13 Critical Data Breach Stats for Australian Businesses in 2021

Edward Kost
updated Oct 21, 2021

If you're an Australian business reading this, there's a 30% chance you will suffer a data breach.

Such cutthroat statistics, as uncomfortable as they are to read, are important to be aware of if you want to avoid becoming one of them.

To help you achieve a data-driven approach to cybersecurity, we've aggregated some of the most critical data breach stats for Australian businesses. This list also includes global data breach statistics that could be a window into how Australia's threat landscape may change in the future.

What is the Average Cost of a Data Breach in Australia?

The average cost of a data breach in Australia is $3.35 million per breach, an increase of 9.8% year on year. This amount is about $2 million less than the global average of $5.39 million (about US$3.86 million) in 2020.

The graph below demonstrates the fluctuations of the global average between 2015 and 2020.

average cost of a data breach

The financial repercussions of a data breach have been found to last several years. For highly regulated industries, such as healthcare and financial services, 53% of data breach costs were incurred during the second and third years following a data breach event.

average distribution of data breach costs for highly regulated industries

Between 2014 and 2020, the average total data breach cost increased by 10%. This steep trend is likely caused by an increase in both the sophistication and volume of cyberattacks. There are other contributing factors to data breach cost, which are discussed further along in this article.

According to the Cost of a Data Breach Report 2020 by IBM and the Ponemon Institute, Australia was ranked 13th out of 18 countries sorted by total data breach cost.

average cost of a data breach by region

Though the security posture of the average Australian business is far from perfect, the country's data breach cost is significantly lower than the global average. This demonstrates promising cyber threat resilience potential that should be leveraged with a cybersecurity strategy.

Globally, the average data breach cost has risen across the energy, healthcare, and retail sectors.

percentage change in average total data breach cost by industry

Data breaches involving the compromise of over 50 million records cost an average of US$392 million. Such mega-breaches happen a lot more often than you might think.

Why Do Data Breaches Cost So Much?

Regulatory fines contribute the most to data breach costs. As an example, the University of Texas cancer center suffered a data breach compromising the personal information of 33,500 patients.

The medical center did not encrypt its patient data, and therefore, did not comply with the Health Insurance Portability and Accountability Act, which resulted in a $4.3 million fine.

Other factors include legal costs and hiring security staff to remediate data breach damage.

There are also indirect costs such as customer churn when customers dissociate themselves from compromised vendors to prevent reputational damage.

Costs linked to customer turnover after a breach rose from $1.42 million in 2019 to $1.52 million in 2020.

lost business cost due to data breach

Stock prices could also plummet, especially if credit card data is compromised in a breach.

Slow response time will further add to data breach costs. So a strategy for reducing data breach costs is to simply respond to data breaches faster.

Victims that respond to data breaches in under 200 days spend an average of $1.1 million less on data breach damages.

Complying with cybercriminal demands could also hike up data breach costs. According to the State of Ransomware 2020 report by Sophos, ransomware attack remediation efforts on average cost US$732,500 when a ransom is not paid, and US$1,448,458 when a ransom is paid. That's double the cost of not paying a ransom.

ransomware attack remediation costs

This startling statistic supports the FBI's strong recommendation of not paying cybercrime ransoms.

Average Data Breach Response Time for Australian Businesses

According to the 2021 Verizon Data Breach Investigations Report, a hacker can exfiltrate an entire customer database in a matter of hours. On average, it takes 200 days for Australian organisations to identify a data breach - that's over 6 months.

This means, on average, cybercriminals exfiltrate a victim's entire database and then keep monitoring internal activity for half a year before their presence is finally discovered.

This demonstrates a concerning lack of attack surface transparency amongst Australian businesses. Such organizations definitely don't stand a chance against complex breaches involving access log obfuscation tactics to avoid detection.

Many poorly secured organizations have already suffered a data breach by such highly sophisticated threat actors and never detected it.

"The more time an attacker has within an environment the more access they can get to different devices, different pieces of data, different accounts."
- Wendi Whitmore, director of X-Force Threat Intelligence at IBM

The data breaches that are detected are usually discovered through the following channels:

  • Breach statements from compromised third parties
  • Notifications from monitoring services
  • Dark web victory posts by threat actors responsible for the attack

Most Common Types of Data Breaches

Customer information is the most coveted category of sensitive data amongst cybercriminals. On average, 80% of data breaches involved customer Personally Identifiable Information (PII).

The average cost per record of customer PII is $175.

top categories of compromised records in a data breach

Customer data is popular because it usually includes financial information, or at least a portion of it that could be enough for an intelligent hacker to uncover the rest.

Customer PII can also offer compounding financial returns for cybercriminals, who target each customer with phishing attacks and then target the new victims discovered in each attack campaign.

Are Cyberattacks On The Rise?

2020 was a particularly disastrous year for cybersecurity as cybercriminals capitalized on a world distracted by the shock of a pandemic.

The trends below demonstrate the surge in cyberattacks between 2019 and 2020.

IoT attack trends
percentage of victims on name and shame website

next generation supply chain attack trends

Cyberattack data for 2021 is still being harvested, but so far, here's a summary of the findings.

  • Publicly reported U.S. data compromises increased by 12% between Q4 2020 and Q1 2021.
  • Number of individuals impacted by data breaches increased by 564% between Q4 2020 (8 million) and Q1 2021 (51 million).
  • Compared to 2019, malware attacks increased by 358%, and ransomware attacks increased by 435%.
  • Google recognized over 2 million phishing sites as of January 2021.

Because cyberattacks are on the rise, the probability of businesses suffering a data breach is increasing.

Probability of a supply chain attack

Are Cyberattacks in Australia On the Rise?

Since the Australian parliament introduced the Notifiable Data Breach (NDB) scheme in 2018, data breach reports have risen by a shocking 712%.

data breach reporting events australia

According to the Australian Cyber Security Center (ACSC), on average, 164 cybercrime reports are made by Australians every day - that's about 1 report every 10 minutes.

Between 1 April 2018 and 31 March 2019 the Office of the Australian Information Commissioner (OAIC) received almost 1000 data breach notifications.

In comparison, between July 1, 2019, and June 30, 2020, the ACSC received almost 60,000 cyberattack reports and responded to almost 2,300 cyberattack incidents.

Michele Bullock, Assistant Governor for the Royal Bank of Australia, says that cyberattacks targeting Australian financial systems are on the rise, and they're getting increasingly sophisticated.

"Cyber-attacks are becoming more organised and sophisticated."
- Michele Bullock, Assistant Governor for the Royal Bank of Australia

Fraud attacks, such as phishing campaigns, are one of the most common types of cyberattacks in Australia, but ransomware attacks are following close behind.

"This year we've seen ransomware attacks on reasonably large businesses, as well as small businesses, which can cripple a business while they try and work out how to keep their businesses going,"
- Abigail Bradshaw, Head of the ACSC

Between 1 April 2018 and 31 March 2019, the Healthcare sector reported the highest number of data breaches to the OAIC, followed by Finance, Legal, Education, and Personal Services.

data breach events for different australian industries

Do Australian Businesses Need to Report Data Breaches?

In 2018, the Australian government mandated the Notifiable Data Breach (NDB) scheme, which requires all business entities with an annual turnover of more than $3 million to report data breach events to both impacted individuals and the OAIC.

NDB scheme compliance is also mandatory for the following entities:

  • Health service providers
  • Credit reporting bodies
  • Credit providers that process credit eligibility information
  • Tax File Number (TFN) recipients
  • All entities regulated under the Privacy Act 1988

Failure to comply with the NDB scheme breaches the Privacy Act, which could result in enforcement action.

How to Protect Your Business Against Data Breaches

Data breach prevention controls will remove the devastating financial impacts of data breaches. The financial benefits compound if the right data protection strategies are implemented.

The Australian Signals Directorate (ASD) recommends all Australian businesses implement the Essential Eight framework to raise their baseline of cybersecurity. But this is a minimal security best practice. In addition to this, security solutions should be implemented to further reduce the chances of a data breach.

Your choice of solutions should depend upon the findings of reputable studies. Let's summarise some of the key findings of such studies:

  • According to a study by the Ponemon Institute, some of the most profitable cybersecurity investments include an incident response plan and security posture strengthening solutions.
  • IBM found that cybersecurity automation solutions, powered by Machine Learning and Artificial Intelligence, help organizations respond over 27% faster to data breach events.
  • The OAIC discovered that 38% of all data breach notifications received via the NDB scheme were caused by human errors.
  • The most common type of compromised data is customer Personally Identifiable Information (PII).
  • The most common type of cyber threat is phishing attacks.
  • In Australia, the healthcare and finance sectors suffer the highest number of cyber attacks.

The problem of human error acting as a prominent attack vector can be readily solved with education. Staff need to be taught how to identify common cyber threats and how to correctly respond to them.

Each of the following items links to an article that can be used for cyber threat awareness training in the workplace:

To comply with the Ponemon Institute's findings, this article describes the key components of a profitable Incident Response Plan (IRP).

UpGuard offers a suite of products to help Australian businesses capitalize on the cybersecurity foundation established by the Essential Eight framework, and other security frameworks.

  • BreachSight - BreachSight is a complete attack surface management solution that discovers internal security vulnerabilities. This solution is ideal for protecting customer data since it's the most coveted category of sensitive data by cybercriminals.
  • VendorRisk - VendorRisk extends vulnerability detection to the entire vendor network to maintain protection during digital transformation. This solution also helps prevent third-party breaches and supply chain attacks, which is especially important for highly regulated industries such as finance and healthcare.
  • CyberResearch - CyberResearch combines Artificial Intelligence and expert analysts to help Australian businesses detect data leaks both internally and throughout the vendor network. Remediating vendor data leaks before they're discovered by cybercriminals prevents third-party breaches - which account for almost 60% of all data breaches.

    CyberResearch also helps businesses efficiently scale their Third-party Risk Management programs by offering a team of expert analysts to manage vendor security.

UpGuard Helps Australian Businesses Prevent Data Breaches

UpGuard empowers Australian companies like Aware Super, HBF Health, Red Energy, IAG, and even the NSW Government to secure their sensitive resources and prevent data breaches.
