Australia's Privacy Commissioner has ruled Kmart's use of facial recognition technology unlawful, finding the retailer breached customer privacy by collecting biometric data without consent.
Cyber incidents linked to third-party suppliers used by the New South Wales government have more than quadrupled in two years, revealing significant vulnerabilities in the state's digital supply chain. The surge highlights the growing threat of supply chain attacks to government services and data.
Sydney-based real estate firm The Property Business has been hit by the Kairos ransomware group, with 164GB of data reportedly stolen. The attack highlights the growing threat to Australia's property sector, which holds sensitive client financial and personal information.
Australia's Privacy Commissioner has ruled Kmart's use of facial recognition technology unlawful, finding the retailer breached customer privacy by collecting biometric data without consent.
Cyber News Centre's cyber update for 19th September 2025: Kmart has been found to have breached Australian privacy laws through its use of facial recognition technology in stores.
The Update: Privacy Commissioner Carly Kind announced the finding yesterday, concluding that Kmart unlawfully collected biometric data from potentially hundreds of thousands of customers. Cameras at store entrances and at returns counters scanned faces and compared them against a watchlist of suspected offenders.
The regulator found Kmart failed to alert customers or obtain consent, breaching strict protections in the Privacy Act that apply to sensitive personal information. The retailer argued it could rely on an exemption in the Act covering unlawful conduct, but the Commissioner rejected this, saying the system captured people indiscriminately, offered little benefit in stopping fraud, and that less intrusive tools were available.
As part of the determination, Kmart must not reintroduce facial recognition in its stores, publish an acknowledgement of the breach, and place a formal apology prominently on its website.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act,” Privacy Commissioner Carly Kind said in the OAIC’s 18 September 2025 determination.
Kmart told the ABC it was disappointed by the outcome and is reviewing whether to appeal. “Like most other retailers, Kmart is experiencing escalating incidents of theft in stores which are often accompanied by anti-social behaviour or acts of violence against team members and customers,” the spokesperson said. They added that images were only kept when they matched known or suspected offenders and all other data was deleted, with no use for marketing.
Why it Matters: This is the second major ruling against a retailer’s use of biometric surveillance, following the OAIC’s 2024 decision against Bunnings. Together, the cases make clear that companies cannot roll out intrusive technologies without consent, transparency and proportionality.
For business, it sends a warning that the Privacy Act applies even when new technologies are used for loss prevention. For customers, it is a strong affirmation that biometric information, which is both unique and sensitive, cannot be collected behind the scenes without their knowledge.
Privacy Commissioner Carly Kind has found that Kmart breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
— Office of the Australian Information Commissioner (@OAICgov) September 18, 2025
Media release: https://t.co/HDk3PwOYLi pic.twitter.com/Y4tPU9oPdP
Get the stories that matter to you.
Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
Cyber incidents linked to third-party suppliers used by the New South Wales government have more than quadrupled in two years, revealing significant vulnerabilities in the state's digital supply chain. The surge highlights the growing threat of supply chain attacks to government services and data.
Sydney-based real estate firm The Property Business has been hit by the Kairos ransomware group, with 164GB of data reportedly stolen. The attack highlights the growing threat to Australia's property sector, which holds sensitive client financial and personal information.
The U.S. has charged Ukrainian national Volodymyr Tymoshchuk for his role in the LockerGoga, MegaCortex, and Nefilim ransomware attacks that targeted over 250 American companies and hundreds more worldwide. The State Department is offering a $10 million reward for information leading to his arrest.
Australia has gone all-in on quantum, betting billions on PsiQuantum’s Brisbane facility while building alliances and spin-outs from Sydney to Chicago. With defence contracts, investor momentum and Five Eyes strategy at stake, Canberra’s gamble is to lead, not follow, in the quantum race.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!
