DragonForce listed Gelatissimo on their leak site on Monday night. The franchise, which started with a single Sydney store back in 2002 and now runs sixty odd stores across Australia, confirmed unauthorised access to part of its systems on Wednesday and notified the OAIC and the ACSC. The number being repeated everywhere is 352 gigabytes of stolen data, which sounds dramatic and on its own means very little.
What is interesting is the sample DragonForce posted as proof. There's a payroll spreadsheet with staff names, gross earnings, paid leave, overtime, bonuses, withheld taxes and the last four digits of TFNs; a visa application form with a passport number, residential address and phone number; a 2025 workplace incident report; a bank transfer receipt; and a corporate bank statement. Almost all of it is information about Gelatissimo's own people and internal operations rather than its customers, which most of the coverage seems to have skipped past.
Where the Sensitive Stuff Actually Sits
When most owners imagine a data breach, they picture leaked customer details, and that mental model has a fairly obvious source. The breaches that made the news over the past few years (Optus, Medibank, Qantas) were all about customer records ending up where they shouldn't.
For a business with anywhere from five to a few hundred staff, the most concentrated stack of genuinely sensitive personal information sitting on the network is more likely to be in the HR and payroll system than the customer database. Tax file numbers, super fund details, copies of passports for anyone on a working visa, direct deposit account numbers, medical certificates, performance reviews, incident reports from past workplace accidents, sometimes a decade of payslips. The volume is much smaller than a customer list, but the data is heavier per record, and most businesses have given it considerably less thought.
Customer data tends to live in something an MSP set up: a CRM, a billing platform, a booking system that someone configured with permissions in mind. Employee data more often lives in a SharePoint folder, a bookkeeper's mailbox, an old spreadsheet on the office manager's desktop, or a payroll system whose access list nobody has looked at since whoever first installed it walked out the door. We covered access scope a few weeks ago in Who Has the Keys to Your Business?, and the same logic applies inside your own four walls, not just to your vendors.
Why Staff Data Is Worse to Lose
Losing staff data also tends to do more damage to the person it actually belongs to. A customer's email on a leak site is mostly an annoyance. Tax file numbers, passport scans, and home addresses are much more dangerous, and a problem they didn't have any hand in causing in the first place. HR records also routinely list family members as next of kin, which adds an angle customer leaks usually don't have, since the scammers can now go after partners and parents by name as well.
There's also a duty of care to your staff that doesn't really exist on the customer side. Privacy Act reforms are still working their way through Parliament, and over the next year or two they'll lift what "reasonable steps" is supposed to look like when you're holding personal information. An employee whose TFN ends up on the dark web because the office password list was a shared spreadsheet is going to be a lot less forgiving about it than a customer would, regardless of what the legislation eventually says.
The Bits That Almost Always Need Tidying
A handful of patterns come up almost every time we look at the HR side of a client's network. The office manager or HR person tends to have read access across the lot because it makes the day-to-day quicker. That's fine until their account gets phished, at which point the attacker inherits the view. You'll also usually find a pile of records that should have been thrown out years ago and weren't: TFN declarations from prior staff, visa documents for people who've long since got citizenship, scanned passports for reasons nobody can quite remember. They're still sitting there because nobody had any reason to delete them.
Most of it is not hard to clean up, it just doesn't get done. The systems holding staff data were set up by whoever needed them at the time, then left to accumulate sensitive information over years, without so much as an afterthought.
We've been looking after Sydney businesses for over 20 years. If you want a chat about where your staff data might actually be located, and who has access to it, get in touch. No sales pitch.
Call Now 