In recent years, Australia has seen a dramatic rise in large-scale data breaches, exposing the personal information of millions of individuals. The latest findings from the StickmanCyber Report on Data Breaches in Australia, based on over 6,000 Notifiable Data Breach (NDB) reports submitted to the Office of the Australian Information Commissioner (OAIC) since 2018, reveal a concerning trend: breaches affecting over one million people have doubled in just five years.
While data breaches are nothing new, the scale and frequency of these incidents are increasing at an alarming rate. In 2019 and 2020, there were only four breaches per year affecting one million or more individuals. By 2023, that number had risen to ten. Additionally, breaches impacting 10,000 or more individuals have surged, further demonstrating how cybercriminals are targeting large datasets with greater precision.
One of the most worrying aspects of these mega breaches is how long they remain undetected.
The report highlights that nearly a third (28%) of breaches affecting over one million individuals went unnoticed for 30 days or longer. Some organizations even failed to provide an identification date in their reports, raising serious concerns about their incident response capabilities.
A key insight from the report is that compromised credentials are the leading cause of mega breaches. Unlike smaller breaches that may result from malware or phishing attacks, large-scale breaches tend to originate from stolen or leaked credentials.
Shockingly, in nearly half of all mega breaches, the exact method used to steal these credentials remains “unknown,” suggesting that organizations lack robust investigative capabilities or transparency in their reporting.
The report also raises concerns about systemic underreporting, particularly in the private sector. We estimate that approximately 200,000 organisations are required to report notifiable data breaches to the OAIC. This includes any business in Australia with a turnover of $3m or more, as well as any organisation that routinely collects sensitive data, e.g. hospitals, retailers and marketing agencies.
Yet an average of just 900 reports are submitted each year — a third of which come from the finance and healthcare sectors alone. We estimate that just 0.04% of large businesses submitted reports to the OAIC last year. This figure feels incredibly low when you consider a recent survey that found that 41% of businesses experienced a breach in 2023.
The rise in mega breaches has severe consequences for both businesses and individuals. For businesses, these breaches result in financial losses, regulatory fines, and reputational damage. More importantly, they erode consumer trust. When organizations fail to protect sensitive data, customers lose confidence in their ability to safeguard personal information.
For consumers, the risks are even greater. Stolen personal data can be used for identity theft, financial fraud, and other malicious activities. In many cases, victims are unaware that their information has been compromised until long after the breach has occurred.
To combat this growing threat, Australian businesses must take a proactive approach to cybersecurity. Some key steps include:
The rise of mega data breaches in Australia is a wake-up call for businesses, government agencies, and consumers. Cybercriminals are increasingly targeting large organizations, and many of these breaches go undetected or unreported for extended periods. Without immediate and proactive measures, these incidents will continue to rise, putting more individuals at risk.
Organizations must recognize that compliance alone does not equate to security. A strong cybersecurity posture requires continuous monitoring, better response strategies, and a commitment to transparency. Only by taking these steps can Australia begin to curb the growing threat of mega data breaches and protect the personal data of its citizens.