Heavy-lift crane maker Favelle Favco has been listed on a cyber extortion leak site in an incident that points to ongoing data security and liability exposures for Australian organisations and their insurers. The Malaysia-based group, which has an office and production facilities in the Sydney suburb of Prestons, appeared on the SafePay ransomware group’s darknet site on April 16, 2026. The entry was accompanied by a claimed 237-gigabyte collection of corporate data.
According to Cyber Daily’s report, SafePay stated on its leak portal that it acts independently and does not operate as a ransomware‑as‑a‑service affiliate. “SafePay ransomware has never provided and does not provide the RaaS,” the group said on its site. The data set linked to Favelle Favco is reported to contain more than 140,000 files. These include scans of Australian employees’ passports and driver’s licences, internal and customer communications, financial information, and technical documentation relating to cranes built by the company. The material is also understood to contain maintenance records and documents connected with a crane collapse in Derrimut, in Melbourne’s western suburbs, in 2025.
SafePay has previously claimed responsibility for incidents involving New South Wales dental provider Smile Team Orthodontics in March and global IT distributor Ingram Micro in July 2025, after which more than 42,000 individuals were notified that their personal information had been affected. The group has listed organisations in jurisdictions including the UK, the US, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina. Favelle Favco and related entity Kroll operate across Malaysia, Australia, the Middle East, Europe, and the US.
The combination of employee identity documents, customer correspondence, technical specifications, and incident-related records in one leak illustrates how a single compromise can affect multiple policy classes, including cyber, professional indemnity, directors and officers, and product liability. The presence of Derrimut collapse documentation may also have implications for any current or future disputes in which maintenance and engineering records are relevant.
The Favelle Favco case is emerging at a time when entities continue to report a significant number of data breaches under Australia’s Notifiable Data Breaches (NDB) scheme. The Office of the Australian Information Commissioner (OAIC) received 532 notifications between January and June 2025. This represented a 10% decrease compared with the previous six-month period, when notifications reached a record level, but the volume remained elevated by historical standards. Since the start of the scheme, the OAIC has noted that more notifications are typically submitted in the second half of each calendar year.
Malicious or criminal attacks were the leading cause of reported breaches in the January-June 2025 reporting period, accounting for 59% of notifications (308 incidents). Cyber security incidents comprised the majority within this category. The OAIC reported that, on average, just over 10,000 individuals were affected by each cyber incident in the period, indicating the level of exposure that can arise when attackers gain access to large data sets.
Human error accounted for 37% of all breaches (193 notifications), up from 29% in the previous reporting period. The figures indicate that mistakes in handling personal information, such as misdirected communications or incorrect access permissions, continue to contribute materially to reported incidents even where technical controls are in place. By industry, health service providers lodged 18% of notifications, the highest share of any sector. Financial services entities made up 14% of reports, and Australian government agencies 13%. This distribution points to direct exposure through financial sector operations and to accumulation risk via health, government, and infrastructure clients.
