Kmart's Facial Recognition Misstep: A Privacy Wake-Up Call for Australian Retail
Kmart’s facial recognition breach exposes more than a privacy violation. This extended analysis unpacks Wesfarmers’ compliance failures, the identity risks of biometric data, and how retail surveillance linking with social media could erode consumer trust.
Cyber News Centre covered the OAIC’s ruling against Kmart on Friday, outlining the regulator’s finding that the retailer unlawfully collected biometric data. Today’s report steps beyond the immediate decision to explore its wider significance: how repeated breaches point to systemic failures inside Wesfarmers, why biometric surveillance poses permanent identity risks, and how the convergence of retail monitoring with social media data threatens consumer trust in everyday shopping.
Kmart Australia has been caught red-handed in a privacy breach that exposes the dangerous intersection of convenience, security and consumer rights in modern retail operations.
The Office of the Australian Information Commissioner (OAIC) ruled last week that the Wesfarmers-owned retailer breached privacy laws by deploying facial recognition technology across 28 stores between June 2020 and July 2022, potentially affecting hundreds of thousands of unsuspecting customers.
The Scope of Surveillance
Kmart's 'pilot programme' was anything but limited in its reach. The system indiscriminately captured facial images of every person entering participating stores and all customers using returns desks. Using CCTV feeds, the technology generated five to six images per individual, creating biometric templates that were compared against a database of suspected fraudsters.
The retailer justified this blanket surveillance as necessary to combat refund fraud and identify individuals with histories of theft or threatening behaviour towards staff. However, Privacy Commissioner Carly Kind found the approach 'disproportionate' and noted that less intrusive methods existed to address these legitimate concerns.
The Office of the Australian Information Commissioner also highlighted the breach on social media, reinforcing the seriousness of the finding:
Privacy Commissioner Carly Kind has found that Kmart breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
— Office of the Australian Information Commissioner (@OAICgov) September 18, 2025
A Pattern Emerges: Wesfarmers' Compliance Crisis
This ruling represents the second major facial recognition breach within Wesfarmers' retail empire. In October 2024, the OAIC found that Bunnings Warehouse, another Wesfarmers subsidiary, had similarly breached privacy laws through unauthorised facial recognition deployment across 62 stores. The hardware giant's system operated for over three years, capturing biometric data from millions of customers without consent.
Both cases reveal a concerning pattern within Australia's largest retailer conglomerate: a corporate culture that prioritised operational convenience over privacy compliance. The dual breaches suggest systemic governance failures at Wesfarmers, where subsidiaries independently deployed invasive surveillance technologies without adequate privacy impact assessments or legal oversight.
Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said during the OAIC’s determination of the Bunnings case.
Corporate Citizenship Under Fire
These breaches represent more than regulatory violations: they constitute a fundamental failure of corporate citizenship that threatens Wesfarmers' social licence to operate. The company's reputation as a trusted Australian household name now faces erosion as consumers question whether their privacy is being respected during routine shopping activities.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
The identity risks extend far beyond immediate retail fraud prevention. Biometric templates captured in-store could theoretically be cross-referenced with social media facial recognition databases, creating comprehensive identity profiles without customer knowledge. This convergence of retail surveillance and social media data presents unprecedented risks for Australian consumers.
The Social Media Connection
Modern facial recognition systems do not operate in isolation. The biometric templates created by Kmart's technology could potentially be matched against publicly available social media images, creating detailed consumer profiles linking shopping behaviour with online activities. This represents a fundamental shift in retail surveillance capabilities, where a simple shopping trip becomes a data collection exercise with implications across digital platforms.
For ordinary Australians, this means their favourite stores are potentially becoming identity collection points, gathering sensitive biometric data that could be vulnerable to data breaches or misuse. The risk is not just about refund fraud detection; it is about creating permanent digital fingerprints of customers without their knowledge or consent.
Why This Matters for Business
First, corporate citizenship is now a competitive differentiator. Companies that respect privacy will gain consumer trust, whilst those that deploy invasive surveillance risk boycotts and reputational damage.
Second, identity risks are escalating exponentially. Biometric data breaches create permanent vulnerabilities. Unlike passwords, you cannot change your face. Retailers collecting this data assume enormous liability for protecting it from cybercriminals and hostile actors.
Third, the surveillance state is emerging through retail channels. When trusted household brands deploy facial recognition without consent, they normalise surveillance that fundamentally alters the Australian shopping experience.
For Australians, the message is sobering: routine visits to familiar stores now represent potential privacy violations and identity risks. Consumer trust, once lost through surveillance overreach, may prove impossible to rebuild. The cost of convenience has become too high and Australians are paying with their privacy.