In the interconnected world we live in, the importance of cyber security has never been more evident. As digital technologies evolve, so too do the tactics of cybercriminals, leading to a surge in data breaches across the globe. Among the countries most affected by this rise in cyber-attacks is Australia, which has witnessed a series of significant data breaches in recent years, impacting millions. These breaches have not only exposed sensitive information but also highlighted the urgent need for advanced security solutions to protect user data.

Australia’s journey towards becoming a global leader in cybersecurity is marked by both challenges and progress. The nation has taken proactive steps to improve cyber security, with initiatives such as the National Cyber Security Strategy 2023-2030, having an own Minister for Cyber Security, and the implementation of the Essential Eight Framework. However, despite these efforts, the frequency and scale of data breaches continue to escalate.

This blog post provides an overview of the largest data breaches in Australia (by number of affected users), explores the factors that make the country an attractive target for cybercriminals and explains why even unbreached organizations are under threat now.

We collected data from the largest data breaches from different sources (e.g. Webber Insurance, Cyber Daily, OAIC’s notifiable data breaches report from July to December 2023) with a specific focus on 2024 and discuss the implications of these breaches for individuals and businesses.

Australia has experienced a dramatic increase in data breaches, particularly in the first quarter of 2024, where a staggering 1.8 million user accounts were compromised. This represents an astonishing 388% increase from the final quarter of 2023, propelling Australia to the 15th most compromised nation globally.

Since 2004, roundabout 37 million unique Australian email identifiers were breached which is the same like 13 accounts being compromised every minute on average. All in all, these breaches have led to the exposure of a total of 416 million personal records in Australia, including 97 million passwords (see more here and here).

Several factors contribute to Australia’s attractiveness as a target for cybercriminals:

1. Growing Digital Economy and High Connectivity: Australia has a rapidly growing digital economy. This widespread digital adoption creates a vast pool of potential targets, from individual users to large corporations. Additionally, Australia’s high level of connectivity, with a tech-savvy population and advanced digital infrastructure, makes it a lucrative target for cybercriminals.

Taken from Notifiable Data Breaches Report July to December 2023

2. Black Market Pays Record Sums for Personal Data: The value of personal data on the black market has surged, making Australia’s wealth of digital information highly desirable. Cybercriminals are particularly drawn to financial data, healthcare records, and government databases.
3. Challenges in Cyber Security Readiness: Despite significant investments in cyber security, many Australian organizations still face challenges in fully implementing and maintaining security measures. A survey by Cloudflare revealed that 41% of Australian businesses experienced at least one data breach in the past year, with 33% reporting 11 or more breaches within the same period. This suggests that while awareness is growing, the execution of effective cyber security strategies remains inconsistent, leaving many organizations vulnerable to attacks.

Taken from Notifiable Data Breaches Report July to December 2023

4. Strategic Importance and Innovation Hub: Australia’s strategic importance in the Asia-Pacific region, coupled with its reputation as a hub for innovation, also makes it a target for cyber espionage and state-sponsored attacks. As a leader in testing and adopting new technologies, Australia often finds itself in the crosshairs of those seeking to disrupt or exploit cutting-edge digital systems before they are fully secured.
5. Increased Focus on Cyber Security by the Government: The Australian government’s focus on cybersecurity, exemplified by initiatives like the National Cyber Security Strategy 2023-2030 and the appointment of a dedicated Minister for Cyber Security, has brought both benefits and risks. While these efforts aim to strengthen the nation’s defenses, they also attract the attention of sophisticated attackers looking to challenge and circumvent new security measures.

The surge in data breaches in Australia highlights the need for good cyber security posture. As the country strives to become a leader in this field by 2030, it must address the existing vulnerabilities and build upon its initiatives to create a more resilient digital environment. Solutions like passkeys, which offer phishing-resistant multi-factor authentication, represent a crucial step forward in protecting user data and enhancing overall cybersecurity.

In the following, you find a list of the largest data breaches in Australia. The data breaches are sorted by the number of impacted customer accounts in descending order. The list focuses on Australian head quartered companies and not international companies where data from Australian citizens was involved.

In May 2019, Australian tech unicorn Canva fell victim to a significant data breach that compromised the personal information of 137 million users worldwide. The breach was orchestrated by a hacker operating under the alias "Gnosticplayers," who managed to infiltrate Canva’s systems and access sensitive user data. The attack was detected by Canva’s security team while it was in progress, but the hacker had already exfiltrated a large volume of data by the time they were stopped.

