We brought together the top cyber-related news for April in one place, so you don’t have to.
Need to know:
|
Good to know:
|
Global headlines:
|
Other industry news:
|
Cyber incidents making the news:
Other cyber incidents that made headlines in April included Korean telco SK Telecom, the UK’s Royal Mail, energy company Schneider Electric, IT services firm Hexicor, Moscow Metro, Sydney’s Fullerton Hotel, New Zealand-based hardware chain The ToolShed, the Tasmanian Department of Treasury and Finance , NASCAR, DBS Bank and Bank of China Singapore, creative agency Fancy Films, steel subcontractor Watkins Steel, car rental companies Hertz and Europcar, online message board 4Chan, Extreme Fire Solutions, lottery broker TheLotter, airline products company TMA, NSW-based law firm Bilbie Faraday Harrison, Australian steel provider Galvatech, Italian Medical Group Synlab, healthcare company DaVita, and Adelaide’s Women's and Children's Hospital. |

New Podcast Episode: Cross Examining Mark Rigotti
In this episode of Cross Examining Cyber, we interview Mark Rigotti, Managing Director and CEO of the Australian Institute of Company Directors (AICD). We delve into cyber governance, the AICD's role, board challenges during incidents, risk measurement, and decision-making. Additionally, we explore trust dynamics at the board level and the lawyer's role in cyber security.
You can listen to the episode here.
Demystifying Australia's Security of Critical Infrastructure Regime
The Security of Critical Infrastructure Act 2018 has been revised several times, most recently in December 2024. That reform package has now taken effect. The regime is more comprehensive, in recognition of an evolving threat landscape. But it is certainly not simpler to understand or easy comply with.
We have sought to demystify the regime’s complexities. Check our summary here.

Court tells Medibank to hand over cyber attack reports – The Australian (subscription only) – 7 April 2025
Medibank has been ordered to hand over investigative reports related to the 2022 cyberattack, which exposed the data of over 10 million customers. Federal Court judge Helen Rofe ruled that the reports, prepared by Deloitte, were not protected by legal professional privilege. The court found that the reports had multiple purposes, including improving cybersecurity and public communication, rather than solely legal advice. Medibank plans to appeal the decision.
The case highlights the ongoing challenges faced in the context of organisations seeking to establish that legal professional privilege applies to reports created in the wash-up of a material cyber incident.
Our key takeaways for clients are available here.
The full judgment is available here.
ASIC warns of threat from “hydra-like” scammers after obtaining court orders to shut down 95 companies – ASIC – 7 April 2025
The Australian Securities and Investments Commission (ASIC) has successfully applied to wind-up 95 companies linked to online investment and romance baiting scams, known as 'pig butchering' scams. The Federal Court found that these companies were incorporated with false information and lacked proper management. Many were associated with websites and apps facilitating scam activities. ASIC Deputy Chair Sarah Court warned that scammers use increasingly complex techniques, including setting up sham companies and professional-looking websites. ASIC is taking down over 130 scam websites weekly and urges consumers to remain vigilant against these persistent threats.

What we know so far about the Australian superannuation fund cyber attacks – ABC News – 4 April 2025
Multiple large superannuation funds, including Hostplus, Rest, AustralianSuper, and Australian Retirement Trust, have been targeted in cyber fraud, resulting in some members losing thousands of dollars in retirement savings. The breaches, discovered in early April, were caused by stolen passwords used to access accounts. Cybersecurity experts highlighted significant security weaknesses in the sector, noting the lack of multi-factor authentication as a key vulnerability. The attacks involved "credential stuffing", where stolen credentials from other breaches were used to gain access. While some funds are insured against fraud, members are urged to check their accounts and update their passwords. The industry is being called upon to implement stronger security measures to prevent future incidents.
