Data breaches in Australia are on the rise, particularly in the financial and healthcare industries. In an effort to disrupt this negative trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.

But Australian businesses cannot solely rely on the government's cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It's up to each individual business to continue lifting this standard with additional data breach prevention controls.

To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we've compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact.

If you're interested in a global perspective, you can also read our blog on the biggest data breaches globally.


1. Canva



Date: May 2019

Impact: 137 million users

Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million active monthly users.

A cybercriminal identified as Ghosticplayers breached Canva's defences but was stopped by Canva when they detected malicious activity in their systems. Unfortunately, this interception did not happen soon enough. The threat actor had time to access the following user data:

  • Usernames
  • Real names
  • Email addresses
  • Country data
  • Encrypted passwords
  • Partial payment data

After the cyberattack, Ghosticplayers contacted ZDNet to brag about the successful data breach. This is unusual behavior for cybercriminals who usually gloat about their cybercrimes on dark web forums.

Canva quickly notified users whose passwords had been decrypted to change them, and reset all accounts whose passwords had not been changed in 6 months.


2. Latitude

Date: March 2023

Impact: 14 million customers

Latitude, the Australian personal loan and financial service provider, was affected by a data breach that impacted over 14 million people from Australia and New Zealand. Although the initial disclosure stated that only 328,000 individual customers were affected, that number quickly grew to 14 million after further investigation.

The Latitude breach was one of Australia’s largest breaches in recent history and follows a recent string of large-scale attacks (Optus and Medibank).

The attack occurred when one set of employee credentials was stolen, allowing access to Latitude’s customer data, mainly consisting of:

  • Full names
  • Physical addresses
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Driver’s license numbers
  • Passport numbers

Much of the information was data stored from 2005, which drew questions on why companies continue to store customer records beyond the required seven-year timeframe. The government also considered extending the reach of federal cyber agencies to intervene when private companies come under attack.

Latitude is currently being investigated for its role in the attack and whether or not it had sufficient ability to prevent the attack from happening. The company is also being investigated for a class-action lawsuit.


3. Optus


Date: September 2022

Impact: 9.8 million customers

The Optus data breach was one of the biggest security breaches ever in Australian history. As the second-largest telecommunications company in Australia, this security incident brought up questions about Australian data security policies and how companies handle them.

Cybercriminals believed to be working for a state-sponsored operation breached Optus' internal network, compromising personal information and impacting up to 9.8 million customers, almost 40% of the population. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017.

Personal data included in this compromised data set includes:

  • Names
  • Birth dates
  • Addresses
  • Phone numbers
  • Passport information
  • Driver's license numbers
  • Government ID numbers
  • Medical records & Medicare card ID numbers

It’s speculated that the criminal group gained access through an unauthenticated API endpoint, meaning a username/password or other authentication method wasn't required to connect to the API. Bayer said it was an extremely sophisticated attack that circumvented the company’s strong cyber defenses.

Hackers published the sensitive data samples on online forums just a few days later, demanding an A$1.5m ransom in cryptocurrency. However, the hacker reversed course just a few days after demanding the ransom due to pressure from law enforcement and claimed to have deleted all the data in an apology posted on the same forum.

The fallout of the attack saw major policy criticisms about the effectiveness of Australian cybersecurity. In April 2023, Optus was hit with a class-action lawsuit comprised of 1.2 million customers. Australian Cyber Security Minister Clare O’Neil admitted that the country was a decade behind other developed countries on cybersecurity and data privacy.

The alleged details of the Optus data breach as revealed by a cybercriminal claiming responsibility - Source: Twitter - Jeremy Kirk.

If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack - a style of attack favoured by such well-financed hacker groups for its high success rates and significant dividends.


Investigations are still underway, and Optus has yet to confirm whether it received a ransomware note from the cybercriminals.

At this point, it isn’t clear whether this breach constitutes a violation of Australian privacy principles. To prevent such a costly conclusion, Optus needs to demonstrate that it took active measures to ensure the protection of all customer data from data breach attempts - a decision for the privacy commissioner to make.

Read the news article by TechCrunch about this Optus data breach event.


4. Medibank

Date: December 2022

Impact: 9.7 million people

In December 2022, Medibank, the Australian health insurance giant, was the victim of a major data breach, affecting the personal details of 9.7 million customers. The attack was believed to be linked to a well-known ransomware group based in Russia, the REvil ransomware gang.

The privacy breach was first discovered when REvil posted on a dark web blog a folder that contained 6GB of raw data samples, indicating that they had larger amounts of data to release, and demanded a $10 million ransom. The data included:

  • Names
  • Birthdates
  • Passport numbers
  • Medical claims data
  • Medical records

Despite one of the largest data breaches in Australian history, Medibank stayed firm and refused to pay the ransom. Although the data is believed to have been fully released on the dark web, no cases of identity or financial fraud have occurred yet. Medibank also urged customers to stay vigilant on credit checks and phishing scams to ensure that they do not become victims, and the health giant invested significant amounts into its cybersecurity.

Medibank is currently under investigation by the Office of the Australian Information Commissioner (OAIC) for its information handling practices and could be subject to a $50 million fine if it is determined that it did not have sufficient security practices in place. Additionally, a class-action lawsuit could be underway for Medibank as well.

