Meriton has revealed it was the target of an attack in which staff employment information, including bank details, tax file numbers, salary and performance reviews and appraisals, may have been stolen by a hacker.

Guests of the hotel operation may also have been caught up in the breach, with many told their contact details may have been taken.

It’s understood staff health information may also have been compromised, with details including incident reports exposed.

A total of 1889 people have been issued a warning and provided some information to protect themselves.

Meriton has more than 14,000 investment apartments and near 12,000 units in development.

The company was founded by high-rise king Harry Triguboff, 90, whom The Australian last week revealed had grown his wealth by near $3bn over the past twelve months.

Mr Triguboff was ranked fourth on The List – Australia’s Richest 250 last Friday, with an estimated net worth of $23.6bn.

The hack comes amid a spate of cyber-attacks which have hit vulnerable Australian businesses, raising concerns about their security systems.

“Leading Australian businesses and brands are failing to keep the bad guys out, despite unprecedented levels of cyber security investment,” CREST ANZ Chair, David McEwen, said, referring to industry-wide problems.

He noted the recent explosion of breaches including Latitude, Medibank, Optus, Woolworths, Toll, Toyota, and Energy Australia, which have had widespread impacts.

Mr McEwen said that most organisations which came under attack quickly realised that they had not invested enough when confronted with the impacts of destructive malware, compromise of email systems, or cyber extortion through data theft.

“There are others that are entirely unaware that they have been hacked,” he said, noting cases where it was not immediately evident that customer data has been compromised.

McEwen advocated that protection from cyber-attacks required a significant expansion of cybersecurity investment.

“We need to take a quantum leap in more robust offensive, defensive and governance security measures, to stay ahead of emerging threats,” he said.

Meriton did not respond to requests from The Australian for more details of the January breach but did share a FAQ about its hack, which is located under the topic of “helpful links” at the bottom of its website.

“Meriton’s forensic analysis team identified 35.6GB of data to be potentially impacted by the incident, very little of the data was PID related or sensitive information,” read the answer to the frequently asked question: how much data was potentially taken?

The developer confirmed its guest database had not been breached and only guests whose information was contained in hotel incident reports.

Former and current staff had been affected, but the attack had not targeted any particular person, the company said.

“Meriton has personally notified all individuals potentially affected by the incident, who have received tailored advice in respect to recommended steps that should be taken,” it read.

“There is no evidence that this cyber incident was directed towards any specific individual, and Meriton’s investigation has revealed no evidence that affected individuals have had their information misused.”

More Coverage

Inside the Triguboff succession

John Stensholt

Meriton lifts prices as high rise shortage looms

Ben Wilmot

Originally published as Meriton hack: near 2000 guests, staff caught in cyber breach