Australian travel agency FirstClass hit by alleged data breach

Compromised records reportedly cover contact details, IP addresses, and travel data

By Roxanne Libatique

A threat actor operating on underground hacking forums has alleged that customer records belonging to Sydney-based travel agency FirstClass.com.au were obtained without authorisation, with the claim potentially touching more than 53,000 individuals. The incident, if confirmed, would represent a notifiable data breach under Australian privacy law – carrying regulatory, financial, and reputational consequences for the business – and signals continued exposure for commercial operators that hold personal and travel-related customer data.

The alleged breach

The actor, who goes by the username “2019,” posted the claim on June 3, 2026, to an underground forum, stating that data from more than 53,300 FirstClass customer accounts had been accessed, according to Cyber Daily’s June 9 report. The post listed names, email addresses, phone numbers, IP addresses, account status, and preferred airport as the categories of information involved. A review of a data sample that 2019 published showed a large portion of those fields were empty, with the bulk of populated records limited to names, emails, and phone numbers. The data was made available on the forum at no cost.

FirstClass operates as a travel agency catering to the high-end segment of the market, with offerings spanning business and first-class air travel, luxury cruises, and packaged holidays. The company also provides a membership program, a travel insurance product, and mobile data services for travellers through a partnership with World Mobile. Its offices are in Sydney’s central business district. As of the time of Cyber Daily’s reporting, FirstClass had not issued a public response to the claim.

Who is threat actor 2019?

The actor using the handle 2019 joined underground forums in early 2026 and has since published 19 separate leak posts, according to Cyber Daily. The bulk of targets in those posts are Australian organisations. Among the entities that have since acknowledged cyber incidents are the Melbourne International Film Festival and corporate catering provider Hampr. Posts attributed to 2019 have also named organisations based in the US, the United Arab Emirates, France, and Italy. The actor appends a consistent line to forum posts: “Everything I post comes from me.”

Australia’s cyber threat environment

The FirstClass claim emerges as federal agencies document sustained increases in malicious activity directed at Australian networks, with consequences that flow directly into the cyber insurance market. In the 2024-25 financial year, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) received more than 42,500 calls to its cyber hotline – up 16% on the prior year – while the number of incidents it responded to grew 11% to exceed 1,200, according to the ASD’s Annual Cyber Threat Report 2024-2025, published Oct. 14, 2025. Proactive notifications to entities about potentially malicious activity rose 83% to more than 1,700 during the same period.

The financial exposure tied to cybercrime is also shifting upward in ways relevant to policy limits and claims forecasting. Businesses reported an average cost of $80,850 per cybercrime incident in 2024-25, a 50% increase from the year prior, according to the ASD report. Large businesses recorded the steepest rise, with average costs climbing 219% to $202,700, while medium businesses saw a 55% increase to $97,200 and small businesses a 14% rise to $56,600. At the regulatory level, the Office of the Australian Information Commissioner (OAIC) recorded 532 notifiable data breach notifications in the first half of 2025 (H1 2025), a 10% reduction from the record set in the second half of 2024 (H2 2024), though the OAIC noted in its Nov. 4, 2025, report that volumes remain elevated.

Criminal and malicious attacks were the source of 59% of those notifications, with cyber security incidents driving the majority within that category. Across those incidents, an average of approximately 10,000 individuals were affected per breach – a figure that, if applied to the FirstClass claim, would place it among the larger alleged incidents of that period. The OAIC separately cited IBM figures placing the average organisational cost of a data breach at $4.26 million in 2024, a baseline that underwriters and actuaries may reference when modelling aggregate loss exposure across a portfolio.

Relevance to the insurance sector

The profile of the alleged target carries specific implications for insurers operating in the cyber and travel insurance lines. FirstClass is not a health provider, financial institution, or government agency – the three sectors that recorded the highest breach volumes in the OAIC’s first-half 2025 data, at 18%, 14%, and 13%, respectively. Its exposure stems from the nature of its business: a membership-based platform that aggregates personal contact details, travel preferences, and insurance arrangements for a customer base in the premium segment. The incident illustrates the breadth of organisations now carrying material data breach risk outside the traditionally monitored sectors. For travel insurers, the involvement of a company that itself distributes travel insurance products raises questions about supply chain exposure and the adequacy of cyber risk assessments applied to intermediaries and distribution partners.

The ASD has flagged that the growing use of artificial intelligence by malicious actors is expanding the scale and pace at which attacks can be executed, while internet-facing vulnerabilities in network edge devices remain a frequent entry point. The OAIC has noted that no organisation, regardless of the strength of its defences, can consider itself fully protected from a breach – a position that bears directly on how insurers approach risk selection, policy conditions, and claims response when the scope of an incident, as in this case, remains unverified.
