Data breaches in Australia are on the rise, notably in the financial and healthcare industries. In an effort to disrupt this destructive trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
But Australian businesses can’t rely solely on the government’s cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It is up to each individual business to continue lifting this standard with additional data breach prevention controls.
To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we have compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact.
If you’re interested in a global perspective, you can also read our blog on the biggest data breaches globally.
1. Canva
![Canva data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bb61_608a91f155fcae3211776d9b_Canva%2520data%2520breach.jpeg)
Date: May 2019
Impact: 137 million users
Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million active monthly users.
A cybercriminal identified as Ghosticplayers breached Canva’s defences but was stopped by Canva when they detected malicious activity in their systems. Unfortunately, this interception didn’t happen soon enough. The threat actor had time to access the following user data:
- Usernames
- Real names
- Email addresses
- Country data
- Encrypted passwords
- Partial payment data
After the cyberattack, Ghosticplayers contacted ZDNet to brag about the successful data breach. This is unusual behaviour for cybercriminals, who usually gloat about their cybercrimes on dark web forums.
Canva quickly notified users whose passwords had been decrypted to change their passwords, and reset all accounts for those who had not changed their passwords in 6 months.
2. Sydney Tools
![Sydney Tools](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/69382d517f6f9105ac9ca4c6_80b50e87.png)
Date: March 2025
Impact: 34 million online order records and over 5,000 employee records
- Customer full names
- Email addresses
- Phone numbers
- Home addresses
- Itemised purchase details
For employees, data included names, surnames, designated branches, salaries, and sales targets.
According to Cyber Daily, this breach was caused by a major misconfiguration when the Australian hardware and DIY supply retailer left an unauthenticated ClickHouse database publicly accessible on the internet. The data included a staggering 34 million records detailing online customer orders, alongside sensitive internal data for over 5,000 current and former employees, including payroll and sales target information.
Cybersecurity researchers who discovered the leak warned that the exposure of detailed purchase histories and home addresses could aid in highly targeted physical theft (of expensive tools) in addition to typical cybercrimes like identity theft and phishing campaigns.
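
The misconfiguration class described above (a ClickHouse server reachable from anywhere with no credential required) can be checked for in your own configuration files. The script below is an added example, not code from the original article or from any affected company; the two XML samples are constructed, and they merge settings that a real deployment splits between config.xml and users.xml.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples. Real deployments split these settings between
# config.xml (listen_host) and users.xml (users); they are merged here.
EXPOSED = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <users><default>
    <password></password>
    <networks><ip>::/0</ip></networks>
  </default></users>
</clickhouse>"""

HARDENED = """<clickhouse>
  <listen_host>127.0.0.1</listen_host>
  <users><default>
    <password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
    <networks><ip>10.0.0.0/8</ip></networks>
  </default></users>
</clickhouse>"""

SECRET_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def is_open(addr):
    """True when an address or CIDR is not confined to private/loopback space."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return True  # hostname or pattern: cannot prove it is private, so flag it
    if net.prefixlen == 0 or net.is_unspecified:
        return True  # 0.0.0.0, :: and /0 ranges mean "everyone"
    return not (net.is_private or net.is_loopback)


def audit(xml_text):
    """Return (code, subject) findings for one ClickHouse configuration."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.findall("listen_host"):
        host = (el.text or "").strip()
        if host and is_open(host):
            findings.append(("LISTEN_PUBLIC", host))
    for user in root.findall("users/*"):
        # Only password-style credentials are checked; LDAP, Kerberos and
        # certificate authentication would need their own rules.
        if not any((user.findtext(t) or "").strip() for t in SECRET_TAGS):
            findings.append(("NO_PASSWORD", user.tag))
        for ip in user.findall("networks/ip"):
            if is_open((ip.text or "").strip()):
                findings.append(("OPEN_NETWORK", user.tag))
                break
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

All three findings together (public listener, no password, unrestricted source network) describe a database that anyone on the internet can query; any one of them alone is still worth fixing.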
3. Latitude
![Latitude](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bb64_646fd6e81bd5647a299a56f6_134.png)
Date: March 2023
Impact: 14 million customers
Latitude, the Australian personal loan and financial service provider, was affected by a data breach that impacted over 14 million people from Australia and New Zealand. Although the initial disclosure stated that only 328,000 individual customers were affected, that number quickly grew to 14 million after further investigation.
The Latitude breach was one of Australia’s largest breaches in recent history and follows a recent string of large-scale attacks (Optus and Medibank).
The attack occurred when one set of employee credentials was stolen, allowing access to Latitude’s customer data, primarily consisting of:
- Full names
- Physical addresses
- Email addresses
- Phone numbers
- Dates of birth
- Driver’s license numbers
- Passport numbers
Much of the information was data stored from 2005, which drew questions about why companies continue to store customer information beyond the required seven-year timeframe. The government also considered extending the reach of federal cyber agencies to intervene in the event private companies come under attack.
Latitude is currently being investigated for its role in the attack and whether or not it had sufficient means to prevent the attack from happening. The company is also being investigated for a class-action lawsuit.
4. MediSecure
![MediSecure](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/69382d517f6f9105ac9ca4c9_05189339.png)
Date: April/May 2024
Impact: 12.9 million Australians
As reported by the Australian Broadcasting Corporation, the MediSecure incident was one of the largest healthcare-related breaches in Australian history, with the following data compromised:
- Personal and restricted health information relating to prescriptions
- Names
- Dates of birth
- Addresses
- Medicare card numbers
- Prescription details for scripts issued up until November 2023
The digital prescription delivery service provider suffered a large-scale ransomware attack that was reportedly initiated via a third-party vendor’s system. The breach resulted in the theft of approximately 6.5 terabytes of data related to prescriptions distributed between March 2019 and November 2023.
5. Optus
![Optus logo](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bb67_63311f5ebb1f8e7e057caaf6_Biggest%2520data%2520breaches.jpeg)
Date: September 2022
Impact: 9.8 million customers
The Optus data breach was one of the biggest security breaches ever in Australian history. Because Optus is the second-largest telecommunications company in Australia, this security incident raised questions about Australian data security policies and how companies handle them.
Cybercriminals believed to be working for a state-sponsored operation breached Optus’ internal network, compromising personal information and impacting up to 9.8 million customers, almost 40% of the population. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017.
Personal data in this compromised data set includes:
- Names
- Birth dates
- Addresses
- Phone numbers
- Passport information
- Driver’s license numbers
- Government ID numbers
- Medical records & Medicare card ID numbers
It’s speculated that the criminal group gained access through an unauthenticated API endpoint, meaning a username/password or other authentication method wasn’t required to connect to the API. Bayer said it was an extremely sophisticated attack that circumvented the company’s strong cyber defenses.
Hackers published the sensitive data samples on online forums just a few days later, demanding a A$1.5m ransom in cryptocurrency. However, the hacker reversed course only a few days after demanding the ransom due to pressure from law enforcement and claimed to have deleted all the data in an apology on the same forum.
The fallout of the attack saw major policy criticisms about the effectiveness of Australian cybersecurity. In April 2023, Optus was hit with a class-action lawsuit comprising 1.2 million customers. Australian Cyber Security Minister Clare O’Neil admitted that the country was a decade behind other developed nations on cybersecurity and data privacy.
The alleged details of the Optus data breach as published by a cybercriminal claiming responsibility (Source: Twitter, Jeremy Kirk).
If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack, a mode of attack preferred by such well-financed hacker groups for its high success rates and significant dividends.
Investigations are still underway, and Optus has yet to confirm whether it received a ransomware note from the cybercriminals.
At this point, it isn’t clear whether this breach constitutes a violation of Australian privacy principles. To prevent such a costly conclusion, Optus needs to demonstrate that it took active measures to ensure the protection of all customer data from data breach attempts, a decision for the privacy commissioner to make.
6. Medibank
![Medibank](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bb6d_646fd6cdd604dfdc25801905_133.png)
Date: December 2022
Impact: 9.7 million people
In December 2022, Medibank, the Australian health insurance giant, was the victim of a major data breach, affecting the personal details of 9.7 million customers. The attack was believed to be linked to a well-known ransomware group based in Russia, the REvil ransomware gang.
The privacy breach was first discovered when REvil posted on a dark web blog a folder that contained 6GB of raw data samples, indicating that they had larger amounts of data to release, and demanded a $10 million ransom. The data included:
- Names
- Birthdates
- Passport numbers
- Medical claims data
- Medical records
Despite this being one of the largest data breaches in Australian history, Medibank stayed firm and refused to pay the ransom. Although the data is believed to have been fully released on the dark web, no cases of identity or financial fraud have occurred yet. Medibank also urged customers to stay vigilant on credit checks and phishing scams to ensure that they don’t become victims, and the health giant invested significant amounts into its cybersecurity.
Medibank is currently under investigation by the Office of the Australian Information Commissioner (OAIC) for its information handling practices and could be subject to a $50 million fine if it is determined that it did not have sufficient security practices in place. Additionally, a class-action lawsuit could be underway for Medibank as well.
7. Qantas
![Qantas](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/69382d517f6f9105ac9ca4cc_cb9fe71f.png)
Date: July 2025
Impact: Up to 6 million customers
Qantas, Australia’s flag carrier, confirmed a data theft incident that impacted a significant portion of its customer base. Data compromised included:
- Names
- Email addresses
- Phone numbers
- Dates of birth
- Frequent flyer numbers
As reported by The Guardian, the breach was attributed to a cyber attack targeting the airline’s call centre. The compromised data included basic customer information and important loyalty program details, making affected individuals vulnerable to subsequent phishing scams and social engineering attempts. While the airline worked with federal authorities to assess the breach and strengthen its cyber defenses, the incident highlighted the security risks associated with third-party service providers and how an entry point through a less-secure system can compromise vast amounts of customer data.
8. ProctorU
![ProctorU data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbb5_60e29d2fac21997e20b52813_ProctorU%2520data%2520breach.jpeg)
Date: July 2020
Impact: 444,000 people
Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 companies and exposing 386 million records.
- The University of Sydney
- The University of New South Wales
- The University of Melbourne
- The University of Queensland
- The University of Tasmania
- James Cook University
- Swinburne University of Technology
- The University of Western Australia
- Curtin University and the University of Adelaide
9. Australian National University (ANU)
![ANU data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbb8_60e29f5957b76ae34d021f34_ANU%2520data%2520breach.jpeg)
Date: November 2018
Impact: 200,000 students
The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that shocked even the most experienced Australian security experts. Furthermore, the attack wasn’t discovered until nearly six months later.
Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:
- Names
- Addresses
- Phone numbers
- Dates of birth
- Emergency contact details
- Tax file numbers
- Payroll information
- Bank account details
- Student academic results
This is where the University’s most sensitive records were stored. The attackers worked meticulously to cover their tracks, immediately deleted access logs, and used the anonymity software Tor to obfuscate their location details.
10. Eastern Health
![Eastern Health data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbbb_60e29f72c9aecc5f6a2806be_Eastern%2520Health%2520data%2520breach.jpeg)
Date: March 2021
Impact: 4 hospitals
Eastern Health, an operator of 4 Melbourne hospitals, fell victim to a cyberattack causing certain elective surgeries to be postponed.
The nature of the cyber attack is unknown, but it’s suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are growing.
Eastern Health assured the public that no patient data was compromised in the attack.
11. Service NSW
![Service NSW data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbbe_60e29f8e89466c0649ebf50d_Service%2520NSW%2520data%2520breach.jpeg)
Date: April 2020
Impact: 104,000 people
A major contributing factor to the seamless breach was the lack of multi-factor authentication.
12. Melbourne Heart Group
![Melbourne Heart Group data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbc1_60e29f9b9692b66b87ed1904_Melbourne%2520heart%2520group%2520data%2520breach.jpeg)
Date: February 2019
Impact: 15,000 patients
Melbourne Heart Group, a specialist cardiology unit in Cabrini Hospital, fell victim to a ransomware attack impacting 15,000 patient files.
Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage unless a ransom price is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.
Melbourne Heart Group was locked out of its compromised data for almost 3 weeks.
A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in possession of the cybercriminals.
But such a claim assumes ransomware criminals are true to their promise that damages will be completely reversed if demands are obeyed.
Melbourne Heart Group reportedly paid the bitcoin ransom.
Most of the encrypted files were restored, but not all of them.
13. Australian Parliament House
![Australian Parliament House data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbc4_60e29fb6c98dc134581714d1_Australian%2520parliament%2520house%2520data%2520breach.jpeg)
Date: February 2019
Impact: Multiple political party networks (Liberal, Labor, and the Nationals).
Australian Parliament House networks were breached by a nation-state criminal group. It’s speculated that China was responsible for the attack, as a response to Scott Morrison banning Huawei and ZTE equipment from Australia’s 5G network.
The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD), Mike Burgess, none of it was classified as sensitive.
“There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves.” Mike said at the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.
The cybercriminals used phishing methods to steal employee credentials and gain entry into the government’s network. This precursor attack occurred on an infected external website that a small number of parliament staff visited.
14. Tasmanian Ambulance
![Tasmanian Ambulance data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbc7_60e29fc7d2c4b289472e6b3f_Tasmanian%2520ambulance%2520data%2520breach.jpeg)
Date: January 2021
Impact: Every resident that requested an ambulance between Nov 2020 and Jan 2021.
At the time of the breach, the Tasmanian ambulance was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text, and posted the stolen data online.
The breached data included the following patient information:
- HIV status
- Gender
- Age
- Address of each emergency incident
The website exposing the compromised data has since been taken offline.
15. Northern Territory Government
![Northern Territory Government data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbca_60e29fe0e3d8cf31726e43ed_NT%2520government%2520data%2520breach.jpeg)
Date: February 2021
When the app was launched, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.
According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.
16. Western Australian Parliament
![Western Australian Parliament data breach](https://cdn.prod.website-files.com/5efc3ccdb72aaa7480ec8179/673c4208db6b424cc223bbcd_60e29fefaf80733f2f75d6aa_Western%2520Australian%2520Parliament%2520data%2520breach.jpeg)
Date: March 2021
Impact: Unknown
Western Australia parliament’s mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. This incident was part of a global cyberattack frenzy targeting the zero-day exploit before Microsoft responded with a patch release.
But it’s uncertain whether this reassurance is true. The lack of transparency into the event is concerning.
The Australian Cyber Security Centre (ACSC) declined to comment about the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.
If the nation-state criminals were as sophisticated as the Prime Minister described them, they may have had enough time to clandestinely exfiltrate some sensitive data, even during such a brief visit.
