New mandatory reporting of data breach laws reveal scope of the problem
EXCLUSIVE: Major data breaches leaving Australians open to serious harm are occurring every single day, new reporting laws have revealed — so why are our laws around this still so weak?
Major data breaches which leave Australians open to serious harm are occurring daily, new mandatory reporting laws reveal.
In the first-ever snapshot of just how often Australians’ data is being hacked or lost, News Corp Australia has learnt 31 companies have been forced to report major data breaches in the three weeks since the notifiable data breach scheme was introduced.
That’s more than one serious breach per day.
It means thousands of Australians have had their personal names, addresses, telephone numbers, date of birth, bank account details or other records exposed in the past two months alone.
Under the scheme, which came into force on February 22, companies or government agencies must notify the Office of the Australian Information Commissioner when personal information that could cause “serious harm” if exposed is lost, stolen or accessed by an unauthorised third party.
They face heavy fines of up to $2.1 million if they do not report the breach within 30 days.
Companies must also notify anyone affected by the breach.
In one case, shipping company Svitzer reported a massive data breach it discovered on March 1 that could have affected up to 500 of its Australian employees.
Emails from accounts in its finance, payroll and operations departments were secretly autoforwarded outside the company for 11 months, potentially exposing employee tax file numbers, superannuation account numbers and the names of next of kin.
In another case reported by News Corp this week, the Toronto Workers Club in NSW informed its members hackers could have obtained the personal information of up to 20,000 members while poker-machine provider Aristocrat was doing cloud-storage testing.
Cyber security expert Nigel Phair, director of the University of Canberra’s Centre for Internet Safety, said the number of companies that had reported so far was “surprisingly high”.
Professor Phair said the NDB scheme should be reviewed in 12 months to see if it was tough enough.
A comparison could be done with Europe’s much stronger General Data Protection Regulation laws, set to come into force in May, which can fine companies up to 4 per cent of their gross annual turnover and have a 72-hour notification period, rather than a month.
“The Europeans take online privacy so much more seriously than we, and almost every other jurisdiction, do,” Prof Phair said.
“Let’s see how ours go, let’s look at what the trends are, and what the investigational outputs are, whether we need new legislation, whether we need more resources for the OAIC ... let’s see how that plays out.”
Previously, reporting has been voluntary in Australia.
The 30-day reporting time frame has drawn criticism from digital security expert Troy Hunt, an Australian who created the globally renowned website Have I Been Pwned?, which allows anyone to check for free if their email or password has been found in a data breach.
“When someone does illegally obtain data via a breach, and particularly when we talk about malicious purposes, when we’re looking at things like identities, often those identities are traded and they are abused to the detriment of the individual,” Mr Hunt said.
“They might be sold on the dark web [or] it might result in people having account takeovers for important things like email addresses or even bank accounts.
“It does actually cause serious harm to individuals.
“And the premise that an organisation can discover a data breach and then take a month before they even tell people, I just find hard to fathom.”
All companies, not just those that make more than $3 million annually, should be forced to report, he said.
From his own work in the industry, Mr Hunt said he expected the number of breaches could actually be as high as three per day.
The Australian Government has taken the unprecedented move of partnering with Have I Been Pwned? to check if its own email addresses have been exposed in data breaches.
The partnership, which begins this Monday, will mean the Australian Cyber Security Centre is notified within minutes every time an Australian government email address appears in a data breach.