Data breaches in Australia are on the rise, particularly in the financial and healthcare industries. In an effort to disrupt this trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
But Australian businesses cannot solely rely on the government's cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It's up to each individual business to continue lifting this standard with additional data breach prevention controls.
To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we've compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact.
If you're interested in a global perspective, you can also read our blog on the biggest data breaches globally.
13 Biggest Data Cyber Security Breaches in Australia
1. Canva
Date: May 2019
Impact: 137 million users
Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million active monthly users.
A cybercriminal using the handle GnosticPlayers breached Canva's defences and was cut off once Canva detected malicious activity in its systems. Unfortunately, the interception did not happen soon enough: the threat actor had already accessed the following user data:
Usernames
Real names
Email addresses
Country data
Password hashes (Canva reported they were salted and hashed with bcrypt, not stored in plaintext)
Partial payment data
After the attack, GnosticPlayers contacted ZDNet to boast about the breach. This is unusual: cybercriminals generally gloat about their exploits on dark web forums rather than approaching the press.
Canva notified the accounts whose password hashes had later been cracked and told them to change their passwords, and forced a reset on every account whose password had not been changed in the six months since the breach.
2. Latitude
Date: March 2023
Impact: 14 million customers
Latitude, the Australian personal loan and financial service provider, was affected by a data breach that impacted over 14 million people from Australia and New Zealand. Although the initial disclosure stated that only 328,000 individual customers were affected, that number quickly grew to 14 million after further investigation.
The Latitude breach was one of Australia’s largest breaches in recent history and follows a recent string of large-scale attacks (Optus and Medibank).
The attack occurred when one set of employee credentials was stolen, allowing access to Latitude’s customer data, mainly consisting of:
Full names
Physical addresses
Email addresses
Phone numbers
Dates of birth
Driver’s license numbers
Passport numbers
Much of the information was data stored from 2005, which drew questions on why companies continue to store customer records beyond the required seven-year timeframe. The government also considered extending the reach of federal cyber agencies to intervene in the case private companies come under attack.
Latitude is currently under investigation over its handling of the incident and whether it had adequate controls to prevent the attack. The company also faces a class action.
3. Optus
Date: September 2022
Impact: 9.8 million customers
The Optus data breach was one of the biggest security breaches in Australian history. Because Optus is the second-largest telecommunications company in Australia, the incident raised questions about Australian data security policy and how companies comply with it.
Attackers, initially believed to be working for a state-sponsored operation, breached Optus' internal network and compromised personal information belonging to up to 9.8 million customers, almost 40% of the population. According to Optus CEO Kelly Bayer Rosmarin, the oldest records in the compromised database dated as far back as 2017.
Personal data included in this compromised data set includes:
Names
Birth dates
Addresses
Phone numbers
Passport information
Driver's license numbers
Government ID numbers
Medical records & Medicare card ID numbers
It is widely reported that the attacker gained access through an unauthenticated API endpoint: the API could be called without a username and password or any other credential, and records could be pulled from it. Bayer Rosmarin described it as an extremely sophisticated attack that circumvented the company's strong cyber defences, a characterisation that was publicly disputed at the time.
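To make the weakness concrete, the following added example (not Optus code, and not a reconstruction of their system) models an internet-facing customer lookup endpoint that requires no credentials and uses guessable sequential IDs, beside a hardened handler, and adds a small detector that flags ID enumeration in access logs. The record table, session store, endpoint path, log format and IP addresses are all constructed for the example.

```python
# Added example, not Optus code. Shows the unauthenticated, enumerable lookup
# pattern described above next to a hardened version, plus a detector that
# flags a client walking the ID space. All names and data are constructed.
import re
from collections import defaultdict

# Constructed customer table keyed by a sequential integer ID.
CUSTOMERS = {
    1001: {"name": "A. Example", "dob": "1980-01-01", "passport": "PA1234567"},
    1002: {"name": "B. Example", "dob": "1975-06-30", "passport": "PB7654321"},
    1003: {"name": "C. Example", "dob": "1990-12-12", "passport": "PC1111111"},
}

# Hypothetical session store: opaque bearer token -> authenticated customer ID.
SESSIONS = {"tok-9f2c": 1002}

PATH_RE = re.compile(r"^/api/customers/(\d+)$")


def lookup_vulnerable(request):
    """Vulnerable pattern: any caller can fetch any record by guessing the ID."""
    match = PATH_RE.match(request["path"])
    if not match:
        return 404, None
    record = CUSTOMERS.get(int(match.group(1)))
    return (200, record) if record else (404, None)


def lookup_hardened(request):
    """Hardened pattern: authenticate first, bind the lookup to the caller's
    own record so the ID in the URL cannot widen access, and return only the
    fields this endpoint actually needs (masked where possible)."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else ""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        return 401, None
    match = PATH_RE.match(request["path"])
    if not match or int(match.group(1)) != caller_id:
        # 404 rather than 403 so the response does not confirm the ID exists.
        return 404, None
    record = CUSTOMERS[caller_id]
    return 200, {"name": record["name"], "passport": "***" + record["passport"][-3:]}


LOG_RE = re.compile(r"^(\S+) GET (/api/customers/\d+) (\d{3})$")


def detect_enumeration(log_lines, threshold=3):
    """Return client IPs that successfully fetched at least `threshold`
    distinct customer IDs forming one consecutive run, the signature of a
    scripted walk through a sequential ID space."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(3) == "200":
            ids_by_ip[m.group(1)].add(int(m.group(2).rsplit("/", 1)[1]))
    flagged = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        if len(ordered) >= threshold and ordered[-1] - ordered[0] == len(ordered) - 1:
            flagged.append(ip)
    return sorted(flagged)


# Constructed access-log sample: one client walking the ID space, one normal user.
SAMPLE_LOG = [
    "203.0.113.7 GET /api/customers/1001 200",
    "203.0.113.7 GET /api/customers/1002 200",
    "203.0.113.7 GET /api/customers/1003 200",
    "198.51.100.4 GET /api/customers/1002 200",
]

if __name__ == "__main__":
    anon = {"path": "/api/customers/1001", "headers": {}}
    print("vulnerable, no credentials:", lookup_vulnerable(anon))
    print("hardened, no credentials:", lookup_hardened(anon))
    print("clients enumerating IDs:", detect_enumeration(SAMPLE_LOG))
```

The detector is deliberately simple (a consecutive run of successful lookups from one source); in production you would also rate-limit per token and per source address, and use non-sequential record identifiers so that a leaked ID cannot be incremented into the next customer's record.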
Hackers published the sensitive data samples on online forums just a few days later, demanding a A$1.5m ransom in cryptocurrency. However, the hacker reversed course just a few days after demanding a ransom due to pressure from law enforcement and claimed to delete all the data during an apology on the same forum.
The fallout from the attack brought major criticism of the effectiveness of Australian cybersecurity policy. In April 2023, Optus was hit with a class action comprising 1.2 million customers. Cyber Security Minister Clare O'Neil admitted that the country was a decade behind other developed countries on cybersecurity and data privacy.
Figure: The alleged details of the Optus data breach as revealed by a cybercriminal claiming responsibility. Source: Twitter (Jeremy Kirk).
Whether the attacker was state-sponsored has not been confirmed. The reported facts (data pulled from an exposed API, sample records published, a ransom demand and then a retraction) describe data theft followed by extortion rather than file-encrypting ransomware, so the incident should be read as an exfiltration and extortion case.
Investigations are still underway, and Optus has yet to confirm the full details of the ransom demand it received.
At this point, it is not clear whether the breach constitutes a violation of the Australian Privacy Principles. To avoid that costly conclusion, Optus needs to demonstrate that it took reasonable steps to protect customer data from compromise, a determination for the Privacy Commissioner to make.
4. Medibank
Date: October 2022 (stolen data published on the dark web from November 2022)
Impact: 9.7 million people
In October 2022, Medibank, the Australian health insurance giant, disclosed a major data breach affecting the personal details of 9.7 million customers. The attack was linked to a Russia-based criminal group associated with the well-known REvil ransomware gang.
The scale of the theft became clear when the group posted a folder of about 6GB of raw data samples on its dark web blog, signalling that it held far more, and demanded a $10 million ransom. The data included:
Names
Birthdates
Passport numbers
Medical claims data
Medical records
Despite suffering one of the largest data breaches in Australian history, Medibank held firm and refused to pay the ransom. Although the data is believed to have been fully released on the dark web, no cases of identity or financial fraud had been reported at the time of writing. Medibank urged customers to stay vigilant with credit checks and phishing scams, and invested significant sums in its cybersecurity.
Medibank is currently under investigation by the Office of the Australian Information Commissioner (OAIC) over its information handling practices and could face a fine of up to $50 million if it is found not to have had sufficient security practices in place. A class action is also underway.
5. ProctorU
Date: July 2020
Impact: 444,000 people
Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 companies and exposing 386 million records.
The compromised database of 444,000 records included user records with email addresses belonging to:
The University of Sydney
The University of New South Wales
The University of Melbourne
The University of Queensland
The University of Tasmania
James Cook University
Swinburne University of Technology
The University of Western Australia
Curtin University
The University of Adelaide
Email addresses from prominent American universities were also included in the data exposure, including UCLA, Princeton, Harvard, Yale, Syracuse, Columbia, and more. However, despite the email address breach, ProctorU said no financial information was compromised.
6. Australian National University (ANU)
Date: November 2018
Impact: 200,000 students
The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that surprised even experienced Australian security experts. The intrusion was not discovered until nearly six months later.
Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:
Names
Addresses
Phone numbers
Dates of birth
Emergency contact details
Tax file numbers
Payroll information
Bank account details
Student academic results
The attackers ran four spear-phishing campaigns to harvest network credentials from staff. The decisive step was a senior staff member opening a malicious email, which gave the attackers a foothold they expanded step by step until they reached the University's Enterprise Systems Domain (ESD).
This is where the University's most sensitive records were stored. The attackers worked carefully to cover their tracks, deleting access logs as they went and routing their traffic through Tor to hide their origin.
The phishing campaign then widened: a second round of emails was sent from the compromised staff member's own mailbox, inviting more prominent members of the University to a fake event to extend the attackers' reach. Although there is no evidence the stolen information has been misused, ANU spent millions of dollars after the attack upgrading its network security.
7. Eastern Health
Date: March 2021
Impact: 4 hospitals
Eastern Health, an operator of 4 Melbourne hospitals, fell victim to a cyberattack causing certain elective surgeries to be postponed.
The nature of the cyber attack is unknown, but it's suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are growing.
Eastern Health assured the public that no patient data was compromised in the attack.
8. Service NSW
Date: April 2020
Impact: 104,000 people
47 Service NSW staff email accounts were compromised through a series of phishing attacks. This gave the attackers access to 5 million documents, about 10 percent of which contained sensitive data relating to 104,000 people.
A major contributing factor to the breach was the absence of multi-factor authentication on the staff email accounts.
9. Melbourne Heart Group
Date: February 2019
Impact: 15,000 patients
Melbourne Heart Group, a specialist cardiology unit in Cabrini Hospital, fell victim to a ransomware attack impacting 15,000 patient files.
Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage unless a ransom price is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.
Melbourne Heart Group was locked out of its compromised data for almost three weeks.
A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in the possession of the cybercriminals.
Such a claim, however, rests on ransomware operators keeping their promise that the damage will be fully reversed once the demands are met.
Melbourne Heart Group, reportedly, paid the bitcoin ransom.
Most of the encrypted files were restored, but not all of them.
10. Australian Parliament House
Date: February 2019
Impact: Multiple political party networks - Liberal, Labor, and the Nationals.
Australian Parliament House networks were breached by a nation-state actor. China is widely speculated to have been responsible, in response to Scott Morrison banning Huawei and ZTE equipment from Australia's 5G network.
The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD) Mike Burgess, none of it was classified as sensitive.
"There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves," Burgess told the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.
The attackers used phishing to steal employee credentials and gain entry to the parliamentary network. The precursor to this was a compromised external website visited by a small number of parliamentary staff.
11. Tasmanian Ambulance
Date: January 2021
Impact: Every resident that requested an ambulance between Nov 2020 and Jan 2021.
At the time of the breach, Ambulance Tasmania was running its dispatch communications over outdated radio technology that carried pager messages unencrypted. Attackers intercepted the radio traffic, decoded it to text, and posted the captured messages online.
The breached data included the following patient information:
HIV status
Gender
Age
Address of each emergency incident.
The website exposing the compromised data has since been taken offline.
12. Northern Territory Government
Date: February 2021
Impact: 4400 emails
Personal and business email addresses belonging to thousands of Territorians were leaked following a breach involving the Northern Territory's COVID-19 check-in app.
When the app was introduced, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.
According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.
13. Western Australian Parliament
Date: March 2021
Impact: Unknown
The Western Australian parliament's mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. The incident was part of a global wave of attacks that exploited the Exchange zero-days before Microsoft released a patch.
WA's Executive Manager of Parliamentary Services, Rob Hunter, said that a forensic audit found no evidence of a data breach. As soon as security teams became aware of the intrusion, they disconnected the targeted email server.
It is hard to know how much confidence to place in that assurance, as little detail about the event has been published.
The Australian Cyber Security Centre (ACSC) declined to comment on the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.
If the attackers were as sophisticated as the Prime Minister described them, they may have had enough time to quietly exfiltrate sensitive data even during a brief intrusion.
All information has been reproduced from leading news sites for republication in 2024, for awareness of, and blog article updates on, the Australian cyber security front line.