Kmart's Facial Recognition Misstep: A Privacy Wake-Up Call for Australian Retail
Kmart’s facial recognition breach exposes more than a privacy violation. This extended analysis unpacks Wesfarmers’ compliance failures, the identity risks of biometric data, and how retail surveillance linking with social media could erode consumer trust.
Cyber News Centre covered the OAIC’s ruling against Kmart on Friday, outlining the regulator’s finding that the retailer unlawfully collected biometric data. Today’s report steps beyond the immediate decision to explore its wider significance: how repeated breaches point to systemic failures inside Wesfarmers, why biometric surveillance poses permanent identity risks, and how the convergence of retail monitoring with social media data threatens consumer trust in everyday shopping.
Kmart Australia has been caught red-handed in a privacy breach that exposes the dangerous intersection of convenience, security and consumer rights in modern retail operations.
The Office of the Australian Information Commissioner (OAIC) ruled last week that the Wesfarmers-owned retailer breached privacy laws by deploying facial recognition technology across 28 stores between June 2020 and July 2022, potentially affecting hundreds of thousands of unsuspecting customers.
The Scope of Surveillance
Kmart's 'pilot programme' was anything but limited in its reach. The system indiscriminately captured facial images of every person entering participating stores and all customers using returns desks. Using CCTV feeds, the technology generated five-to-six images per individual, creating biometric templates compared against a database of suspected fraudsters.
The retailer justified this blanket surveillance as necessary to combat refund fraud and identify individuals with histories of theft or threatening behaviour towards staff. However, Privacy Commissioner Carly Kind found the approach 'disproportionate' and noted that less intrusive methods existed to address these legitimate concerns.
The Office of the Australian Information Commissioner also highlighted the breach on social media, reinforcing the seriousness of the finding:
Privacy Commissioner Carly Kind has found that Kmart breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
— Office of the Australian Information Commissioner (@OAICgov) September 18, 2025
A Pattern Emerges: Wesfarmers' Compliance Crisis
This ruling represents the second major facial recognition breach within Wesfarmers' retail empire. In October 2024, the OAIC found that Bunnings Warehouse, another Wesfarmers subsidiary, had similarly breached privacy laws through unauthorised facial recognition deployment across 62 stores. The hardware giant's system operated for over three years, capturing biometric data from millions of customers without consent.
Both cases reveal a concerning pattern within Australia's largest retail conglomerate: a corporate culture that prioritised operational convenience over privacy compliance. The dual breaches suggest systemic governance failures at Wesfarmers, where subsidiaries independently deployed invasive surveillance technologies without adequate privacy impact assessments or legal oversight.
Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said during the OAIC’s determination of the Bunnings case.
Corporate Citizenship Under Fire
These breaches represent more than regulatory violations; they constitute a fundamental failure of corporate citizenship that threatens Wesfarmers' social licence to operate. The company's reputation as a trusted Australian household name now faces erosion as consumers question whether their privacy is being respected during routine shopping activities.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
The identity risks extend far beyond immediate retail fraud prevention. Biometric templates captured in-store could theoretically be cross-referenced with social media facial recognition databases, creating comprehensive identity profiles without customer knowledge. This convergence of retail surveillance and social media data presents unprecedented risks for Australian consumers.
The Social Media Connection
Modern facial recognition systems do not operate in isolation. The biometric templates created by Kmart's technology could potentially be matched against publicly available social media images, creating detailed consumer profiles linking shopping behaviour with online activities. This represents a fundamental shift in retail surveillance capabilities, where a simple shopping trip becomes a data collection exercise with implications across digital platforms.
For ordinary Australians, this means their favourite stores are potentially becoming identity collection points, gathering sensitive biometric data that could be vulnerable to data breaches or misuse. The risk is not just about refund fraud detection; it is about creating permanent digital fingerprints of customers without their knowledge or consent.
Why This Matters for Business
First, corporate citizenship is now a competitive differentiator. Companies that respect privacy will gain consumer trust, whilst those that deploy invasive surveillance risk boycotts and reputational damage.
Second, identity risks are escalating exponentially. Biometric data breaches create permanent vulnerabilities. Unlike passwords, you cannot change your face. Retailers collecting this data assume enormous liability for protecting it from cybercriminals and hostile actors.
Third, the surveillance state is emerging through retail channels. When trusted household brands deploy facial recognition without consent, they normalise surveillance that fundamentally alters the Australian shopping experience.
For Australians, the message is sobering: routine visits to familiar stores now represent potential privacy violations and identity risks. Consumer trust, once lost through surveillance overreach, may prove impossible to rebuild. The cost of convenience has become too high and Australians are paying with their privacy.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead.