Data breaches in Australia are on the rise, particularly in the financial and healthcare industries. In an effort to disrupt this pernicious trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
But Australian businesses cannot solely rely on the government's cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It's up to each individual business to continue lifting this standard with additional data breach prevention controls.
To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we've compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact. If you're interested in a global perspective, you can also review the biggest data breaches worldwide.
1. Canva Data Breach
Date: May 2019
Impact: 137 million users
Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million active monthly users.
A cybercriminal identified as Gnosticplayers breached Canva's defences, but Canva stopped the attack when it detected malicious activity in its systems.
Unfortunately, this interception did not happen soon enough. The threat actor had time to access the following user data:
- User names
- Real names
- Email addresses
- Country data
- Encrypted passwords
- Partial payment data
After the cyberattack, Gnosticplayers contacted ZDNet to brag about the successful data breach. This is unusual behavior for cybercriminals, who usually gloat about their cybercrimes on dark web forums.
2. Optus Data Breach
Date: September 2022
Impact: 9.8 million customers
Cybercriminals believed to be working for a state-sponsored operation breached Optus' internal network, compromising personal information impacting up to 9.8 million customers. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017.
Personal information in this compromised data set includes:
- Birth dates
- Phone numbers
- Passports and driver's license numbers (in some cases)
It’s speculated that the criminal group gained access through an unauthenticated API endpoint, meaning a username/password or any other authentication method wasn't required to connect to the API.
If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack - a style of attack favoured by such well-financed hacker groups for its high success rates and significant dividends.
Investigations are still underway, and Optus has yet to confirm whether it received a ransomware note from the cybercriminals.
At this point, it isn’t clear whether this breach constitutes a violation of Australian privacy principles. To prevent such a costly conclusion, Optus needs to demonstrate that it took active measures to ensure the protection of all customer data from data breach attempts - a decision for the privacy commissioner to make.
3. ProctorU Data Breach
Date: July 2020
Impact: 444,000 people
Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 different companies and exposing a total of 386 million records.
The compromised database of 444,000 records included user records with email addresses belonging to:
- The University of Sydney
- The University of New South Wales
- The University of Melbourne
- The University of Queensland
- The University of Tasmania
- James Cook University
- Swinburne University of Technology
- The University of Western Australia
- Curtin University
- The University of Adelaide
How many of the 444,000 records relate to Australian universities is unknown.
ProctorU said that no financial information was compromised in the breach.
4. Australian National University (ANU) Data Breach
Date: November 2018
Impact: 200,000 students
The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that shocked even the most experienced Australian security experts.
Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:
- Phone numbers
- Dates of birth
- Emergency contact details
- Tax file numbers
- Payroll information
- Bank account details
- Student academic results
The attackers deployed four spear-phishing campaigns to harvest network access credentials from staff. Each successful phishing attack granted them deeper levels of access until the University's Enterprise Systems Domain (ESD) was breached.
This is where the University's most sensitive records were stored.
The attackers worked meticulously to cover their tracks. They instantly deleted access logs and used the anonymity software Tor to obfuscate their location details.
ANU finally discovered the attack in April 2019.
5. Eastern Health Data Breach
Date: March 2021
Impact: 4 hospitals
Eastern Health, an operator of 4 Melbourne hospitals, fell victim to a cyberattack causing certain elective surgeries to be postponed.
The nature of the cyber attack is unknown, but it's suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are growing.
Eastern Health assured the public that no patient data was compromised in the attack.
6. Service NSW Data Breach
Date: April 2020
Impact: 104,000 people
47 Service NSW staff email accounts were hacked through a series of phishing attacks. This led to 5 million documents being accessed, 10 percent of which contained sensitive data impacting 104,000 people.
A major contributing factor to the seamless breach was the lack of multi-factor authentication.
7. Melbourne Heart Group Data Breach
Date: February 2019
Impact: 15,000 patients
Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage unless a ransom price is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.
Melbourne Heart Group was locked out of its compromised data for almost 3 weeks.
A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in possession of the cybercriminals.
But such a claim assumes ransomware criminals are true to their promise that damages will be completely reversed if demands are obeyed.
Melbourne Heart Group, reportedly, paid the bitcoin ransom.
Most of the encrypted files were restored, but not all of them.
8. Australian Parliament House Data Breach
Date: February 2019
Impact: Multiple political party networks - Liberal, Labor, and the Nationals.
Australian Parliament House networks were breached by a nation-state criminal group. It's speculated that China was responsible for the attack, as a response to Scott Morrison banning Huawei and ZTE equipment from Australia's 5G network.
The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD) Mike Burgess, none of it was classified as sensitive.
"There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves," Mike said at the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.
The cybercriminals used phishing methods to steal employee credentials and gain entry into the government's network. This precursor attack took place on an infected external website that a small number of parliament staff visited.
9. Tasmanian Ambulance Data Breach
Date: January 2021
Impact: Every resident that requested an ambulance between Nov 2020 and Jan 2021.
At the time of the breach, the Tasmanian ambulance was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text, and posted the stolen data online.
The breached data included the following patient information:
- HIV status
- Address of each emergency incident.
The website exposing the compromised data has since been taken offline.
10. Northern Territory Government Data Breach
Date: February 2021
Impact: 4400 emails
Personal and business emails across thousands of territories have been leaked following a breach of the Northern Territory's COVID-19 check-in app.
When the app was introduced, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.
According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.
11. Western Australian Parliament Data Breach
Date: March 2021
Western Australia parliament's mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. This incident was part of a global cyberattack frenzy exploiting the zero-day vulnerability before Microsoft responded with a patch release.
WA's Executive Manager of Parliamentary Services Rob Hunter said that a forensic audit found no evidence of a data breach. As soon as security teams became aware of the malicious intrusion, they immediately disconnected the targeted email server.
But it's uncertain whether this consolation is true. The lack of transparency into the event is concerning.
The Australian Cyber Security Centre (ACSC) declined to comment about the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.
If the nation-state criminals were as sophisticated as the Prime Minister described them, they may have had enough time to clandestinely exfiltrate some sensitive data, even during such a brief visit.
UpGuard Helps Australian Businesses Prevent Data Breaches
UpGuard helps Australian businesses prevent data breaches by discovering vulnerabilities and data leaks exposing sensitive resources. This detection and remediation capability extends to the entire third-party vendor network.