Australia-based petroleum distribution and logistics company (targeted by World Leaks)

The World Leaks extortion group leaked 696 GB of data (over 5.1 million files) allegedly stolen from the company’s internal servers. The breach exposed structured access to sensitive operational directories, including shared drives, financial records, and client logistics information. The attackers demonstrated deep infiltration, compromising critical business and supply chain data. The leak suggests a large-scale exfiltration with potential long-term operational, financial, and reputational damage. Given the sector (petroleum distribution), the breach could disrupt fuel supply chains, regulatory compliance, and partner trust. The sheer volume of data indicates a prolonged, undetected intrusion, likely involving advanced persistent threat (APT) tactics or ransomware-affiliated actors (though ransomware was not explicitly confirmed in this case). The exposure of financial and logistics data heightens risks of fraud, competitive espionage, and regulatory penalties under Australia’s Privacy Act and Critical Infrastructure laws.

Source: https://cyble.com/blog/australian-data-breaches-2025-surge/

TPRM report: https://www.rankiteo.com/company/refuel-australia

"id": "ref4162541100925",
"linkid": "refuel-australia",
"type": "Breach",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Transportation',
                        'location': 'Australia',
                        'name': 'Major Australian Airline Carrier',
                        'type': 'Airline'},
                       {'customers_affected': '236,000 records',
                        'industry': 'Telecommunications',
                        'location': 'Australia',
                        'name': 'Australian Telecommunications Provider '
                                '(Broadband/SIM Plans)',
                        'type': 'Telecom'},
                       {'industry': 'Financial Services/IT',
                        'location': 'Australia',
                        'name': 'Australian SaaS Company (Loan Management '
                                'System & e-Signature Tool)',
                        'type': 'SaaS'},
                       {'industry': 'Telecommunications',
                        'location': 'Australia',
                        'name': 'Australian ICT & Telecommunications Services '
                                'Provider',
                        'type': 'ICT/Telecom'},
                       {'industry': 'Construction',
                        'location': 'Australia',
                        'name': 'Large Australian Construction Company',
                        'type': 'Construction'},
                       {'customers_affected': '27,000 records',
                        'industry': 'Finance',
                        'location': 'Australia',
                        'name': 'Australian Trading Platform '
                                '(Forex/Stocks/Commodities/Crypto)',
                        'type': 'Financial Services'},
                       {'customers_affected': 'Thousands of member accounts',
                        'industry': 'Finance',
                        'location': 'Australia',
                        'name': 'Multiple Australian Pension Funds',
                        'type': 'Financial Services'},
                       {'industry': 'Telecommunications',
                        'location': 'Australia',
                        'name': 'Wholesale Broadband Network Infrastructure '
                                'Project (Australia)',
                        'type': 'Telecom/Infrastructure'},
                       {'industry': 'Energy & Utilities',
                        'location': 'Australia',
                        'name': 'Australia-Based Petroleum Distribution & '
                                'Logistics Company',
                        'type': 'Energy'},
                       {'industry': 'Telecommunications',
                        'location': 'Australia',
                        'name': 'Australian Telecommunications Company (Domain '
                                'Admin Portal)',
                        'type': 'Telecom'},
                       {'industry': 'IT',
                        'location': 'Australia',
                        'name': 'Australia-Based IT & Telecom Solutions '
                                'Company',
                        'type': 'IT/Telecom'},
                       {'customers_affected': '71,000 records (SQL database)',
                        'industry': 'Retail',
                        'location': 'Australia',
                        'name': 'Large Australian Retail Chain',
                        'type': 'Retail'}],
 'attack_vector': ['Dark Web Data Leaks',
                   'Ransomware',
                   'Credential Stuffing',
                   'Supply Chain Compromise',
                   'Exploit of Web-Facing Assets'],
 'customer_advisories': ['Pension fund members advised to monitor accounts for '
                         'unauthorized activity.'],
 'data_breach': {'data_exfiltration': ['Confirmed in All Cases'],
                 'file_types_exposed': ['Databases',
                                        'PDFs/Documents (Geotechnical Reports, '
                                        'Blueprints)',
                                        'Source Code Files',
                                        'Network Maps',
                                        'SQL Dumps',
                                        'Logistics/Financial Spreadsheets',
                                        'Configuration Files'],
