
Major data breaches go from rare to routine

A cybersecurity firm warns that Australian businesses must do better. 

Last updated: 03 March 2025

Need to know

  • Mega data breaches (those affecting a million people or more) have gone up and up in recent years – from the beginning of 2022 to the end of 2023, there were 12
  • From January to June 2024, the Office of the Australian Information Commissioner received 527 data breach notifications, the highest number since the July to December 2020 period 
  • A report by a Sydney-based cybersecurity firm indicates that businesses and organisations still aren't doing enough to protect our data 

Our main focus in the digital world these days should be on steering clear of scams, and deleting, reporting or ignoring all forms of contact that seem even remotely fishy. But large-scale data breaches that make our personal details available to scammers – pretty much forever – are worth paying attention to as well. 

With the stolen personal information, all the corporate-style global scam operations out there have a lot to work with. They can craft personalised scams that can fool the best of us. 

The biggest data breaches in recent years include the Optus case, where up to 9.8 million people had their data stolen; the Latitude Finance case, which affected around 14 million Australians; and the Medibank event, where the records of around 4 million customers were heisted. 


But these are just the well-publicised cases, and the reported ones. Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals when personal information they hold is lost, or accessed or disclosed without authorisation, and that is likely to result in serious harm to the people it identifies. 

From January to June 2024, the OAIC received 527 data breach notifications, the highest number since the July to December 2020 period and a 9% increase on the previous six months.

Most of the breaches (63%) in the first half of 2024 affected 100 people or less, but the MediSecure data breach affected almost 13 million Australians. Many breaches likely go unreported. 

Twelve major breaches over two years 

According to the Sydney-based cybersecurity firm StickmanCyber, mega data breaches (those affecting a million people or more) have gone up and up in recent years. 

The firm – which is a member of the NSW Government Cybersecurity Taskforce and the Australian Cyber Security Centre – recently released a report it says is based on an analysis of all 6000 notifiable data breach reports submitted to the OAIC since the scheme's inception in 2018. The firm obtained the reports through a Freedom of Information request lodged in October last year. 

The main takeaway is that there were just two data breaches that affected a million Australians or more between 2018 and 2021. And then, from the beginning of 2022 to the end of 2023, there were 12. Breaches affecting at least 1000 people went up 40% over that period as well, according to the report. 


Other noteworthy findings include that nearly a third of mega breaches went undetected for at least 30 days; that Australian Government organisations usually take longer than corporate entities to detect a breach; and that the healthcare and finance sectors have suffered the highest number of breaches. 

"For mega breaches to increase so much, so fast, is cause for concern," says StickmanCyber CEO Ajay Unni. 

"The problem is that there are now more companies with more data on Australian residents than ever. When they are breached, we are accustomed to the contact, payment and identification details of millions of people falling into the wrong hands. But we should never accept this as the status quo. Businesses have to do better, or they must leave our data alone."

Data breach details in OAIC reports 

The StickmanCyber report would be eye-opening for many, but it's worth noting that the data breach information was already available by way of the OAIC's own notifiable data breach reports, for those who take the time to delve into government reports. 

In its January to June 2022 report, when the OAIC started to notice an increase in large-scale data breaches, it introduced a breakout box showing the number of Australians affected.

An OAIC spokesperson tells CHOICE the reasons for the increase in major breaches are multifold, the standout being "the increasing frequency and complexity of cyber attacks", which are behind the majority of breaches. 

More businesses reporting breaches to the regulator as required following the high-profile Optus and Medibank cases is another probable reason, OAIC says. Other reasons for the increase include the growing use of external service providers by businesses, particularly cloud and software services. 


Data breaches also give criminals the tools they need to launch increasingly effective cyber attacks, leading to further data breaches. The OAIC's spokesperson referred to these as "credential stuffing attacks": usernames and passwords leaked in one breach are tried, at scale and usually by automated tools, against other services, and they succeed wherever people have reused the same password. It means the criminals are using our personal information to steal yet more personal information. 
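Credential stuffing leaves a recognisable footprint in an authentication log: one source hammering many different accounts with a high failure rate, with the occasional success where a reused password matches. The following is an added example, not code from the article, the OAIC or StickmanCyber; it runs over a constructed set of login records (the IP addresses are documentation ranges, the accounts are made up) and the thresholds it uses are assumptions chosen for illustration, not published detection rules.

```python
# Credential-stuffing detection over constructed authentication log lines.
# Added illustration; the log, IPs, account names and thresholds are all
# constructed assumptions, not real data or any organisation's rules.

# Constructed sample: "timestamp source_ip username outcome" per line.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-03-01T10:00:02Z 203.0.113.7 carol@example.com OK
2025-03-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2025-03-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2025-03-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2025-03-01T10:00:04Z 203.0.113.7 grace@example.com OK
2025-03-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2025-03-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2025-03-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2025-03-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:01:01Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:01:02Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:01:03Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:01:04Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:01:05Z 198.51.100.9 alice@example.com FAIL
2025-03-01T10:02:00Z 192.0.2.33 mallory@example.com FAIL
2025-03-01T10:02:30Z 192.0.2.33 mallory@example.com OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append((ts, ip, user, outcome == "OK"))
    return attempts


def profile_sources(attempts):
    """Aggregate per source IP: attempt count, failures, distinct users, hits."""
    stats = {}
    for _ts, ip, user, ok in attempts:
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0,
                                  "users": set(), "hits": set()})
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)       # account whose reused password matched
        else:
            s["failures"] += 1
    return stats


def classify(stats, min_attempts=5, min_failure_rate=0.6, spread=0.8):
    """Label each source IP.

    Thresholds are assumptions for illustration:
    - fewer than min_attempts attempts: too little signal, 'normal'
    - failure rate below min_failure_rate: ordinary users mistyping, 'normal'
    - distinct usernames >= spread * attempts: one attempt per account,
      the credential-stuffing shape
    - otherwise many attempts against few accounts: password brute force
    """
    verdicts = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
            continue
        failure_rate = s["failures"] / s["attempts"]
        if failure_rate < min_failure_rate:
            verdicts[ip] = "normal"
            continue
        if len(s["users"]) >= spread * s["attempts"]:
            verdicts[ip] = "credential-stuffing"
        else:
            verdicts[ip] = "brute-force"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts that logged in successfully from a stuffing source: these need
    a forced password reset, not just a blocked IP."""
    return sorted(user
                  for ip, s in stats.items()
                  if verdicts[ip] == "credential-stuffing"
                  for user in s["hits"])


def analyse(text=SAMPLE_LOG):
    stats = profile_sources(parse_log(text))
    verdicts = classify(stats)
    return verdicts, compromised_accounts(stats, verdicts)


if __name__ == "__main__":
    verdicts, hits = analyse()
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:14} {label}")
    print("accounts to reset:", hits)
```

The distinction the classifier draws matters for response: a brute-force source is trying many passwords against one account and rate limiting on the account works, whereas a stuffing source tries one known password per account, so per-account lockouts never trigger and the successful logins are the real finding. The practical mitigations that follow from this are multi-factor authentication, which defeats a reused password on its own, and screening new passwords against known-breached credential sets.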

Ajay Unni says his firm's research provides further evidence that the organisations that have our data continue to fall short on protecting it. 

"The Australian public sector is notably poor at both identifying and responding to breaches in a timely fashion. But at least the public sector is reporting to the OAIC. The data suggests that underreporting is a chronic issue in the private sector. There are suspiciously few breaches in many industries like retail, which we know collect large volumes of data and struggle to protect it."


We care about accuracy. See something that's not quite right in this article? Read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.