Interestingly, instead of the usual practice of selling the stolen data on dark web forums, the hacker reached out directly to a media outlet, ZDNet, to boast about the breach. This act of public disclosure is uncommon in the cybercriminal world, where anonymity is typically maintained to avoid law enforcement.

Following the breach, Canva promptly informed the affected users, urging those with decrypted passwords to reset them immediately. Additionally, the company implemented a mandatory password reset for accounts that hadn’t updated their passwords in the previous six months.

In March 2023, Latitude Financial, a prominent Australian personal loan and financial services provider, experienced one of the most significant data breaches in the country’s recent history. Initially, Latitude reported that approximately 328,000 customers were affected. However, as the investigation unfolded, it became clear that the breach had compromised the personal information of over 14 million individuals across Australia and New Zealand.

The breach occurred when a cybercriminal gained access to Latitude’s systems using a stolen set of employee credentials. This unauthorized access allowed the attacker to exfiltrate a vast amount of sensitive customer data, including names, contact information, and identification details such as driver’s license and passport numbers. The breach was particularly alarming because much of the compromised data dated back to 2005, raising concerns about why such old records were still being stored beyond the mandatory retention period.

The Australian government responded by considering stronger measures, including expanding the powers of federal cyber agencies to intervene in private sector breaches. Latitude is currently under investigation for its handling of the breach, with questions being raised about its security practices and whether the company took sufficient steps to prevent such an attack.

In May 2024, MediSecure, a key player in Australia’s prescription delivery services, suffered a significant data breach that exposed the personal information of 12.9 million individuals. MediSecure, which was one of only two services facilitating the electronic and paper transmission of prescriptions from doctors to pharmacies, became the target of a ransomware attack that compromised a vast database containing sensitive patient data. The breached data included names, addresses, and health information tied to prescriptions filled before November 2023.

The attack had severe consequences, not only for the individuals whose health data was exposed but also for MediSecure as a company. In the aftermath of the breach, MediSecure was forced into administration, a process in which an external administrator takes over a financially distressed company in an attempt to restructure its operations and manage creditor repayments. The incident highlighted the critical vulnerabilities in healthcare IT systems and the devastating impact such breaches can have on both consumers and businesses.

The Australian government, along with various regulatory agencies, swiftly intervened to manage the fallout from the breach. Their response included efforts to mitigate the impact on affected individuals and to ensure that similar vulnerabilities are addressed in other healthcare systems.

The Optus data breach in September 2022 affected nearly 9.8 million customers – equivalent to almost 40% of the country's population. As the second-largest telecommunications provider in Australia, Optus became the target of a sophisticated cyber-attack, reportedly orchestrated by a state-sponsored group. The attackers accessed Optus' internal network and exfiltrated a vast array of sensitive personal information, including names, birth dates, addresses, and identification numbers such as passports, driver's licenses, and Medicare card IDs.

The breach was believed to have been facilitated through an unsecured API endpoint, which allowed the attackers to bypass authentication measures and gain direct access to the data. This vulnerability in Optus’ system raised serious questions about the adequacy of cybersecurity measures in place, especially for companies handling such large volumes of personal data.

Following the breach, the attackers published samples of the stolen data on online forums and demanded a ransom of A$1.5 million in cryptocurrency. However, under pressure from law enforcement and possibly fearing further repercussions, the hacker retracted the ransom demand just days later and claimed to have deleted the stolen data, issuing an apology on the same forum where the ransom was initially posted.

The Optus breach led to widespread criticism of Australia’s cyber security infrastructure and prompted a class-action lawsuit involving 1.2 million affected customers in April 2023.

In December 2022, Medibank, one of Australia's largest health insurance providers, was targeted in a major data breach that compromised the personal information of 9.7 million customers. The breach, which is believed to have been orchestrated by the notorious REvil ransomware group based in Russia, involved the theft of highly sensitive data, including medical records and claims information.

The incident came to light when REvil published 6GB of raw data samples on a dark web blog, accompanied by a demand for a $10 million ransom. The release of this data served as a grim warning, indicating that the attackers possessed a much larger trove of sensitive information. Despite the immense pressure, Medibank took a firm stand and refused to pay the ransom, a decision that was both praised and scrutinized by cyber security experts and the public alike.

Following Medibank’s refusal to meet the ransom demands, the stolen data was reportedly fully released on the dark web. However, to date, there have been no confirmed cases of identity theft or financial fraud directly linked to the breach. In response to the attack, Medibank urged its customers to remain vigilant, particularly with regards to credit checks and phishing attempts, while also committing substantial resources to bolster its cybersecurity defenses.

