Australia’s cybersecurity measures are inadequate and addressing data breaches must be a priority, says the country’s privacy chief.
Released Monday by the Office of the Australian Information Commissioner, the latest Notifiable Data Breaches Report shows hacks, scams and other privacy offences are on the rise and affecting millions of Australians.
From January to June 2024 there were 527 data breaches – the highest number of notifications since July to December 2020, and an increase of 9% since the second half of 2023.
Approximately 12.9 million people alone were affected when electronic prescription provider MediSecure was hacked in April – the largest number of Australians affected by a cybersecurity breach since the Notifiable Data Breaches scheme began in 2018.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority,” Australian Privacy Commissioner Carly Kind said. “Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm.”
As the report shows, malicious and criminal attacks were the most common kind of data breach (67%), with the majority (57%) consisting of cybersecurity incidents.
The health sector recorded the most data breaches during the period (102) followed by the Australian Government (63), finance (58), education (44) and retail (29).
With the NDB scheme six years in, Kind said “expectations of entities are higher”.
Australia’s regulatory framework does not penalise companies and organisations for having been targeted by bad actors, but the OAIC can enforce action if entities fail under the Privacy Act 1988 “to take reasonable steps to secure personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure”.
A legal case against Medibank for allegedly failing to comply with the Privacy Act is currently before the Federal Court.
“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations,” Kind said.
“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” she added.
The number of breaches will continue to grow
Professor Nigel Phair – from the Department of Software Systems and Cybersecurity at Monash University – told Government News data breaches continue to be the number one cybersecurity concern for Australian businesses.
“Cyber criminals constantly adapt their methods to steal customer data from a wide range of Australian organisations and subsequently monetise that theft,” he said. “We still don’t have an accurate picture of the extent of the problem, both the number of breaches and the economic loss they create, as we rely on voluntary reporting. I expect the number of breaches will continue to grow.”
Despite the threat, Phair said Australia has been shown to under-invest in cyber-risk management and in introducing adequate controls.
“Some organisations are starting to do much better at this, but many are not. Australian organisations need to understand that with the benefits of the online environment comes a down side which needs to be addressed.”
While Australia has some excellent agencies who provide a range of technical and policy support, Phair said it is difficult for government to plug cybersecurity breaches. “Responsibility lies at the organisations who continue to hold and use personal data.”