5. ProctorU


Date: July 2020

Impact: 444,000 people

Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 companies and exposing 386 million records.

The compromised database of 444,000 records included user records with email addresses belonging to:

  • The University of Sydney
  • The University of New South Wales
  • The University of Melbourne
  • The University of Queensland
  • The University of Tasmania
  • James Cook University
  • Swinburne University of Technology
  • The University of Western Australia
  • Curtin University
  • The University of Adelaide

Email addresses from prominent American universities were also included in the data exposure, including UCLA, Princeton, Harvard, Yale, Syracuse, Columbia, and more. However, despite the email address breach, ProctorU said no financial information was compromised.


6. Australian National University (ANU)


Date: November 2018

Impact: 200,000 students

The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that shocked even the most experienced Australian security experts. Furthermore, the attack wasn’t discovered until nearly six months later.

Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:

  • Names
  • Addresses
  • Phone numbers
  • Dates of birth
  • Emergency contact details
  • Tax file numbers
  • Payroll information
  • Bank account details
  • Student academic results

The attackers deployed four spear-phishing campaigns to harvest network access credentials from staff. The successful phishing attack came down to a senior staff member who opened an infected email, which granted the attackers deeper levels of access until the University's Enterprise Systems Domain (ESD) was breached.

This is where the University's most sensitive records were stored. The attackers worked meticulously to cover their tracks, instantly deleted access logs, and used the anonymity software Tor to obfuscate their location details.

The phishing campaign continued to expand with a second round of emails directly from the staff member’s breached email, which invited more prominent school members to a fake event to increase the scope of the attack. Although there has been no evidence of information being exploited, ANU spent millions of dollars after the attack to upgrade its network security.

7. Eastern Health


Date: March 2021

Impact: 4 hospitals

Eastern Health, an operator of 4 Melbourne hospitals, fell victim to a cyberattack causing certain elective surgeries to be postponed.

The nature of the cyber attack is unknown, but it's suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are growing.

Eastern Health assured the public that no patient data was compromised in the attack.


8. Service NSW


Date: April 2020

Impact: 104,000 people

47 Service NSW staff email accounts were hacked through a series of phishing attacks. This led to 5 million documents being accessed, 10 percent of which contained sensitive data impacting 104,000 people.

A major contributing factor to the seamless breach was the lack of multi-factor authentication.

9. Melbourne Heart Group


Date: February 2019

Impact: 15,000 patients

Melbourne Heart Group, a specialist cardiology unit in Cabrini Hospital, fell victim to a ransomware attack impacting 15,000 patient files.

Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage unless a ransom price is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.

Melbourne Heart Group was locked out of its compromised data for almost 3 weeks.

A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in possession of the cybercriminals.

But such a claim assumes ransomware criminals are true to their promise that damages will be completely reversed if demands are obeyed.

Melbourne Heart Group, reportedly, paid the bitcoin ransom.

Most of the encrypted files were restored, but not all of them.

10. Australian Parliament House


Date: February 2019

Impact: Multiple political party networks - Liberal, Labor, and the Nationals.

Australian Parliament House networks were breached by a nation-state criminal group. It's speculated that China was responsible for the attack, as a response to Scott Morrison banning Huawei and ZTE equipment from Australia's 5G network.

The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD) Mike Burgess, none of it was classified as sensitive.

"There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves." Mike said at the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.

The cybercriminals used phishing methods to steal employee credentials and gain entry into the government's network. This precursor attack took place on an infected external website that a small number of parliament staff visited.

11. Tasmanian Ambulance


Date: January 2021

Impact: Every resident that requested an ambulance between Nov 2020 and Jan 2021.

At the time of the breach, the Tasmanian ambulance was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text, and posted the stolen data online.

The breached data included the following patient information:

  • HIV status
  • Gender
  • Age
  • Address of each emergency incident.

The website exposing the compromised data has since been taken offline.

12. Northern Territory Government


Date: February 2021

Impact: 4400 emails

Personal and business emails across thousands of territories have been leaked following a breach of the Northern Territory's COVID-19 check-in app.

When the app was introduced, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.

According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.

13. Western Australian Parliament


Date: March 2021

Impact: Unknown

Western Australia parliament's mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. This incident was part of a global cyberattack frenzy targeting the zero-day exploit before Microsoft responded with a patch release.

WA's Executive Manager of Parliamentary Services Rob Hunter said that a forensic audit found no evidence of a data breach. As soon as security teams became aware of the malicious intrusion, they immediately disconnected the targeted email server.

But it's uncertain whether this consolation is true. The lack of transparency into the event is concerning.

The Australian Cyber Security Centre (ACSC) declined to comment about the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.

If the nation-state criminals were as sophisticated as the Prime Minister described them, they may have had enough time to clandestinely exfiltrate some sensitive data, even during such a brief visit.


UpGuard Helps Australian Businesses Prevent Data Breaches

UpGuard helps Australian businesses strengthen their cyber threat resilience by discovering vulnerabilities and data leaks exposing sensitive resources. This detection and remediation solution extends to the entire third-party vendor network.
