
Biggest Data Breaches in Australia and What Businesses Can Learn

Australian businesses face unprecedented cyber security challenges. In just the first three months of 2024, a staggering 1.8 million user accounts were compromised. That’s a 388% increase compared to late 2023.

With data breaches on the rise, the importance of strong cybersecurity measures has never been more critical. In an effort to mitigate these effects, the Australian Government has begun revisiting its cybersecurity frameworks and policies with the National Cyber Security Strategy 2023-2030, which aims to strengthen protections for businesses and individuals alike. However, staying ahead of cybercriminals requires more than just government action; it demands that individual businesses proactively strengthen their own cybersecurity measures.

In this article, we’ll cover the 5 biggest data breaches in Australia, what went wrong, and, most importantly, what businesses can learn to better protect themselves.

Why Are Data Breaches A Risk For Businesses?

Data is one of the most valuable assets a business can have, and cybercriminals know it. Put simply, a data breach is when unauthorised individuals gain access to sensitive information, such as personal customer data or confidential corporate records, by exploiting vulnerabilities and weaknesses. Whether through system vulnerabilities, phishing attacks, or sophisticated cyber intrusions, these breaches can cause widespread damage to both the businesses and individuals affected.

And the threat is only growing.

Research from Surfshark reveals a sharp rise in cybersecurity attacks across Australia, with over 60% of businesses experiencing at least one cybersecurity incident. But Australia isn’t alone; companies worldwide are grappling with the rise in data breaches, with cybercriminals becoming more advanced and persistent.

With our increasing reliance on digital solutions and platforms, cybersecurity and data breaches spark bigger conversations about trust, privacy, and security. The consequences can be severe and far-reaching. A data breach can lead to significant financial losses, legal consequences, and a tarnished reputation that can take years to rebuild. Worse still, it puts customers directly in harm’s way, exposing their personal information to identity theft, fraud, and other malicious activities.

5 Data Breach Statistics Australian Businesses Should Know

  1. Australian companies lose an average of AUD $276,323 per cybercrime incident
  2. 50% of consumers avoid businesses that have suffered a data breach
  3. Contact information was compromised in 88% of breaches, whilst identity information was exposed in 63% of cases
  4. Health information was the third most common type of compromised data, appearing in 41% of breaches
  5. Malicious or criminal attacks remain the main cause behind 67% of all breaches

Why Is Cybersecurity Crime On The Rise In Australia?

Australia ranks 15th worldwide for data breaches per capita, with a cybercrime reported every 6-7 minutes. But what’s driving this surge in cyber threats? Several key factors are at play:

1. Growing Digital Economy and Hyper-Connectivity

Technology has transformed the way businesses operate. Today, companies of all sizes rely on various digital tools to streamline operations, cut costs, and enhance customer experiences. While this digital shift brings many advantages, it also creates a pool of potential targets. With business operations now more interconnected than ever, a single weak point can lead to widespread exposure and vulnerability.

2. Data Is a Valuable Commodity

Data is currency and Australia’s digital wealth makes it a prime target. Cybercriminals are especially interested in financial records, healthcare data, and government databases, which can be sold on the dark web or used for fraud, identity theft, and ransomware attacks. As long as data remains profitable, cybercriminals will continue looking for ways to exploit it.

3. Challenges in Cybersecurity Readiness

Despite the growing risks, many businesses, especially small and medium-sized enterprises (SMEs), struggle to implement strong cybersecurity strategies. Limited resources, tools, and knowledge leave them vulnerable. Almost half of SMEs rate their cybersecurity understanding as “average” or “below average,” and 1 in 5 don’t even recognise the term “phishing.” Thus, without proper defences in place, these businesses become easy targets.

4. Increased Focus on Cybersecurity

You might assume that increased awareness and investment in cybersecurity would deter hackers, but in many cases it does the opposite. As the government and businesses implement stricter security measures, cybercriminals evolve their tactics, seeing new barriers as challenges to overcome.

Top 5 Security Breaches In Australia

1. Canva

Date: May 2019

Users Affected: 137 million users worldwide

In May 2019, Australian tech unicorn Canva, one of the world’s most popular online design tools, fell victim to a monumental data breach, impacting 137 million users worldwide. With over 55 million active monthly users, Canva’s breach was one of the biggest cybersecurity incidents in Australia’s history.

What Happened?

A cybercriminal identified as “Ghosticplayers” successfully breached Canva’s defences, gaining access to sensitive user data, including:

  • Usernames and real names
  • Email addresses and country data
  • Encrypted passwords
  • Partial payment data

Unlike most hackers who attempt to sell stolen data on dark web forums, Ghosticplayers reached out directly to the media outlet ZDNet to boast about the attack.

How Canva Responded

Fortunately, Canva was able to detect and stop the attack while it was in progress. While Ghosticplayers claimed to have obtained OAuth login tokens (used for Google sign-ins), Canva found no evidence that these were downloaded or used to access user accounts. Similarly, although the hacker briefly viewed files containing partial credit card and payment data, there were no signs of financial data being stolen.

To mitigate the impact of the breach, Canva:

  • Immediately notified affected users and prompted them to change their passwords.
  • Reset the passwords of all accounts whose passwords had not been changed in six months.
  • Revoked all active login tokens that existed before the breach, requiring users to reconnect their accounts.

2. Latitude

Date: March 2023

Users Affected: 14 million customers from Australia and New Zealand.

In March 2023, Australian personal loan and financial services provider Latitude suffered a massive cybersecurity breach, compromising the sensitive information of 14 million customers across Australia and New Zealand. What initially seemed like a relatively small breach affecting 328,000 customers quickly escalated after an investigation identified 14 million affected customers.

How Did the Breach Happen?

The attack began when a single set of employee credentials was stolen, granting cybercriminals access to Latitude’s customer database. The stolen data included:

  • Real names and physical addresses
  • Email addresses and phone numbers
  • Dates of birth
  • Driver’s license numbers
  • Passport numbers

One of the most alarming aspects of the Latitude breach was that much of the compromised information dated back to 2005. This raised concerns about why customers’ records were stored beyond the legally required seven-year timeframe. Keeping outdated data unnecessarily increases the risk of exposure in the event of a cyberattack, as the Latitude breach showed.
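A retention sweep is one way to catch this kind of over-retention before an attacker does. The sketch below is an added example, not Latitude's code: the column names, the `legal_hold` flag, the sample rows and the choice to start the seven-year clock at the last account activity are all assumptions.

```python
from datetime import date

RETENTION_YEARS = 7  # the seven-year period cited in the article
IDENTITY_FIELDS = ("date_of_birth", "drivers_licence", "passport_number")

# Constructed sample rows; column names and values are hypothetical.
RECORDS = [
    {"id": 1, "last_activity": date(2005, 6, 14), "legal_hold": False,
     "date_of_birth": "1970-01-01", "drivers_licence": "DL-0001", "passport_number": "PA-0001"},
    {"id": 2, "last_activity": date(2016, 3, 16), "legal_hold": False,
     "date_of_birth": "1985-05-05", "drivers_licence": "DL-0002", "passport_number": None},
    {"id": 3, "last_activity": date(2014, 1, 2), "legal_hold": True,
     "date_of_birth": None, "drivers_licence": None, "passport_number": "PA-0003"},
    {"id": 4, "last_activity": date(2022, 11, 30), "legal_hold": False,
     "date_of_birth": "1990-09-09", "drivers_licence": "DL-0004", "passport_number": None},
]


def retention_cutoff(today, years=RETENTION_YEARS):
    """Date before which a record's last activity puts it outside the window."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # today is 29 Feb and the target year is not a leap year
        return today.replace(year=today.year - years, day=28)


def overdue_records(records, today):
    """List records past retention and the identity fields each still exposes."""
    cutoff = retention_cutoff(today)
    report = []
    for rec in records:
        if rec["last_activity"] >= cutoff:
            continue  # still inside the retention window
        held = [f for f in IDENTITY_FIELDS if rec.get(f)]
        # Assumption: records under legal hold go to manual review, not deletion.
        action = "review" if rec["legal_hold"] else "purge"
        report.append({"id": rec["id"], "action": action, "fields": held})
    return report


if __name__ == "__main__":
    for row in overdue_records(RECORDS, today=date(2023, 3, 16)):
        print(row)
```

Run on a schedule, the report shows how much identity data an intruder would find that the business no longer needs to hold.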

How Latitude Responded

To contain the breach, Latitude took its systems offline to prevent further access and prioritise the protection of personal data. The company also:

  • Notified affected customers and applicants via email or letter (where contact details were available).
  • Provided clear information about the stolen data and available support.
  • Cooperated with investigations into whether it had sufficient security measures in place to prevent such an attack.

3. Optus

Date: September 2022

Users Affected: 9.8 million customers

In September 2022, Optus, one of Australia’s largest telecommunications companies, saw a breach affecting the personal data of 9.8 million customers (almost 40% of the Australian population).

The breach sparked major policy criticisms about the state of cybersecurity in Australia and the effectiveness of existing security measures.

How Did the Breach Occur?

The breach occurred when cybercriminals, believed to be working for a state-sponsored operation, gained access to Optus’ internal network via an unauthorised API endpoint, a critical vulnerability that didn’t require traditional user authentication methods like usernames or passwords.
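An endpoint that skips authentication can often be found from the API's own description before it is found from the outside. The following added example (not Optus code) audits an OpenAPI 3 document for operations that accept anonymous callers; the paths, the `bearerAuth` scheme name and the allowlist are hypothetical, and `SPEC` is a constructed sample.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed OpenAPI 3 fragment; paths and the scheme name are hypothetical.
SPEC = {
    "security": [{"bearerAuth": []}],  # global default: token required
    "paths": {
        "/v1/customers/{id}": {"get": {"summary": "Fetch record"}},  # inherits global
        "/v1/customers/{id}/contact": {
            "get": {"summary": "Legacy lookup", "security": []},  # cleared: no auth
        },
        "/v1/health": {"get": {"summary": "Liveness", "security": [{}]}},  # anonymous
        "/v1/accounts": {
            "post": {"summary": "Create", "security": [{"bearerAuth": []}, {}]},  # optional
        },
    },
}


def allows_anonymous(requirements):
    """True if a security requirement list lets a caller in with no credentials."""
    # None: nothing declared. []: explicitly cleared.
    # An empty object {} in the list means "no credentials" is an accepted option.
    if not requirements:
        return True
    return any(len(req) == 0 for req in requirements)


def unauthenticated_operations(spec, allowlist=()):
    """Return sorted (METHOD, path) pairs reachable without credentials."""
    default = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue  # skip non-operation keys such as "parameters"
            # An operation-level "security" key replaces the global one entirely.
            effective = op["security"] if "security" in op else default
            if allows_anonymous(effective) and path not in allowlist:
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SPEC, allowlist={"/v1/health"}):
        print(f"NO AUTH REQUIRED: {method} {path}")
```

Running this in CI against every published spec, with a short reviewed allowlist, turns "which endpoints are open?" into a failing build rather than a discovery made after a breach.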

Customer information breached included:

  • Names and birthdates
  • Addresses and phone numbers
  • Passport and driver’s license numbers
  • Government ID numbers
  • Medical records and Medicare card IDs

The stolen data quickly appeared on online forums, accompanied by a demand for a $1.5 million ransom in cryptocurrency. However, under pressure from law enforcement, the hackers reversed course, apologising and claiming that they had deleted the data.

The incident is still under investigation, but it has prompted organisations across Australia to re-evaluate the sensitive data they hold and critically assess their data storage and collection practices.

4. Medibank

Date: December 2022

Users Affected: 9.7 million people

In December 2022, Medibank, one of Australia’s largest health insurance providers, became the victim of a high-profile data breach, exposing sensitive data including:

  • Names and birthdates
  • Passport numbers
  • Medical claims data
  • Medical records

What Happened?

The breach was believed to be carried out by REvil, a ransomware group based in Russia. The cyberattack was made possible by the theft of internal credentials belonging to an individual with privileged system access, likely obtained through phishing tactics – the use of deceptive messages, often disguised as legitimate communications, to trick individuals into revealing sensitive information, such as usernames, passwords, or credit card details.

The breach was first discovered when REvil posted a folder containing 6GB of raw data samples on a dark web blog, claiming that much larger amounts of data were available for release and demanding a $10 million ransom. Medibank made the decision to refuse the ransom demand, staying firm in its commitment to not negotiate with criminals.

Despite the data being fully released on the dark web, to date, no cases of identity theft or financial fraud have been confirmed as a result of the breach. However, customers have been urged to remain vigilant against potential phishing scams and to monitor their credit reports to protect themselves.

What Have They Done Since?

In the aftermath of the breach, Medibank has invested significant resources into strengthening its cybersecurity infrastructure. The breach is currently under investigation by the Office of the Australian Information Commissioner (OAIC), which is examining Medibank’s information handling practices. If it is found that the company did not have adequate security measures in place, it could face a $50 million fine.

5. ProctorU

Date: July 2020

Users Affected: 444,000 records

ProctorU is an online exam proctoring service that suffered a breach in July 2020. The breach exposed user records, including email addresses, of students from several prominent Australian universities:

  • The University of Sydney
  • The University of New South Wales
  • The University of Melbourne
  • The University of Queensland
  • The University of Tasmania
  • James Cook University
  • Swinburne University of Technology
  • The University of Western Australia
  • Curtin University
  • The University of Adelaide

The breach impacted records dating back to 2014 but did not involve financial information.

Impact and Response

Once the breach was detected, ProctorU promptly notified the affected universities, which in turn alerted their students. The company worked to ensure the exposed data was secured and prevented further unauthorised access.

Lessons Learned

The breaches of Canva, Latitude, Optus, Medibank, and ProctorU serve as a reminder that no company, no matter how big or secure, is immune to cyber threats.

Cybercriminals are always evolving, finding new ways to exploit vulnerabilities. While companies may have strong defences in place, these incidents show that breaches can still occur, especially when it comes to vulnerable employee credentials or outdated data storage practices.

The key takeaway is that cybersecurity is a core business practice. These incidents are a sobering reminder that cybersecurity threats require constant vigilance, investment, and a proactive approach to ensure businesses and individuals are protected.

What Can You Do To Protect Your Business?

To defend against cyber threats, it’s essential to be proactive. By having the right measures in place, you can significantly reduce the risk of a breach.

  • Follow the Essential 8: The Australian Government’s Essential 8 framework is your blueprint for cybersecurity. It is a great place to start, offering a comprehensive set of strategies like application control, patching applications, restricting administrative privileges, and enabling multi-factor authentication to mitigate common cyber risks.
  • Keep Systems Updated and Patched: Outdated software can quickly become a weak point in your IT infrastructure. Regularly update and patch your systems to reduce vulnerabilities before attackers can exploit them.
  • Train Your Team: When it comes to cybersecurity, education and awareness are critical. Educate your team about cybersecurity best practices and raise awareness about the latest threats to reduce the risk of human error in security breaches.
  • Invest in Robust Security Tools: Strengthen your defences with antivirus, anti-ransomware, and advanced web filtering solutions. Data loss prevention and email filtering tools can also protect your business from malicious attacks.
  • Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security to your login processes, making it more difficult for cybercriminals to gain unauthorised access.
  • Develop a Response Plan: Hope for the best but prepare for the worst. Having a detailed response plan ensures your business can react swiftly and minimise damage in the event of a breach.
  • Regular Security Audits: Regular vulnerability assessments and penetration testing are essential for identifying potential weaknesses in your systems. These audits often simulate real-world cyberattacks to uncover gaps in your defences, such as outdated software, misconfigurations, or vulnerabilities in your network.

Protect Your Business Before It's Too Late

It’s clear that even some of the nation's largest and most trusted organisations have fallen victim to cyber-attacks. The unfortunate truth is that the question is not if your business will be targeted, but when. The real challenge lies in ensuring that you're prepared, with robust security measures in place to mitigate and minimise.

At CRT Network Solutions, we specialise in helping businesses safeguard their digital assets through comprehensive security audits and tailored cybersecurity strategies. Our expert team will work with you to identify vulnerabilities, strengthen your defences, and implement proactive measures to ensure that your business stays one step ahead. Get in touch today and start protecting what matters most. If you are looking to shift your IT management needs, CRT Network Solutions is the MSP you can count on. We take the risk and stress out of maintaining your business’s IT infrastructure while boosting your cost efficiency and productivity. With a full range of end-user IT managed services, we tailor our solutions to meet the specific needs of your operations. Get in touch today and let us help you optimise your IT infrastructure.
