Inspiring Vacations has been confirmed as one of two Australian brands to fall victim to cybersecurity breaches in recent weeks, as reports emerge of sensitive travel and passport information being made public after the company's database was breached.

The other at Yakult Australia reportedly saw the FMCG business' Australian and New Zealand IT systems fall victim to a cyber incident in December.

A spokesperson from Inspiring Vacations acknowledged the evolving cybersecurity situation to Mi3 Australia and said both customers and staff had been contacted to inform them of the cyberbreach, which occurred in early December.

"Inspiring Vacations is aware an individual has made claims suggesting there has been unauthorised access to a folder within our IT environment," the spokesperson said in a statement. "We treat cybersecurity and the protection of our data seriously and we contacted staff and customers in early December to announce an investigation into these claims, supported by external experts. We will update our stakeholders as this investigation progresses."

According to an SMH report, the breach at Inspiring Vacations was unearthed by cybersecurity researcher, Jeremiah Fowler. The leaked data reportedly includes potentially sensitive customer information such as passport images, travel visa certifications, and itinerary or ticket files. Fowler has claimed the exposed database also includes an estimated 24,000 itinerary and eticket PDF documents, several including partial credit card numbers.

The Office of the Australian Information Commissioner (OAIC) confirmed Inspiring Vacations had notified the agency of the incident.

"We are making preliminary inquiries with Inspiring Vacations regarding its compliance with the Notifiable Data Breaches scheme," the spokesperson stated.

Inspiring Vacations is a Victoria-based tour operator with offices across Australia, the US and India.

The OAIC has also received notification of the cyber incident at Yakult Australia, a subsidiary of Japan-based global FMCG business, Yakult Honsha Co. The cyberattack has reportedly seen 95GB of data leaked by cyber criminal group, DragonForce, which has claimed responsibility for the attack.

In a statement released to customers on 23 December, Yakult Australia said it was working with cyber incident experts to investigate the extent of the incident. As well as the OAIC, Yakult said it had notified the Australian Cyber Security Centre and Office of the Privacy Commissioner New Zealand.

"We are currently investigating which data and systems may have been impacted," the statement read. "All our offices in Australia and New Zealand remain open and continue to operate.

"Our investigations are ongoing. Further updates will be provided as information becomes available."

Yakult Australia declined to provide Mi3 Australia with further updates on the situation or what data sets had been taken. But several reports, including that by BleepingComputer, report 95GB of data has been leaked by DragonForce.

Yakult reportedly became aware of the incident on 15 December. The data set was leaked on the DragonForce website on 20 December. According to BleepingComputer, data sets appear to contain several business documents, spreadsheets, credit applications made by Yakult Australia, employee records, plus copies of identity documents such as passports.

Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved. The rules state reports must be made with 30 days of becoming aware a cyberbreach has occurred to avoid potential penalties.

Supplied statements must include a description of the data breach, kind of information concerned, and recommendations to individuals and customers on the steps required to minimise the impact of the breach.

"We review all data breach notifications we receive to ensure the requirements of the Notifiable Data Breaches scheme are met and to identify any serious issues with an organisation's privacy practices that may warrant further regulatory action," the OAIC spokesperson added.

Under section 42(2) of the Privacy Act, the Commissioner may also conduct its own investigation, known as a consumer-led investigation (CII), to satisfy itself reasonable steps have been taken around notification and response to cyber incidents.

This was the case with the high-profile Optus cyberattack, where OAIC opened its own investigation in September 2022 to determine whether the telco had taken reasonable steps to protect the personal information it held from customers. That cyberattack saw 9.8 million customer records being exposed on the dark Web.

OAIC made a similar decision with the Medibank breach, which affected 9.7 million customers and saw sensitive information around patient care exposed. Both investigations remain ongoing.

In response to a data breach notification, the OAIC can also take other regulatory action, including issuing an administrative warning, or directing an entity to notify individuals at risk of harm of a data breach.