                 'number_of_records_exposed': ['236,000 (Telecom Provider)',
                                               '27,000 (Trading Platform)',
                                               '71,000 (Retail Chain)',
                                               'Thousands (Pension Funds)',
                                               '5.1M files (Petroleum '
                                               'Company)'],
                 'personally_identifiable_information': ['Names, Emails, '
                                                         'Passwords, Account '
                                                         'IDs, Mobile Numbers, '
                                                         'Dates of Birth, '
                                                         'Addresses, Card '
                                                         'Details, KYC Data'],
                 'sensitivity_of_data': ['High (PII, Financial, Operational, '
                                         'Source Code)'],
                 'type_of_data_compromised': ['PII',
                                              'Source Code',
                                              'Financial Documents',
                                              'Operational Data',
                                              'Network Designs',
                                              'Trading Records',
                                              'Pension Account Details',
                                              'Licensing Files',
                                              'SQL Databases']},
 'date_publicly_disclosed': '2025-10-03',
 'description': 'Cyble dark web researchers recorded a 48% increase in claimed '
                'data breaches involving Australian organizations in 2025 '
                'compared to the same period in 2024, with 71 breaches '
                'reported by October 3. Ransomware groups were responsible for '
                '~71% of these breaches (up from 42% in 2024), and supply '
                'chain attacks contributed to the surge. Key sectors targeted '
                'include Professional Services, IT, Healthcare, Energy & '
                'Utilities, Banking & Financial Services, Education, '
                'Construction, Real Estate, Telecom, Transportation, '
                'Hospitality, and Manufacturing. Below are 12 significant '
                'breaches documented in 2025.',
 'impact': {'brand_reputation_impact': ['High (Multiple High-Profile Breaches '
                                        'in Key Sectors)'],
            'customer_complaints': ['Reports of Pension Account Theft'],
            'data_compromised': ['PII (ID, Name, Email, Password, Account ID, '
                                 'Last Name, Mobile, Home Phone, Date of '
                                 'Birth, Card Details, Address, etc.)',
                                 'Source Code (Authentication Modules, '
                                 'Document Generation, API Endpoints, Database '
                                 'Admin Access)',
                                 'Financial Documents',
                                 'Geotechnical Reports & Construction '
                                 'Blueprints',
                                 'Network Maps & Designs',
                                 'Trading Platform Data (KYC, Transaction IDs, '
                                 'User Details)',
                                 'Pension Fund Accounts',
                                 'Operational Data (Logistics, Client '
                                 'Information)',
                                 'Backup Data & Licensing Files',
                                 'SQL Databases (User Tables)'],
            'identity_theft_risk': ['High (PII & Financial Data Exposed)'],
            'operational_impact': ['Unauthorized Access to Critical Portals',
                                   'Exfiltration of Sensitive Operational Data',
                                   'Financial Losses via Pension Account '
                                   'Compromises',
                                   'Potential Disruption to Telecom & Energy '
                                   'Services'],
            'payment_information_risk': ['High (Card Details, Transaction '
                                         'Data, KYC Records Exposed)'],
            'systems_affected': ['Internal Portals (Construction, Telecom, '
                                 'Retail)',
                                 'Domain Administration Tools',
                                 'Loan Management & e-Signature Systems',
                                 'Pension Fund Member Accounts',
                                 'Broadband Network Infrastructure',
                                 'Petroleum Distribution Logistics Servers']},
 'initial_access_broker': {'backdoors_established': ['Likely in Cases of '
                                                     'Persistent Access (e.g., '
                                                     'Telecom Portal)'],
                           'data_sold_on_dark_web': ['Confirmed (Telegram, '
                                                     'BreachForums, '
                                                     'DarkForums, Exploit, '
                                                     'etc.)'],
                           'entry_point': ['Stolen Credentials (Pension Funds)',
                                           'Exploited Web-Facing Portals '
                                           '(Telecom, Retail)',
                                           'Supply Chain Compromises',