Fast Flux: A national security threat – Australian Signals Directorate – 4 April 2025
The Australian Signals Directorate’s Australian Cyber Security Centre, together with the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation and others, issued a joint cybersecurity advisory warning organisations, Internet Service Providers, and Cloud Service Providers about the ongoing threat of fast flux. Fast flux is a technique used by cybercriminals and nation-state actors to evade detection by rapidly changing DNS records, creating resilient and highly available command and control infrastructure. The advisory recommends developing accurate, reliable, and timely detection analytics and blocking capabilities, and adopting a multi-layered approach combining DNS analysis, network monitoring, and threat intelligence to mitigate this threat.
Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks – Security Magazine – 25 April 2025
Verizon Business released its 2025 Data Breach Investigations Report, which assessed more than 22,000 security events. The leading initial attack vectors continued to be credential abuse (22%) and vulnerability exploitation (20%). Third-party involvement in breaches doubled to 30%. Human error continues to play a major role in breaches. Median ransom payments decreased, but ransomware presence grew by 37%. Small organizations are disproportionately affected by ransomware. Exploitation of vulnerabilities as an initial access vector increased by 34%. The report can be accessed and downloaded here.
Mandiant report finds rise in financially motivated cyber attacks – Security Brief Australia – 24 April 2025
The Mandiant M-Trends 2025 Report analyses over 450,000 hours of incident response engagements globally, providing insights into an evolving cyber threat landscape. Key findings from the report include (1) there has been an increase in financially motivated attacks; (2) direct exploits as the most common initial infection vector (following by stolen credentials and phishing); (3) financial organisations as the most commonly targeted sector (followed by business services); (4) more than half of breaches are identified by external sources; and (5) there has been a rise in the use of infostealer malware and targeting of cloud environments. The report can be accessed and downloaded here.
State of the Industry 2024 – Australian Cyber Network – 16 April 2025
The Australian Cyber Network's inaugural State of the Industry 2024 report reveals a rapidly growing cyber security sector contributing $9.99 billion to the economy and employing over 137,000 professionals. However, the sector remains under-resourced, with 69% of businesses impacted by ransomware attacks. The report highlights the need for urgent action and national leadership to address rising cyber threats. It also notes an increase in female participation in the workforce, now at 25%. The report also calls for greater transparency and shared responsibility in cyber security to build national resilience.
Law Council push for Digital ID to replace data obligations – InnovationAus – 2 April 2025
The Law Council of Australia recommends data retention obligations for businesses be replaced with the government's Digital Identity System or other privacy-preserving methods. This suggestion was made in their submission to the Commonwealth review of data retention requirements, which aims to simplify and minimise these obligations. Other organisations, including the Governance Institute and the Australian Information Industry Association, support this move to reduce the over-retention of sensitive personal data and reduce cybersecurity exposure.
Semperis Study Reveals 62% of Water and Electricity operators targeted by cyberattacks in the past year – Australian Cyber Security Magazine – 10 April 2025
A new study by Semperis reveals that 62% of water and electricity operators in the US and UK were targeted by cyberattacks in the past year, with 80% facing multiple attacks. Nearly 60% of these attacks were by nation-state groups, causing significant data corruption or destruction. The study highlights the vulnerability of Australia's critical infrastructure, with similar threats reported. Similar incidents in Australia, such as attacks on EnergyAustralia and AGL in 2022, and CS Energy in 2021, underscore the need for improved resilience.

Japan Passes Active Cyber Defense Bill – Tripwire – 1 April 2025
Japan has passed the Active Cyber Defense Bill, empowering its military and law enforcement agencies to take pre-emptive action against cyber threats. This legislation was prompted by criticisms of Japan's digital defences and escalating cyber-espionage activities, particularly from China. The bill includes both passive defence measures and controversial active measures, such as allowing law enforcement to disrupt enemy servers during cyber attacks without explicit oversight.
