Meriton Confirms Data Breach Affecting Nearly 2000 Guests and Staff
Apartment and serviced accommodation giant Meriton has disclosed a cyber attack that exposed personal information and incident records for nearly 2000 guests and staff members. The breach, which occurred in mid-January, marks the latest in a mounting wave of security incidents affecting major Australian businesses and raising fresh questions about data protection across the sector.
The attack compromised approximately 35.6GB of data, though Meriton maintains that "very little" constitutes genuinely sensitive information. Hackers accessed "incident reports" — internal documents detailing injuries or accidents that occurred at the company's properties across Australia, along with associated personal details of those involved. Critically, credit card information and payment details were not compromised, the company said in its statement.
Meriton operates serviced apartment sites in Sydney, Brisbane, the Gold Coast, Melbourne and Canberra, catering to both short-term guests and corporate clients. The company has already notified all 1889 affected individuals, most of whom are past or present employees and guests who interacted with Meriton properties. The company said there is "no evidence" that the stolen information has been misused or released publicly.
In its response, Meriton emphasised that it has engaged leading cybersecurity and forensic specialists to investigate the breach. The company has implemented enhanced security protocols, expanded network monitoring, and additional safeguards designed to prevent future incidents. The matter has also been reported to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, as required.
The Meriton breach arrives amid a broader and accelerating surge in cyber attacks targeting Australian businesses. Just this week, consumer finance company Latitude Group revealed that hackers had stolen personal records affecting 14 million Australian and New Zealand customers — including 7.9 million driver's licence numbers, 53,000 passport details, and millions of names, addresses and dates of birth. That attack, discovered earlier in March, exposed far more comprehensive personal data than the Meriton incident.
In recent months, Australian businesses have faced an unprecedented series of high-profile breaches. Telecommunications companies Optus and Medibank, both handling sensitive health and identity data, suffered major compromises affecting millions of customers. Across 2022 alone, Australians reported more than $569 million in losses to scams and identity theft — though authorities acknowledge this represents only about 13 per cent of the actual amount stolen.
Consumer protection agencies have issued urgent calls for business leaders to strengthen their cyber defences and improve data protection practices. The pattern emerging from these incidents suggests that cyber attacks are no longer isolated events experienced by a handful of organisations — they represent a systemic challenge affecting companies across hospitality, finance, telecommunications and beyond.
For affected Meriton customers and staff, there is a degree of reassurance in the nature of what was stolen. Injury reports and incident details, while potentially embarrassing or revealing personal circumstances, pose significantly less immediate risk than exposed credit card numbers, driver's licences or financial records. Nevertheless, the incident underscores the expanding scope of modern cyber threats and the critical need for stronger security practices across hospitality and service sectors.
Frequently Asked Questions
Hackers accessed "incident reports" detailing injuries or accidents at Meriton properties, along with associated personal information. Approximately 35.6GB of data was potentially compromised, though the company states "very little" was sensitive. Importantly, credit card details and payment information were not stolen.
Approximately 1889 people were potentially affected, including past and present employees and guests who had interacted with Meriton properties. The company has notified all affected individuals and reported the breach to the Australian Cyber Security Centre and Office of the Australian Information Commissioner.
The Meriton breach is part of a surge of major attacks in Australia. Recent months have seen breaches affecting Latitude Group (14 million records), Optus, and Medibank. In 2022 alone, Australians reported over $569 million in scam losses, with authorities suggesting the actual figure is roughly seven times higher.