Medibank, Optus breaches ‘should have been smaller’, Castlepoint Systems chief Rachael Greaves says

Castlepoint chief Rachael Greaves says AI and better record keeping would have helped Medibank and Optus, as it emerged the privacy watchdog’s investigations could stretch into next year.

Castlepoint Systems co-founder and chief executive Rachael Greaves.

The scale of the Optus and Medibank data breaches that caught up millions of Australians could have been reduced through better record keeping and the use of ethical AI, according to Castlepoint Systems co-founder and chief executive Rachael Greaves.

Her assessment comes as it emerged that the privacy watchdog’s investigations into those breaches could stretch into next year.

The high-profile Optus and Medibank breaches sparked calls for changes to information collection and retention laws. The Office of the Australian Information Commissioner has issued notices to both companies to produce documents, and an outcome is now unlikely until 2024.

Both companies are also facing class action lawsuits brought by customers who say their personal information was not reasonably protected.

Speaking to The Australian, Ms Greaves said that while breaches like the Optus and Medibank incidents were often unavoidable, their impact could have been much smaller.

“With Medibank and Optus we saw the retention of old records for people who are no longer clients and who are no longer alive in some cases,” she said. “What we’ve previously seen is a culture of ‘just keep everything because maybe we can monetise it’.

“If you think about what negligence is, number one it’s recognising this problem and number two, knowing that the problem could cause serious harm.

“And number three, being able to remediate it and not taking those steps. And what’s happened with corporates historically is that they’ve been able to say ‘yep, we recognise this as a problem and yeah it would be really bad if this breach happened, but there’s no practical way for us to sanitise and destroy this information. There’s no practical way for us to do this work’.

“Well, there is now. And we’re starting to see the idea of negligence and therefore liability shift, and it’s clear now that it is possible. You can know all your data, you can know what you have and where it is and what it’s about.”

Castlepoint Systems chief executive Rachael Greaves.

Ms Greaves started Castlepoint Systems with husband Gavin McKay, and they originally built their software for their own consulting projects to address the limitations of traditional software and its inability to meet regulatory and statutory obligations in government.

The company’s platform uses ethical AI to discover, classify and control every document, email, chat message, database, or web page in an organisation’s network, identifying rogue data and potential compliance risks based on regulatory rules and reporting.

Two thirds of Australian federal government portfolios have now implemented Castlepoint’s AI technologies, which Ms Greaves said reflected the public sector’s transition to leveraging ethical AI for information governance and risk management.

Over the 2023 fiscal year Castlepoint added lead and portfolio agencies in Agriculture, Fisheries and Forestry; Attorney-General’s; Climate Change, Energy, the Environment and Water; Education; and Employment and Workplace Relations among others to its user base.

Castlepoint posted growth of more than 100 per cent in FY23 and the company is on track to continue its expansion in FY24.

Castlepoint now manages more than 286 million records, which is more than 10 records per Australian citizen, across more than 1.6 million separate systems.

Ms Greaves said the company has identified more than a quarter of a billion sensitive and high-risk records in enterprises that required protection, and applied records retention rules to these so they could be appropriately preserved or lawfully destroyed, reducing the potential harm of any future data spill.

Last year’s Optus and Medibank breaches sparked calls for changes to information collection and retention laws.

“Government has significant obligations for compliant information management,” Ms Greaves said. “The volume of digital records held by commonwealth entities has jumped from 51 terabytes in 2013, to more than 314,000TB in 2022.

“There is just too much volume, variety, and velocity of data for legacy control methods to be effective.”

The firm has grown its headcount to nearly 40, and is now on the hunt for additional capital, after raising $3m in a round led by CSIRO-linked deep tech investment fund Main Sequence in 2021.

“We’re looking at Australian, UK, EU and US bases to find the most appropriate ones to support the growth,” she said. “Because we’re a values-driven organisation, finding the right alignment is really key for us.

“We want to make it available across advanced economies and even beyond. So while we’re still first to market with this capability, while there’s still a really strong need for this kind of information protection, we want to make sure that we can take it globally in the most sustainable way and we’re raising funding to help us do that.”

Originally published as Medibank, Optus breaches ‘should have been smaller’, Castlepoint Systems chief Rachael Greaves says

Original URL: https://www.dailytelegraph.com.au/business/medibank-optus-breaches-should-have-been-smaller-castlepoint-systems-chief-rachel-greaves-says/news-story/d1d27a6493c4f9afa6daa9cd823cc8be