Data breaches in Australia are becoming “unfortunately regular”, particularly in industries like finance and healthcare. To fight against these cyber attacks, the Australian government has revised its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
However, government policies will never put an end to these attacks. These initiatives are not designed to work by themselves. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the security baseline. Consequently, it becomes the responsibility of companies to ensure cyber readiness in terms of knowledge, standards, and the effectiveness of the cybersecurity strategies they adopt.
Data breaches are among the most common types of cyber incidents worldwide and in Australia.
Let’s understand data breaches more straightforwardly. Imagine an empty box under the sofa in your living room. Last week, I came up with a new computer device. Right now, it is nothing more than a box. But if we fill the box with the names, email addresses, bank account details, passwords, and other sensitive details of my family members, it is not a valueless box anymore.
Anyone with two specific things, a malicious intention and the ability to use this data against my interest, can manipulate, misuse, misinterpret, and eventually steal the data. So, what was the main change that turned the innocent box into a tool that can be manipulated and used against the box’s owner? Is it the colour? The way it is built? The way it was kept? Or simply just the information inside it?
The majority of us would agree on the last option: the information. In the cyber world, information is more than a person, an enterprise, or any other cyber entity; whoever has the information has the power.
Now, it becomes easy to say that data is the most valuable thing in cyber systems. It can destroy strategies, manipulate the market, and cause destruction even at the state level. A data breach occurs when confidential or sensitive information is accessed or disclosed without authorisation, or is lost.
Anyone with basic knowledge about data breaches can play a constructive role in cybersecurity by pointing out vulnerabilities in a cyber system, calling for professional help to mitigate them, and responding effectively to cyber attack situations. The first step in this process is knowing about the nature of data breaches that have already occurred. So let’s dive into it.
1. Canva
In May 2019, Australian tech unicorn Canva suffered a massive data breach that impacted approximately 137 million users, more than double its current 55 million active monthly users. The breach was carried out by a cybercriminal known as “GnosticPlayers,” who infiltrated Canva’s systems and accessed sensitive user data, including usernames, real names, email addresses, country information, encrypted passwords, and partial payment data. Although Canva detected the malicious activity and intervened, the response came too late to prevent data exposure. In a rare move, the hacker contacted ZDNet directly to boast about the attack, rather than resorting to dark web forums where such breaches are typically flaunted. In response, Canva promptly alerted affected users whose passwords had been decrypted to change them, and reset all accounts that hadn’t updated their passwords in the previous six months.
2. Latitude
In March 2023, Latitude, an Aussie financial services provider, suffered a major data breach that ended up affecting over 14 million people across Australia and New Zealand. It started with a stolen set of employee credentials, which gave hackers access to personal info like names, addresses, emails, phone numbers, and even driver’s licence and passport numbers. Much of the data dated back to 2005, raising eyebrows over why it was still being stored. The breach led to government discussions about stronger intervention powers and has put Latitude under investigation, with a class-action lawsuit also in the works.
3. Optus
In September 2022, Optus, Australia’s second-largest telco, was hit by one of the biggest data breaches in the country’s history, affecting 9.8 million customers, nearly 40% of the population. Hackers, believed to be state-sponsored, accessed sensitive data including names, birth dates, addresses, phone numbers, passport details, driver’s licences, Medicare numbers, and more.
The breach reportedly happened through an exposed API that didn’t require authentication. Days later, a ransom of A$1.5 million in crypto was demanded, but the hacker backed down under pressure and claimed to have deleted the data. The breach sparked intense backlash, with criticism of outdated cybersecurity laws and corporate negligence. By April 2023, Optus faced a class-action lawsuit involving 1.2 million customers, and the government openly acknowledged that Australia had fallen behind in digital security.
4. Medibank
Medibank, one of Australia’s biggest health insurers, suffered a massive data breach in December 2022 that exposed the personal information of 9.7 million people. The attack was linked to the Russian ransomware group REvil, which leaked 6GB of data samples on the dark web and demanded a $10 million ransom. The stolen data included names, birthdates, passport numbers, and even sensitive medical records and claims information.
Medibank refused to pay, and although the full dataset is believed to have been released, there have been no confirmed cases of identity or financial fraud. The company urged customers to stay alert for scams and invested heavily in cybersecurity upgrades. Meanwhile, the breach triggered a formal investigation by Australia’s privacy watchdog, and Medibank now faces the possibility of a $50 million fine and a looming class-action lawsuit.
5. ProctorU
In July 2020, ProctorU, a remote exam proctoring service, experienced a data breach that exposed the personal details of around 444,000 users. The leaked data, which was posted for free on a dark web forum, was part of a larger breach affecting 18 companies and over 386 million records. Among the exposed information were student and staff email addresses from major Australian universities like the University of Sydney, Melbourne, and Queensland, as well as top U.S. institutions like Harvard, Yale, and Princeton. While no financial data was compromised, the breach raised serious concerns about data security in remote education platforms.
Rolling it Up
These five major data breaches underline a hard truth: no industry is immune to cybersecurity risks. Whether it’s finance, healthcare, education, or tech, the common thread is the mishandling or underestimation of just how valuable data is. These incidents didn’t just compromise sensitive information; they exposed deeper issues like poor data retention practices, outdated security protocols, and weak crisis management.
And while government frameworks and policies are improving, they can only go so far. Real cybersecurity resilience starts at the organisational level, with proactive investment in infrastructure, employee training, and a culture that treats data like the asset it truly is. If there’s one lesson these breaches have taught us, it’s this: in the digital world, information is power, and protecting it is everyone’s responsibility.