This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Meriton

Summary

Meriton, a major Australian hotel and property company, first became aware of a cyber security incident on 14 January 2023. The company's forensic analysis identified 35.6 gigabytes of data potentially compromised by an unidentified third party, affecting 1,889 people, including both hotel guests and employees. The stolen data included highly sensitive documents such as birth certificates, bank account details, tax file numbers, salary records, and health information.

What Happened

Meriton first detected unauthorised access to its systems on 14 January 2023. An unidentified third party gained access to company systems and exfiltrated 35.6 gigabytes of data. The forensic analysis team worked to identify what information was potentially compromised and determine the scope of individuals affected.

The breach exposed both employee records and guest information. For guests, the compromised data included certain health information relating to hotel incident reports, such as when an ambulance is called for an injury. For employees, the breach was more extensive, exposing financial and employment records.

Impact on Individuals

The breach affected 1,889 people, including both guests and staff of Meriton's hotel and property operations. The types of sensitive information potentially exposed included:

For employees:

  • Birth certificates
  • Bank account details
  • Tax file numbers
  • Salary records and income data
  • Health information
  • Employment history

For guests:

  • Health information relating to hotel incident reports
  • Personal details connected to their stays

The exposure of birth certificates and tax file numbers creates a high risk of identity theft: these documents are often required for significant financial transactions and, unlike passwords or credit cards, cannot be easily changed. The combination of financial records, health information, and identity documents in a single breach significantly increases the potential harm to affected individuals.

Organisational Response

Meriton informed both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner (OAIC) of the incident. All 1,889 people potentially affected by the incident were personally notified by the company.

The company engaged forensic experts to investigate the breach and determine the full extent of the compromise. Meriton worked to secure its systems and prevent further unauthorised access.
