Kmart's Facial Recognition Misstep: A Privacy Wake-Up Call for Australian Retail
Kmart’s facial recognition breach exposes more than a privacy violation. This extended analysis unpacks Wesfarmers’ compliance failures, the identity risks of biometric data, and how retail surveillance linking with social media could erode consumer trust.
Cyber News Centre covered the OAIC’s ruling against Kmart on Friday, outlining the regulator’s finding that the retailer unlawfully collected biometric data. Today’s report steps beyond the immediate decision to explore its wider significance: how repeated breaches point to systemic failures inside Wesfarmers, why biometric surveillance poses permanent identity risks, and how the convergence of retail monitoring with social media data threatens consumer trust in everyday shopping.
Kmart Australia has been caught red-handed in a privacy breach that exposes the dangerous intersection of convenience, security and consumer rights in modern retail operations.
The Office of the Australian Information Commissioner (OAIC) ruled last week that the Wesfarmers-owned retailer breached privacy laws by deploying facial recognition technology across 28 stores between June 2020 and July 2022, potentially affecting hundreds of thousands of unsuspecting customers.
The Scope of Surveillance
Kmart's 'pilot programme' was anything but limited in its reach. The system indiscriminately captured facial images of every person entering participating stores and all customers using returns desks. Using CCTV feeds, the technology generated five to six images per individual, creating biometric templates that were compared against a database of suspected fraudsters.
The retailer justified this blanket surveillance as necessary to combat refund fraud and identify individuals with histories of theft or threatening behaviour towards staff. However, Privacy Commissioner Carly Kind found the approach 'disproportionate' and noted that less intrusive methods existed to address these legitimate concerns.
The Office of the Australian Information Commissioner also highlighted the breach on social media, reinforcing the seriousness of the finding:
Privacy Commissioner Carly Kind has found that Kmart breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology system.
— Office of the Australian Information Commissioner (@OAICgov) September 18, 2025
A Pattern Emerges: Wesfarmers' Compliance Crisis
This ruling represents the second major facial recognition breach within Wesfarmers' retail empire. In October 2024, the OAIC found that Bunnings Warehouse, another Wesfarmers subsidiary, had similarly breached privacy laws through unauthorised facial recognition deployment across 62 stores. The hardware giant's system operated for over three years, capturing biometric data from millions of customers without consent.
Both cases reveal a concerning pattern within Australia's largest retail conglomerate: a corporate culture that prioritised operational convenience over privacy compliance. The dual breaches suggest systemic governance failures at Wesfarmers, where subsidiaries independently deployed invasive surveillance technologies without adequate privacy impact assessments or legal oversight.
Carly Kind, Privacy Commissioner, Office of the Australian Information Commissioner
“Facial recognition technology, and the surveillance it enables, has emerged as one of the most ethically challenging new technologies in recent years,” Commissioner Kind said during the OAIC’s determination of the Bunnings case.
Corporate Citizenship Under Fire
These breaches represent more than regulatory violations; they constitute a fundamental failure of corporate citizenship that threatens Wesfarmers' social licence to operate. The company's reputation as a trusted Australian household name now faces erosion as consumers question whether their privacy is being respected during routine shopping activities.
“Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.”
The identity risks extend far beyond immediate retail fraud prevention. Biometric templates captured in-store could theoretically be cross-referenced with social media facial recognition databases, creating comprehensive identity profiles without customer knowledge. This convergence of retail surveillance and social media data presents unprecedented risks for Australian consumers.
The Social Media Connection
Modern facial recognition systems do not operate in isolation. The biometric templates created by Kmart's technology could potentially be matched against publicly available social media images, creating detailed consumer profiles linking shopping behaviour with online activities. This represents a fundamental shift in retail surveillance capabilities, where a simple shopping trip becomes a data collection exercise with implications across digital platforms.
For ordinary Australians, this means their favourite stores are potentially becoming identity collection points, gathering sensitive biometric data that could be vulnerable to data breaches or misuse. The risk is not just about refund fraud detection; it is about creating permanent digital fingerprints of customers without their knowledge or consent.
Why This Matters for Business
First, corporate citizenship is now a competitive differentiator. Companies that respect privacy will gain consumer trust, whilst those that deploy invasive surveillance risk boycotts and reputational damage.
Second, identity risks are escalating exponentially. Biometric data breaches create permanent vulnerabilities. Unlike passwords, you cannot change your face. Retailers collecting this data assume enormous liability for protecting it from cybercriminals and hostile actors.
Third, the surveillance state is emerging through retail channels. When trusted household brands deploy facial recognition without consent, they normalise surveillance that fundamentally alters the Australian shopping experience.
For Australians, the message is sobering: routine visits to familiar stores now represent potential privacy violations and identity risks. Consumer trust, once lost through surveillance overreach, may prove impossible to rebuild. The cost of convenience has become too high and Australians are paying with their privacy.