‘We need to get better’: Official figures show data breaches skyrocketing in Australia

As reports of data breaches in Australia skyrocket, experts argue the country is lagging behind other nations in protecting the private data of its citizens.

The Australian Signals Directorate’s (ASD) annual cyber threat report revealed the increasing risk of data breaches, with reported incidents rising from 80 in 2021-22 to 150 in the 2022-23 financial year.

Nigel Phair, professor at Monash University’s Department of Software Systems and Cybersecurity, said “things are getting worse and the attacks are getting better”.

“We need to get better as an economy,” he told The New Daily.

“We’re a rich jurisdiction and we’re always going to be targeted in cybercrime.”

The ASD said data breaches were usually the result of opportunistic intrusions exploiting a single access point or more complex intrusions using a variety of techniques.

Criminals stole an average of 120 gigabytes of data during a data breach, which most commonly included contact information (32 per cent), identity information (18 per cent) and financial details (14 per cent).

“Data stolen by cybercriminals typically ends up on the dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors,” the report said.

“Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion.”

According to the report, the average cost of cybercrime increased by 14 per cent for businesses, while total cybercrime — including data breaches — increased by 23 per cent to 94,000 incidents.

Stronger protections

David Vaile, privacy and surveillance stream lead at UNSW’s Faculty of Law, said it is virtually impossible to have a perfect defence against data breaches.

“We’ve lost the advantage to the attackers because all they need is the finest hairline crack in your defences to get in,” he said.

“You can’t assume that perimeter defence or deep technical security, even if it is done really well, will be enough.”

The Optus breach last year leaked the private information of 9.7 million customers after a human error exposed a vulnerability in the telecommunications company’s systems, and Medibank’s breach was the result of stolen credentials being sold on the dark web.

Optus’s data breach exposed the private details of over a third of Australia’s population. Photo: TND

Professor Phair said other jurisdictions, like the European Union, have been “thinking about this for a lot longer than we have,” resulting in stronger protections and better public policy like the General Data Protection Regulation (GDPR).

“They have a different construct to what we do when it comes to personally identifying information, being online and protecting data,” he said.

“It’s not the panacea, but it would certainly give a lot of protection to individuals.”

The GDPR gives individuals the right to access, rectify and erase their personal data collected by companies and organisations, while also regulating the use of private data in the EU.

It became the gold standard of information privacy after it was adopted in 2016, with other countries around the world embracing similar principles to protect individuals.

While the GDPR wouldn’t prevent systems from being breached, its principles would reduce the amount of information exposed in the event of a data hack.

Data minimisation

The ASD said that organisations “should consider what data is vital to their operations, and individuals should consider what data might affect their privacy”.

Vaile said this is an example of data minimisation, which is becoming increasingly important as data breaches become more prevalent.

“You don’t need to be paranoid about it, but you do need to look both ways before crossing the road,” he said.

“Companies and platforms have proved they don’t care and it’s you who is going to suffer, not them.”

He said Australians should also have stronger legal recourse if their information is leaked.

“My own view is that if people could sue and if they were successful, it would happen less,” he said.

“If the Optus breach resulted in a really substantial and humiliating judgement against the company on behalf of their clients, they wouldn’t have just sacked most of their senior technical people.”

Customers launched a class action against Optus in April 2023, but no company in Australia has successfully been sued for a data breach.

Copyright © 2024 The New Daily.
All rights reserved.