The breach has sparked multiple investigations, including a significant inquiry by the Office of the Australian Information Commissioner (OAIC) into Medibank’s data handling practices. If found negligent in its cybersecurity measures, Medibank could face severe penalties – as high as 21.5 trillion (!) dollars.

This breach has not only highlighted the risks associated with handling sensitive data in the healthcare sector but also underscored the potential consequences for organizations that fail to implement adequate cyber security protections.

In August 2024, Early Settler, a well-known Australian furniture and home goods retailer, experienced a significant data breach that exposed the personal information of 1.1 million customers.

The breach was detected after unauthorized access to Early Settlers' customer database was discovered, though the specific method of the breach has not been publicly disclosed. The company promptly notified affected customers and urged them to be vigilant against potential phishing attempts and other forms of identity fraud, which could result from the exposed information.

In response to the breach, Early Settlers committed to enhancing their cyber security measures to prevent future incidents and reassured customers that they were taking all necessary steps to secure their data.

In May 2024, Clubs NSW, the peak body representing registered clubs in New South Wales, Australia, suffered a data breach that compromised the personal information of approximately 1 million members. The breach involved unauthorized access to sensitive data, including full names, email addresses, membership details, phone numbers, and physical addresses.

The breach was a significant concern due to the exposure of membership information, which could be leveraged for phishing attacks, identity theft, and other malicious activities. Upon discovering the breach, Clubs NSW swiftly notified affected members and advised them to be cautious of suspicious communications that might exploit the compromised information.

The exact method of the attack has not been disclosed, but it highlights the vulnerabilities in organizations that handle large volumes of personal and membership data. This incident also drew attention to the need for enhanced cybersecurity practices within associations and membership-based organizations, which may not always prioritize data protection as rigorously as larger corporations.

In response to the breach, Clubs NSW took steps to strengthen its security infrastructure and collaborated with cyber security experts to prevent future incidents.

In July 2020, ProctorU, an online proctoring service widely used by remote students, was involved in a significant data breach that exposed the email addresses of 444,000 users. The breach was part of a larger data leak that affected 18 companies and compromised a staggering 386 million records in total.

Despite the severity of the breach, ProctorU reported that no financial information or other sensitive personal data was compromised. However, the exposure of email addresses, particularly those linked to prominent educational institutions, raised concerns about potential phishing attacks and other malicious activities targeting affected users.

This incident highlighted the vulnerabilities within online services that have become increasingly essential in the era of remote learning.

In February 2024, Tangerine Telecom, a popular Australian telecommunications provider, experienced a data breach that exposed the personal information of 232,000 customers. The compromised data included full names, dates of birth, mobile numbers, email addresses, postal addresses, and Tangerine account numbers. This breach raised significant concerns due to the detailed nature of the exposed information, which could be exploited for identity theft and targeted phishing attacks.

The breach was discovered when unauthorized access to Tangerine’s customer database was detected. Although the company acted quickly to contain the breach and notified affected customers, the incident highlighted vulnerabilities in the security measures of telecom companies, which handle large volumes of sensitive customer data.

Following the breach, Tangerine Telecom reassured customers that no financial information or passwords were compromised, but the exposed data was still sufficient to cause potential harm. The company urged its customers to be vigilant against suspicious communications and to monitor their accounts for any unusual activity.

In November 2018, the Australian National University (ANU) suffered a highly sophisticated cyber-attack that compromised the sensitive personal information of approximately 200,000 individuals. This breach, one of the most complex in Australian history, went undetected for nearly six months, allowing the attackers to access data dating back as far as 19 years.

The attackers used a series of four spear-phishing campaigns to infiltrate ANU's network. The initial breach occurred when a senior staff member unknowingly opened a malicious email, granting the attackers the credentials they needed to penetrate deeper into the university's systems. Once inside, the attackers gained access to ANU's Enterprise Systems Domain (ESD), where the university’s most sensitive records were stored, including personal details, tax file numbers, payroll information, and even student academic results.

The attackers demonstrated a high level of sophistication by meticulously covering their tracks. They immediately deleted access logs to erase any evidence of their activities and used Tor, a software designed to anonymize online activity, to obscure their location. This level of operational security significantly delayed the detection of the breach.

In a further attempt to expand their access, the attackers used the compromised email account of the staff member to send out a second round of phishing emails, inviting other senior university members to a fake event. This expanded the scope of the attack and increased the potential damage.

