, Azure, and Google Cloud platforms
  • Third-party integrations including payment processors, analytics tools, and customer service platforms
  • API-driven architectures that connect internal systems with external services
  • Customer-facing applications that require 24/7 availability and real-time data processing

When core business operations depend entirely on digital platforms, a cyberattack doesn't just compromise data - it can halt revenue generation completely. Australian online businesses report that system downtime costs average $5,600 per minute during peak trading periods.

Regulatory Complexity in Digital Commerce

Australian online businesses face an increasingly complex regulatory landscape that extends far beyond traditional e-commerce compliance:

  • Privacy Act requirements for data collection, processing, and breach notification
  • Essential Eight implementation expectations for businesses handling sensitive data
  • Consumer Data Right (CDR) obligations for companies in designated sectors

This regulatory complexity isn't just about avoiding penalties - it's about building the governance frameworks that enable sustainable growth and customer trust.

High-Value Targets with Global Reach

Online businesses present attractive targets for cybercriminals because they combine high-value data with global accessibility:

  • 24/7 availability that provides constant attack opportunities
  • Global customer bases that may include high-net-worth individuals or sensitive business clients
  • Real-time payment processing that enables immediate financial gain
  • Valuable intellectual property including algorithms, customer insights, and business processes

Industry data shows that e-commerce and SaaS companies experience cyberattacks 3.2 times more frequently than traditional brick-and-mortar businesses, with the average cost of a data breach in the technology sector reaching $4.88 million in 2024.

Building Competitive Advantage Through Cybersecurity

The most successful Australian or New Zealand online businesses don't view cybersecurity as a cost centre - they leverage it as a fundamental competitive differentiator. When customers trust platforms with their personal information, payment details, and business data, that trust translates directly into market advantages.

Strong cybersecurity governance enables:

  • Premium positioning based on superior security and reliability
  • Customer retention through demonstrated commitment to data protection
  • Faster expansion into new markets and customer segments
  • Operational efficiency through reduced incident response costs and regulatory penalties

What we consistently see across successful online businesses is that security investments aligned with business strategy generate measurable returns through increased customer acquisition, higher customer lifetime value, and improved operational resilience.

Moving Beyond Compliance to Value Creation

The reality for trans-Tasman online business leaders is that minimum compliance with cybersecurity regulations represents the starting point, not the destination. Companies that limit themselves to regulatory requirements miss opportunities to build genuine competitive advantages through superior cybersecurity governance.

Forward-thinking executives are using cybersecurity frameworks to:

  • Accelerate market entry by demonstrating readiness for enterprise customers
  • Enable premium pricing based on superior security and reliability
  • Build customer loyalty through transparent, trustworthy data practices
  • Support innovation with security architectures that enable rather than constrain new capabilities

Ready to Transform Cybersecurity into Competitive Advantage?

Online retailers and SaaS companies need cybersecurity partners who understand both the technical complexities of digital platforms and the business realities of competitive online markets. At Insicon Cyber, we've worked with companies across Australia's digital economy to build cybersecurity capabilities that accelerate growth rather than constrain innovation.

Our approach combines deep technical expertise with practical business experience, helping Australian companies navigate complex regulatory requirements while building genuine competitive advantages through superior cybersecurity governance.

The question isn't whether cyber risks will impact your online business—it's whether you'll be prepared to turn those challenges into opportunities for building stronger customer relationships and market positioning.

If you're looking to transform cybersecurity from a necessary cost into a strategic advantage, let's discuss how the right governance frameworks can support your business objectives while protecting what matters most to your customers.
