Last updated: 25 June 2026 · This is a developing story and follows our earlier coverage of the ALS Global cyber incident.
When we first wrote about the ALS Global cyber incident, the situation was a claim: a ransomware group said it had broken in, and a countdown was ticking. That countdown has now run out. The stolen data has been published online, and ALS Global has publicly acknowledged it.
Here is what changed, what it means, and what you should do if you think you might be affected.
What's happened
ALS Global — a Brisbane-headquartered testing and inspection company that traces its roots back to 1863 and now operates in more than 70 countries — first told the market it was dealing with a cyber incident in an Australian Stock Exchange filing on 11 June 2026. At that stage, the company described temporary disruption to parts of its operations.
A ransomware group calling itself Aur0ra has since claimed responsibility. On 19 June, the group posted details of the incident on its dark web leak site, along with sample files. It has now moved to publish the stolen dataset rather than keeping it as leverage.
ALS has confirmed it is aware of the published data. In a statement, the company said it identified the incident, engaged cyber security experts to contain and investigate, strengthened its security controls and monitoring, and notified the Australian Cyber Security Centre (ACSC) along with relevant regulators. The company says it will continue to meet its regulatory obligations.
What data is involved
This is where the story shifts from "potential exposure" to "confirmed exposure." According to the attackers, the dataset includes a wide range of sensitive employee and business information:
- Home directories for up to 500 employees, including cached login credentials and personal data
- Hundreds of files containing passwords stored in plain text
- Passport scans
- Bank account details
- Payroll data
- Workplace injury records
The attackers also claim to hold client laboratory results, analytical data, and internal research. The sample files they released reportedly include administrator passwords and details of a salary negotiation.
If you have ever been employed by ALS Global, or done business that involved sharing personal or financial details with them, this is the kind of exposure worth taking seriously.
Why this one matters
Most of the breaches we cover involve names, emails, and phone numbers. This one is different in scale and depth. Plain-text passwords and cached credentials are immediately usable. Passport scans and bank details feed directly into identity theft and financial fraud. Workplace injury records and salary information are deeply personal and can be used for targeted manipulation.
When credentials are dumped publicly, the risk does not stay contained to one company. People reuse passwords across personal and work accounts. A password exposed in a corporate breach is often the same one protecting an email account, a banking login, or a social media profile. Criminals know this, and automated tools test stolen credentials against thousands of other services within hours.
What to do if you might be affected
You don't need to wait for an official letter to start protecting yourself. If there's any chance your details are in this dataset, here are the practical steps that matter most.
Change your passwords now — and don't reuse them. Start with your email, then your banking and any account that shares a password with your old ALS login. Use a unique password for every account. A password manager makes this manageable.
Turn on multi-factor authentication everywhere you can. Even if a criminal has your password, MFA gives them a second wall to climb. Prioritise email and banking first.
Watch your bank and financial accounts closely. With bank details and payroll data potentially exposed, look for unfamiliar transactions and set up alerts for any activity on your accounts.
Be alert to targeted scams. When attackers hold detailed personal information, their phishing gets convincing. Treat unexpected calls, texts, or emails referencing your employment, your bank, or your personal details with caution — especially if they create urgency. Verify independently before acting.
Consider whether your passport needs attention. If your passport scan was exposed, be aware it can be used in identity fraud. Keep an eye out for accounts or credit applications you didn't make.
How SelfCybr helps
This is exactly the gap SelfCybr exists to close — the space between a breach making the news and an ordinary person knowing whether they're affected and what to do about it.
SelfCybr monitors the dark web and breach sources for your details and alerts you when your information turns up somewhere it shouldn't. We explain what the exposure actually means in plain language, without the jargon and without the fear-mongering, and we walk you through the steps that matter for your situation. If things escalate, our Australian-based team can help with the reactive side too.
Your data stays in Australia, we never sell it, and our support is local.
A note on this story
The details above are drawn from the ransomware group's own claims and from ALS Global's public statements. As with any breach of this kind, the full scope may take time to confirm, and we'll update this post as more becomes known.
If you're worried about whether your information has been exposed in this or any other breach, that's exactly what we're here for.
SelfCybr is an Australian cybersecurity service helping individuals and families understand and respond to data breaches, scams, and online threats — in plain language. Learn more at selfcybr.com.