Despite the severity of the breach, there has been no confirmed evidence that the stolen data was exploited. However, the incident prompted ANU to invest millions of dollars in upgrading its cybersecurity infrastructure to prevent future breaches.

In April 2020, Service NSW, the New South Wales government agency responsible for delivering various services to residents, experienced a significant data breach that exposed the personal information of 104,000 individuals. The breach was initiated through a series of phishing attacks that successfully compromised 47 staff email accounts. The attackers gained access to approximately 5 million documents, 10% of which contained sensitive personal data.

The breach was particularly concerning due to the sheer volume of data accessed and the sensitive nature of the information involved. The compromised data likely included personal details such as names, addresses, contact information, and possibly other critical identification information, although specific types of data exposed were not fully disclosed.

A major contributing factor to the success of the breach was the absence of multi-factor authentication (MFA) on the compromised accounts. Without this additional layer of security, the attackers were able to easily gain and maintain access to the email accounts, moving laterally through the network to harvest large quantities of sensitive data.

In response to the breach, Service NSW undertook a comprehensive review of its security practices and began implementing stronger security measures, including the rollout of MFA across its systems.

In June 2024, Hey You, a popular Australian food and beverage ordering app, experienced a data breach that exposed the personal information of approximately 100,000 customers. The breach compromised sensitive customer data, including full names, email addresses, phone numbers, delivery addresses, and order history. This data exposure posed significant risks, particularly in terms of potential identity theft and phishing attacks.

The breach was discovered when unauthorized access to Hey You's database was detected. While Hey You assured customers that no payment or financial information was compromised, the breach still underscored the importance of securing even seemingly less critical data. Information such as order history and delivery addresses, when combined with other personal data, can be used by cybercriminals for various malicious purposes.

In response to the breach, Hey You implemented additional security measures to prevent future incidents and worked closely with cyber security experts to strengthen their data protection protocols. The company also advised customers to be cautious of any unusual communications and to monitor their accounts for signs of unauthorized activity.

In April 2024, Telstra, one of Australia's largest telecommunications providers, disclosed a data breach that exposed the personal information of approximately 47,000 customers. The compromised data included names, email addresses, and phone numbers. The breach became public when a dataset containing this information was posted on a hacking forum, raising concerns about the potential misuse of the exposed data.

Although the dataset reportedly included a significant amount of dummy data, the exposure of real customer information still posed serious risks, particularly regarding identity theft and targeted phishing scams. While Telstra clarified that the breach did not result from a direct cyber-attack on their systems, the incident highlighted the ongoing challenges in protecting customer data from unauthorized access and distribution.

In response to the breach, Telstra took steps to assess the scope of the exposure and worked to reassure customers that more sensitive information, such as financial details, was not compromised.

Moreover, Telstra introduced passkeys as phishing-resistant MFA for consumers.

In May 2024, Sumo, an Australian energy and telecommunications provider, experienced a data breach that compromised the personal information of approximately 40,000 customers. The breach involved unauthorized access to sensitive customer data, including full names, email addresses, phone numbers, billing addresses, and account details. This information could potentially be exploited for identity theft, phishing schemes, and other malicious activities.

The breach was discovered when unusual activity was detected within Sumo's systems, prompting an immediate investigation. Although financial information such as credit card details was not reported to be part of the compromised data, the exposed information was still sufficient to put affected customers at risk. Sumo advised its customers to remain vigilant, especially regarding unexpected communications, and to monitor their accounts for any unusual activity.

In response to the breach, Sumo implemented enhanced security measures and worked closely with cyber security experts to strengthen their defenses against future attacks.

We’ve seen that many business have been breached and that almost every Australian’s data is probably part of one of the breaches. Let’s focus now on the threat that results from such a data breach even if the breached organization immediately changes all passwords. The number one concern is probably credential stuffing.

Credential stuffing is a type of cyber-attack where hackers use automated tools to try large volumes of username and password combinations, often sourced from previous data breaches, to gain unauthorized access to user accounts. Unlike brute force attacks that try random combinations, credential stuffing relies on the fact that many people reuse passwords across multiple sites. This makes it easier for attackers to breach accounts by using login credentials that were compromised in one breach to target accounts on other platforms.

Taken from Notifiable Data Breaches Report July to December 2023

Data breaches are the primary fuel for credential stuffing attacks. When a company’s database is compromised, the stolen credentials – often including usernames, email addresses, and passwords - can be sold or shared on dark web forums. Cybercriminals then use these credentials to launch credential stuffing attacks against other services, knowing that a significant percentage of users reuse passwords across different sites.

