
More than 30,000 Australians’ banking details have been found online after being stolen by cybercriminals, according to research from cybersecurity firm Dvuln.
The compromised data spans four years and affects customers from multiple major banks, including the Commonwealth Bank, NAB, ANZ, and Westpac.
Dvuln emphasized that the banks themselves were not breached—instead, the information was harvested from users’ devices infected with “infostealer” malware.
The malware allowed criminals to collect credentials and upload them to “infostealer logs,” where data is sold and shared.
Details from 10,000 customers of one bank, 5,000 from another, and 4,000 from a third were discovered in these logs.
Dvuln warned this likely represents only a fraction of the total scale of the issue and called for coordinated efforts from banks, government, cybersecurity experts, and the public.
The firm also cautioned that multi-factor authentication, while important, is not a foolproof defense when devices themselves are compromised.
Australian Banking Association CEO Anna Bligh confirmed that the breaches stemmed from infected personal devices, not from the banks’ internal systems.
Banks continue to invest in advanced monitoring systems and urge customers to use strong, unique passwords, enable account notifications, and report suspicious activity immediately.
The Australian Signals Directorate (ASD) said over 87,400 cybercrime incidents were reported in 2023–24, with identity fraud being the most common.
ASD continues to work actively to counter threats posed by cybercriminals using infostealer malware to exploit legitimate credentials for financial gain.