πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service
Register β€Ί πŸ‡¦πŸ‡Ί AU β€Ί Finance
Advertising
Your brand, in front of the right people
Run-of-site leaderboard β€” every ad-supported page across the register.
Enquire β†’ breach@govern.co.nz

Firstmac

πŸ‡¦πŸ‡Ί Brisbane, QLD Β· Firstmac Limited Β· Record AU-2024-0130
β—‹ Reported β€” awaiting official confirmation
Reported β€” awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2024-04
Regulator
OAIC (notifiable)
Trust tier
B Β· Reported

Data exposed

Name, date of birth, address, email and phone number Company-confirmed
External bank account details (BSB and account number) and driver licence number Media-reported

Confidence: Confirmed = regulator/court Β· Company-confirmed = the organisation's own disclosure Β· Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In April–May 2024 the non-bank lender Firstmac notified customers of a data breach after the EMBARGO ransomware group published stolen data on the dark web [fm-bitdefender], [fm-cyberdaily]. Firstmac confirmed that personal information β€” names, dates of birth, addresses, email addresses and phone numbers β€” had been compromised; reporting on the leaked trove also described external bank account details (BSB and account number) and driver licence numbers [fm-bitdefender], [fm-cyberdaily].

Timeline

  • 2024-04 β€” Data stolen; EMBARGO listed Firstmac data on its leak site late April [fm-cyberdaily].
  • 2024-05 β€” Firstmac notified affected customers [fm-bitdefender].

Current status

Disclosed. Firstmac did not publish a count of affected individuals, so no figure is asserted here. The volume of leaked data reported by the attacker is not a reliable measure of how many people were affected [fm-cyberdaily].

Why it matters

A lender holds exactly the identity and banking data that enables fraud β€” names, dates of birth, and account details together. A double-extortion ransomware group publishing it raises the risk for those affected.

GGOVERN Tabletop Exercises Β· Govern house Rehearse the breach before it reaches the balance sheet. Book a Discovery Call β†’