China admits to being behind Volt Typhoon cyber activities targeting US – Cyber Daily – 14 April 2025
China has purportedly admitted that hackers backed by the People's Republic of China are behind the cyber activities attributed to the Volt Typhoon group, which has targeted critical infrastructure in the US and its Pacific territories. The admission came during a closed-door meeting at a Geneva summit in December 2024 between outgoing Biden administration officials and Chinese representatives. According to the Wall Street Journal, the comments were “indirect and somewhat ambiguous” however US officials is portraying the meaning as plain. Volt Typhoon has focussed on transport hubs and water utilities, prepositioning for potential future conflicts, particularly concerning Taiwan.
U.S. Subpoenas Chinese Telecom Giants Over National Security Risks and Data Privacy Concerns – Cyber Insider – 25 April 2025
The House Select Committee on the Chinese Communist Party has subpoenaed China Mobile, China Telecom, and China Unicom for failing to respond to inquiries about their ties to Chinese military and intelligence agencies. The subpoenas, demanding compliance by 7 May 2025, are part of a bipartisan investigation into whether these firms continue to operate digital infrastructure in the US despite federal bans. Concerns include potential cyber espionage and the disruption of US critical infrastructure. The investigation follows reports of Chinese state-sponsored hackers infiltrating US telecom networks. The Chinese embassy criticised the move, while the telecom firms have not responded. Non-compliance may lead to further legal action.
Inside the UK Government's Cyber Security & Resilience Bill – Cyber Magazine – 1 April 2025
The UK Government has outlined a scope and ambition for the Cyber Security and Resilience Bill, aimed at securing technology, innovation and critical infrastructure. The bill will expand the remit of existing regulations to protect more digital services and supply chains, ensuring critical infrastructure and digital services are secure. It additionally introduces new measures to safeguard data centres and IT providers, and mandates stronger cyber defences for hospitals and energy suppliers. The bill also enhances reporting requirements to build a comprehensive picture of cyber threats and puts regulators on a stronger footing to enforce essential cyber safety measures.
China's Personal Information Protection Compliance Audit: Nature And Strategy – Mondaq – 2
April 2025
The Cyberspace Administration of China issued the Rules on Compliance Audit for Personal Information Protection (PIPCA Rules) to implement compliance audit requirements under the Personal Information Protection Law and the Regulation on Network Data Security Administration. Effective 1 May 2025, the PIPCA Rules mandate regular audits for data processors handling personal information of over 10 million individuals or those with high-risk processing activities. The Rules also outline the qualifications for professional institutions conducting these audits and emphasise both legal and technical compliance.
China-linked Billbug hackers breached multiple entities in Southeast Asian country – The Record – 23 April 2025
A long-running cyber espionage operation linked to China, attributed to the Billbug APT group, breached multiple prominent government and business organisations in a Southeast Asian country from August 2024 to February 2025. Billbug, also known as Lotus Panda, targeted a government ministry, an air traffic control organisation, a telecoms operator, and a construction company. The attacks involved custom-made tools like credential stealers and backdoors, as well as legitimate tools to confuse incident responders. Billbug has a history of targeting Southeast Asian entities, aiming to bolster China's claims over Taiwan and the South China Sea.
Commission opens consultation on revising EU Cybersecurity Act – European Commission– 11 April 2025
The European Commission is seeking input to revise the EU Cybersecurity Act to strengthen the EU's resilience against cyber threats. The review will focus on the mandate of the ENISA, the European Cybersecurity Certification Framework, and ICT supply chain security challenges. The aim is to simplify cybersecurity rules, streamline reporting obligations, and foster a business-friendly environment. The consultation period ends on 20 June 2025, with interested parties including cybersecurity authorities, industry and trade associations, researchers, consumer organisations and citizens being invited to give their views here.
Taiwan to launch joint cybersecurity center – Taipei Times – 15 April 2025
Taiwan will launch a joint cybersecurity centre to enhance its defence against severe cybersecurity threats, including those from Chinese state-backed hackers, AI, quantum computing, ransomware, and intellectual property theft. The centre will focus on four key areas: societal resilience, defence of homeland and critical infrastructures, protecting crucial industries and supply chains, and safe AI use. It will map cybersecurity vulnerabilities, seek to collaborate with government and private entities, and monitor global trends. The initiative similarly aims to implement the Zero Trust principle, advance quantum encoding technologies, broaden international cybersecurity alliances, and boost public vigilance.