For example, if a user’s email and password were exposed in a breach at a social media site, attackers might use the same credentials to try to access the user’s banking, shopping, or email accounts. This can lead to significant financial loss, identity theft, and unauthorized access to sensitive information, even for companies that were not directly breached.

Even if your company has not experienced a data breach, you’re still at risk for breaches caused by credential stuffing. Attackers using credentials from other breaches can target your user accounts, potentially gaining access to sensitive data, making fraudulent transactions, or compromising your systems. This not only poses a security threat but also damages your brand reputation and can lead to financial losses from fraud and customer churn.

Under Australia’s Notifiable Data Breaches scheme, companies must notify individuals if their data has been compromised. However, the implications of credential stuffing extend beyond just notifying users. Companies need to be proactive in preventing these attacks by implementing stronger security measures, such as multi-factor authentication (MFA), monitoring for suspicious login attempts, and using tools that detect compromised credentials before they can be exploited.

For individuals, tools like Have I Been Pwned allow users to check if their email addresses have been involved in any data breaches, helping them take steps to protect themselves. Companies can use similar resources, such as HudsonRock, which allows businesses to check if their domain is associated with breached accounts, providing early warning signs of potential credential stuffing attacks.

Australia holds the unfortunate distinction of having one of the highest rates of data breaches per capita globally. The analysis of recent breaches, as outlined above, reveals that even some of the nation's largest and most trusted organizations have fallen victim to cyber-attacks. This widespread exposure of sensitive data significantly increases the risk of credential stuffing attacks, particularly for users who habitually reuse passwords across multiple platforms.

Given the large-scale breaches at major institutions, including telecommunications providers, financial services, and educational bodies, it’s highly likely that a vast number of Australian credentials are circulating on the dark web. These compromised credentials can be exploited by cybercriminals to gain unauthorized access to various accounts, posing a severe threat to both individuals and businesses.

Additionally, Australia’s advanced e-government infrastructure, which enables citizens to interact with government services online, has become an attractive target for attackers. The high degree of digitization within government platforms makes them a prime focus for credential stuffing attacks, further emphasizing the need for robust cybersecurity measures across all sectors in Australia.

Passkeys are a great solution to the vulnerabilities that often lead to data breaches and credential stuffing. They use a combination of a private key stored on the user's device and a public key stored on the server. Even if a hacker obtains a user’s public key or compromises the server, they cannot log in without the corresponding private key, which is stored securely on the user's device (in the TPM or secure enclave).

Passkeys also effectively prevent credential stuffing attacks. Since passkeys don’t involve passwords that can be reused across multiple sites, the entire premise of credential stuffing is rendered obsolete. Even if a hacker acquires login information from another breached site, it cannot be used to access a passkey-secured account. This is particularly crucial in a country like Australia, where the high rate of data breaches means a large pool of potentially compromised credentials is available on the dark web.

Let’s have a look how a passkey rollout to prevent data breaches and credential stuffing could look like. Therefore, we recommend to work in four phases.

1. Phase: Introduce passkeys

   In the initial phase, you integrate passkeys into your product and offer passkey creation proactively in the account settings and if users have successfully logged in with traditional login methods (see also automatic passkey upgrades).

2. Phase: Make your users use passkeys as primary authentication method

   Apply a passkey-first thinking that encourages the usage of passkeys for logins as often as possible and as the primary authentication method. Traditional authentication is still offered but not actively promoted.

3. Phase: Provide other authentication options only for fallback & recovery of passkeys
   Only on devices that are not passkey-ready, if there is no passkey available or the user cancels the passkey login process, you can use an existing authentication method.

4. Phase: Improve overall security by removing passwords from your system
   If you have a sufficiently high passkey adoption rate, you can start to remove the passwords in order to further improve the security and make leaked credentials

As Australia faces an increasing number of data breaches, the threat of credential stuffing has become a significant concern for organizations and individuals alike. The widespread exposure of sensitive information across various sectors highlights the urgent need for stronger cybersecurity measures. Passkeys, with their advanced security features, offer a promising solution to these challenges, effectively mitigating the risks associated with traditional password-based systems. By embracing innovative technologies like passkeys, Australia can strengthen its defenses against cyber threats and protect the digital identities of its citizens and businesses. As we move forward, it’s crucial for both organizations and individuals to stay vigilant and adopt best practices to secure their data in an ever-evolving digital landscape.