🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Other
Advertising
Your brand, in front of the right people
Run-of-site leaderboard — every ad-supported page across the register.
Enquire → breach@govern.co.nz

The Fullerton Hotel Sydney

🇦🇺 Sydney, NSW · The Fullerton Hotel Sydney (The Fullerton Hotels and Resorts) · Record AU-2025-0330
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2025-03
Regulator
OAIC (notified)
Trust tier
B · Reported

Data exposed

As claimed by the Akira ransomware group (~148 GB): passports, driver licences, employee records, corporate documents and the credit-card details of a small number of guests Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In April 2025 The Fullerton Hotels and Resorts confirmed that its Sydney property had been hacked, after the Akira ransomware group listed the hotel on its dark-web leak site [full-cyberdaily]. The group claimed to have taken around 148 GB of data — including passports, driver licences, employee records, corporate documents and the credit-card details of a small number of guests [full-cyberdaily]. The hotel confirmed that an incident had occurred and said its Singapore and Hong Kong properties were not affected [full-cyberdaily].

Timeline

  • 2025-03 — Attack dated to 24 March 2025 [full-cyberdaily].
  • 2025-04 — Akira posted the hotel to its leak site (8 April); the hotel confirmed the incident (9 April) and said it had notified the OAIC [full-cyberdaily].

Current status

Investigating. The hotel confirmed the breach and said it had reported it to the Office of the Australian Information Commissioner and would cooperate [full-cyberdaily]. The 148 GB volume and the specific data categories are the attacker’s claims and have not been independently confirmed; no count of affected individuals has been published, so none is asserted here.

Why it matters

Hotels collect passports and payment cards at check-in, making them a rich target — and this record keeps the company’s confirmed facts (a hack occurred; the regulator was notified) separate from the ransomware group’s unverified claims about what was taken.

GGOVERN Tabletop Exercises · Govern house Strengthen your cyber resilience — rehearse the decisions that matter. Book a Discovery Call →