Justice Department Implements Critical National Security Program to Protect Americans’ Sensitive Data from Foreign Adversaries – Office of Public Affairs – 11 April 2025
The US Justice Department has launched the Data Security Program under Executive Order 14117 to prevent ‘countries of concern’ (eg China, Russia and Iran) from accessing US government-related and sensitive personal data. The program establishes export controls to block these adversaries from exploiting data for espionage and other malicious activities. To support compliance, the National Security Division has issued a Compliance Guide, FAQs, and an initial enforcement policy. The program took effect from 8 April 2025 and includes a 90-day grace period.
Government punts cyber governance code of practice for UK businesses – Computer Weekly – 8 April 2025
The UK Government has launched a cyber governance code of practice for medium and large organisations, backed by the Institute of Directors. Cyber Security Minister Feryal Clark emphasised the importance of safeguarding operations and protecting customers. The code outlines steps for robust cyber security, aiming to support economic growth. It also complements the upcoming Cyber Security and Resilience Bill, which will enhance protection for supply chains and critical services. The code has received industry support and highlights the need for formal cyber strategies and incident response plans.
Trump sacks Waltz over Signalgate in first shakeup of presidency – Australian Financial Review – 2 May 2025
President Donald Trump has removed the US national security adviser, Mike Waltz, after he accidentally added the editor of The Atlantic to a Signal app thread discussing sensitive military operations in Yemen. Secretary of State, Marco Rubio, will temporarily assume the role of national security adviser. No official has held both portfolios simultaneously since Henry Kissinger under the Nixon and Ford administrations. Mike Waltz has been nominated as ambassador to the United Nations.
Trump administration under scrutiny as it puts major round of CISA cuts on the table – Cyber Security Dive – 7 April 2025
The Trump administration is facing criticism for planning significant job cuts at the CISA. CISA is expected to slash up to 1,300 jobs through a combination of terminations and other incentives. The cuts follow the recent removal of General Timothy Haugh from US Cyber Command. Critics argue that these cuts will weaken US cybersecurity amid increasing threats from China and Russia, and the Trump administration has been urged to reconsider the reductions.
Trump sackings are ‘dangerously degrading’ US cyber defences – InnovationAus – 27 April 2025
President Donald Trump has dismissed top cyber officials, including General Timothy Haugh and Wendy Noble from the NSA and Cyber Command, and has initiated an investigation into former head of CISA, Christopher Krebs. Jen Easterly, Krebs’ successor and now-former CISA head, warns that these actions are weakening US cyber defences and politicising the federal cyber ecosystem, and has criticised silence from industry leadership.
Cameron Whittfield
Partner, Melbourne
Peter Jones
Partner, Head of TMT, Asia, Singapore
Heather Kelly
Senior Associate, Melbourne
Magdalena Blanch-de Wilt
Executive Counsel, Melbourne
Christine Wong
Partner, Sydney
Merryn Quayle
Managing Partner, Melbourne Office, Melbourne
Josh Kain
Foreign Law Clerk (Australia), New York
Kaman Tsoi
Special Counsel, Melbourne
Key contacts
Cameron Whittfield
Partner, Melbourne
Peter Jones
Partner, Head of TMT, Asia, Singapore
Heather Kelly
Senior Associate, Melbourne
Magdalena Blanch-de Wilt
Executive Counsel, Melbourne
Christine Wong
Partner, Sydney
Merryn Quayle
Managing Partner, Melbourne Office, Melbourne
Josh Kain
Foreign Law Clerk (Australia), New York
Kaman Tsoi
Special Counsel, Melbourne
Caitlyn Bellis
Senior Associate, Sydney
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.