Kmart's Facial Recognition Misstep: A Privacy Wake-Up Call for Australian Retail
Kmart’s facial recognition breach exposes more than a privacy violation. This extended analysis unpacks Wesfarmers’ compliance failures, the identity risks of biometric data, and how retail surveillance linking with social media could erode consumer trust.
Cyber News Centre covered the OAIC’s ruling against Kmart on Friday, outlining the regulator’s finding that the retailer unlawfully collected biometric data. Today’s report steps beyond the immediate decision to explore its wider significance: how repeated breaches point to systemic failures inside Wesfarmers, why biometric surveillance poses permanent identity risks, and how the convergence of retail monitoring with social media data threatens consumer trust in everyday shopping.
Kmart Australia has been caught red-handed in a privacy breach that exposes the dangerous intersection of convenience, security and consumer rights in modern retail operations.
The Office of the Australian Information Commissioner (OAIC) ruled last week that the Wesfarmers-owned retailer breached privacy laws by deploying facial recognition technology across 28 stores between June 2020 and July 2022, potentially affecting hundreds of thousands of unsuspecting customers.
The Scope of Surveillance
Kmart's 'pilot programme' was anything but limited in its reach. The system indiscriminately captured facial images of every person entering participating stores and all customers using returns desks. Using CCTV feeds, the technology generated five-to-six images per individual, creating biometric templates compared against a database of suspected fraudsters.
The retailer justified this blanket surveillance as necessary to combat refund fraud and identify individuals with histories of theft or threatening behaviour towards staff. However, Privacy Commissioner Carly Kind found the approach 'disproportionate' and noted that less intrusive methods existed to address these legitimate concerns.
The Office of the Australian Information Commissioner also highlighted the breach on social media, reinforcing the seriousness of the finding:
Privacy Commissioner Carly Kind has found that Kmart breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
— Office of the Australian Information Commissioner (@OAICgov) September 18, 2025
A Pattern Emerges: Wesfarmers' Compliance Crisis
This ruling represents the second major facial recognition breach within Wesfarmers' retail empire. In October 2024, the OAIC found that Bunnings Warehouse, another Wesfarmers subsidiary, had similarly breached privacy laws through unauthorised facial recognition deployment across 62 stores. The hardware giant's system operated for over three years, capturing biometric data from millions of customers without consent.
Both cases reveal a concerning pattern within Australia's largest retail conglomerate: a corporate culture that prioritised operational convenience over privacy compliance. The dual breaches suggest systemic governance failures at Wesfarmers, where subsidiaries independently deployed invasive surveillance technologies without adequate privacy impact assessments or legal oversight.
Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said during the OAIC’s determination of the Bunnings case.
Corporate Citizenship Under Fire
These breaches represent more than regulatory violations; they constitute a fundamental failure of corporate citizenship that threatens Wesfarmers' social licence to operate. The company's reputation as a trusted Australian household name now faces erosion as consumers question whether their privacy is being respected during routine shopping activities.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
The identity risks extend far beyond immediate retail fraud prevention. Biometric templates captured in-store could theoretically be cross-referenced with social media facial recognition databases, creating comprehensive identity profiles without customer knowledge. This convergence of retail surveillance and social media data presents unprecedented risks for Australian consumers.
The Social Media Connection
Modern facial recognition systems do not operate in isolation. The biometric templates created by Kmart's technology could potentially be matched against publicly available social media images, creating detailed consumer profiles linking shopping behaviour with online activities. This represents a fundamental shift in retail surveillance capabilities, where a simple shopping trip becomes a data collection exercise with implications across digital platforms.
For ordinary Australians, this means their favourite stores are potentially becoming identity collection points, gathering sensitive biometric data that could be vulnerable to data breaches or misuse. The risk is not just about refund fraud detection; it is about creating permanent digital fingerprints of customers without their knowledge or consent.
Why This Matters for Business
First, corporate citizenship is now a competitive differentiator. Companies that respect privacy will gain consumer trust, whilst those that deploy invasive surveillance risk boycotts and reputational damage.
Second, identity risks are escalating exponentially. Biometric data breaches create permanent vulnerabilities. Unlike passwords, you cannot change your face. Retailers collecting this data assume enormous liability for protecting it from cybercriminals and hostile actors.
Third, the surveillance state is emerging through retail channels. When trusted household brands deploy facial recognition without consent, they normalise surveillance that fundamentally alters the Australian shopping experience.
For Australians, the message is sobering: routine visits to familiar stores now represent potential privacy violations and identity risks. Consumer trust, once lost through surveillance overreach, may prove impossible to rebuild. The cost of convenience has become too high and Australians are paying with their privacy.