                                           'Dark Web Data Sales '
                                           '(Telegram/BreachForums)'],
                           'high_value_targets': ['Financial Data (Trading '
                                                  'Platforms, Pension Funds)',
                                                  'Source Code (SaaS '
                                                  'Companies)',
                                                  'Operational Data (Energy, '
                                                  'Construction)',
                                                  'PII Databases (Telecom, '
                                                  'Retail)']},
 'investigation_status': 'Ongoing (Cyble Dark Web Researchers)',
 'lessons_learned': ['Ransomware groups are increasingly effective at data '
                     'exfiltration (71% of breaches in 2025 vs. 42% in 2024).',
                     'Supply chain attacks amplify breach impact by '
                     'compromising downstream entities.',
                     'Credential stuffing remains a major vector (e.g., '
                     'pension fund breaches).',
                     'Dark web monitoring is critical for early detection of '
                     'leaked data.',
                     'Sectors like Telecom, Finance, and Energy are high-value '
                     'targets due to sensitive data.'],
 'motivation': ['Financial Gain',
                'Data Theft',
                'Extortion',
                'Sale of Stolen Data'],
 'post_incident_analysis': {'corrective_actions': ['Enforce multi-factor '
                                                   'authentication (MFA) and '
                                                   'password policies.',
                                                   'Conduct regular dark web '
                                                   'monitoring for leaked '
                                                   'credentials/data.',
                                                   'Implement network '
                                                   'segmentation to limit '
                                                   'lateral movement.',
                                                   'Harden web-facing '
                                                   'applications and remove '
                                                   'unnecessary exposures.',
                                                   'Develop supply chain '
                                                   'risk management '
                                                   'frameworks.',
                                                   'Invest in attack surface '
                                                   'reduction tools (e.g., '
                                                   'Cyble).'],
                            'root_causes': ['Inadequate credential hygiene '
                                            '(reused/stolen passwords).',
                                            'Unprotected web-facing assets '
                                            '(portals, admin tools).',
                                            'Lack of segmentation for critical '
                                            'systems.',
                                            'Delayed detection of dark web '
                                            'data leaks.',
                                            'Supply chain vulnerabilities '
                                            'exploited for downstream '
                                            'attacks.']},
 'ransomware': {'data_encryption': ['Likely in Ransomware Cases'],
                'data_exfiltration': ['Confirmed (Double Extortion Tactics)'],
                'ransomware_strain': ['SpaceBears', 'World Leaks', 'Killsec']},
 'recommendations': ['Implement risk-based vulnerability management '
                     'programs.',
                     'Segment critical assets and enforce Zero-Trust access '
                     'principles.',
                     'Remove or protect web-facing assets to reduce attack '
                     'surface.',
                     'Maintain ransomware-resistant backups and hardened '
                     'endpoints.',
                     'Deploy network, endpoint, and cloud monitoring for '
                     'early threat detection.',
                     'Rehearse incident response plans regularly.',
                     'Use attack surface management solutions (e.g., '
                     'Cyble) to scan for exposures and leaked credentials.',
                     'Enhance employee training on phishing and credential '
                     'hygiene.',
                     'Monitor dark web forums for signs of stolen data or '
                     'access sales.'],
 'references': [{'date_accessed': '2025-10-03', 'source': 'Cyble Research'}],
 'response': {'enhanced_monitoring': ['Recommended in Post-Incident Analysis'],
              'network_segmentation': ['Recommended in Post-Incident Analysis'],
              'third_party_assistance': ['Cyble Dark Web Researchers '
                                         '(Investigation)']},
 'threat_actor': ['Unnamed Threat Actors '
                  '(Telegram/BreachForums/DarkForums/Leakbase/XSS/Exploit)',
                  'SpaceBears Extortion Group',
                  'World Leaks Extortion Group',
                  'Killsec Hacking Group'],
 'title': 'Surge in Australian Data Breaches in 2025',
 'type': ['Data Breach',
          'Ransomware',
          'Supply Chain Attack',
          'Unauthorized Access']}