Meriton hit by cyberattack affecting nearly 2000 guests and staff
Meriton, one of Australia's largest apartment operators, has revealed it fell victim to a January cyberattack that potentially exposed personal details of almost 2000 guests and employees—the latest in an escalating wave of corporate security breaches affecting major Australian companies.
The breach occurred on January 14, according to the company's disclosure made this week. While hackers accessed approximately 35.6 gigabytes of data, Meriton stressed that sensitive information remained largely protected, with credit card details and guest payment records uncompromised. Instead, attackers obtained "incident reports" documenting injuries sustained by guests at the operator's properties across Sydney, Brisbane, the Gold Coast, Melbourne and Canberra.
The company said it has already notified all 1889 individuals potentially affected and reported the incident to both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. "There is no evidence that affected individuals have had their information misused, nor that any information has been released into the public realm," Meriton stated.
In response, Meriton outlined a comprehensive remediation plan, emphasising its partnership with leading cybersecurity and forensic specialists. The operator has implemented enhanced security measures across its network and deployed extensive monitoring systems designed to detect and respond swiftly to future threats.
The attack underscores a growing security crisis for Australian businesses. Just this month, finance company Latitude revealed a far more severe breach affecting 14 million Australian and New Zealand customers. That attack exposed nearly 8 million driver's licences, over 53,000 passport numbers, and millions of additional personal records including names, addresses and dates of birth—a dramatic illustration of the scale and sophistication of modern cyberattacks.
Meriton's breach follows a pattern established over recent months. Medibank and Optus both suffered high-profile hacks in the past year, exposing millions of Australian households. These incidents have coincided with a reported surge in online financial scams and identity theft, with regulators warning that more than $569 million in scams was reported last year—a figure authorities believe represents just 13 per cent of actual fraud losses.
Industry observers note that the consistency of these breaches is prompting calls for stronger action across the corporate sector. Australia's consumer watchdog has urged business leaders to redouble their efforts to protect customer data, particularly as criminals continue to refine their techniques and targets expand beyond traditional financial institutions to hospitality and service operators like Meriton.
Meriton's relatively contained impact—largely limited to non-financial incident reports—may reflect either stronger protections around payment systems or attackers' primary interest in operational data. Nonetheless, the breach demonstrates that no sector remains immune from threat, and that even companies with geographically diverse operations remain vulnerable to sophisticated attack.
The company's quick disclosure and notification of affected parties, though mandated by law, represents one of the few visible positives in a landscape increasingly marked by institutional vulnerability. For Meriton guests and staff, the incident serves as a stark reminder that personal information handed over to major corporations carries inherent risk—a concern that extends far beyond a single operator or breach.
Frequently Asked Questions
Hackers accessed "incident reports" documenting injuries sustained by guests at Meriton properties. Credit card details and sensitive guest payment data were not compromised. Approximately 35.6 gigabytes of data was affected in total.
Approximately 2000 people were potentially affected, including both guests who stayed at Meriton properties and past and present employees. The company has notified all 1889 identified individuals of the breach.
Yes. Meriton is one of several major Australian companies hit by cyberattacks in recent months, including Latitude (14 million people), Medibank, and Optus. The attacks have coincided with a surge in online financial scams and identity theft.