In the past month alone, seven companies with household recognition have publicly identified breaches to their cyber security systems, resulting in customer data being leaked.

Some like Optus’ large-scale breach saw millions of customers affected, while others have created public relations nightmares and consumer distrust.

Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer ends 31 October, 2022 >

Speaking to news.com.au, Global Solutions Engineer APJ at cybersecurity services firm Sophos, Aaron Bugal puts the increase in security breaches down to a mix of increased sophistication, and for some companies, a lack or pre-planning.

“The biggest issue I see today is that cyber criminals are as knowledgeable as the defenders. They’ve got access to the tools to the networks, they know how thinks work, and they’re spending all their time looking to exploit them,” he said.

“These days the threats are much more complex, the criminals have got much more opportunistic ways to get in, and they’re just going to keep leveraging it.”

Mr Bugal says that while there has been government support in order to help businesses become more resilient, the information has been “falling on deaf ears”.

“There is some complacency and in some cases almost negligence where organisations are not being responsible implementing correct and basic cyber controls, and cyber hygiene, and having a very ‘she’ll be right’ attitude towards security,” he said.

Without naming organisations, he criticised businesses for being a “deer in the headlights” in the aftermath of security breaches.

“It’s just going to get more and more customers to either take their business elsewhere or demand organisations become more responsible and implement proper cyber security,” he said.

EnergyAustralia: Customer details exposed

On Friday, electricity company Energy Australia became the latest entity to be involved in a data breach. A cyber attack of the online platform, My Account, saw the details of 323 residential and small business customers exposed.

The leaked data included names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of credit cards.

Although EnergyAustralia said there no evidence of the information appearing on a third party site, the utilities supplier have updated their password policy.

Users are now required to implement 12-character passwords, including a mix of capital and lower case letters, numbers and special characters, whereas previously passwords only had to be longer then eight characters.

Medibank: Ransom demands, threats issued

One of Australia’s largest private health insurers, Medibank’s data leak scandal significantly escalated this week.

On Wednesday, the company confirmed it had been contacted by a group which wished to “negotiate with the company regarding their alleged removal of customer data”. Although Medibank are still verifying the claims, the Sydney Morning Herald said the message from the hacking group threatened to sell the 200 gigabytes of stolen data, and get into contact with the high-profile clients.

The escalation came just a week after the health insurer said that a “cyber incident” had not resulted in customer data being accessed.

“At this stage there is no evidence that any sensitive data, including customer data, has been accessed,” Medibank said in a statement.

“As part of our response to this incident, Medibank will be isolating and removing access to some customer-facing systems to reduce the likelihood of damage to systems or data loss.”

Speaking about the worst-case scenario of a potential breach, Mr Bugal said that as an insurance provider, Medibank would have access to customers’ personal details and personal ailments, like heart conditions, and chronic conditions.

“What could happen is limitless, “he said.

“Scammers could start using it against the individuals. I’d hate to see that being done on a level when it comes to medical conditions.”

MyDeal: Data ‘sold by the perpetrator’

A subsidiary of the Woolworths Group, MyDeal.com.au, also came under fire after 2.2 million customers had their names, email addresses and phone numbers exposed in a data breach.

In an update released on Wednesday, October 19, MyDeal said it believed customer data has “reportedly been sold by the perpetrator”. A statement from the company advised customers to closely monitor any uncertain activity on their online accounts and be weary of email, telephone and SMS scams.

“It is important to note that no passwords, payment details or ID documents were exposed in the MyDeal customer data breach,” the statement read.

“For around half the MyDeal customers affected, only their email addresses were accessed in the breach.”

Optus: 10 million customers breached

The recent Optus data breach showed the severity of a large-scale cyber attack.

The identification details of 10 million customers were exposed from passport details, drivers licenses and Medicare cards, leaving customers vulnerable to hackers and the potential for ID theft.

Nearly a month after the telco discovered the breach on September 22, the fallout has continued for those affected.

On Friday, one customer – who has since changed operators – said that without consultation, Optus has blocked customers from being able to use their passports in verification services. However, the document can still be used for international travel, the correspondence read.

“To prevent the misuse of your identity, we have asked the Department of Home Affairs to block the use of your passport through the Document Verification Service (DVS),” the letter read.

“This means it can’t be used to verify your identity online via the DVS. You can still use your passport to verify your identity in-person for up to three years past its expiry.”

Telstra and NAB details leaked in third party breach

Employees from Telstra and NAB were also involved in a data breach, after information stolen in 2017 had been made public.

Both companies confirmed the breach did not affect their internal systems and only affected the third party supplier, Pegasus. Owned by My Rewards International, the separate platform offers rewards programs for businesses.

According to the telco, 30,000 employee details dating to 2017 had been published on a platform linked to the Optus hack. The information included first and last names and email addresses which customers used to sign up to the site.

According to the Sydney Morning Herald, NAB and Telstra were among 15 companies which were impacted by the breach, which impacted up to 72,000 current and former employees.

Vinomofo: Potential 500,000 affected

On Tuesday, customers of online wine merchants, Vinomofo were made aware of a data breach made by a third party which may have affected up to 500,000 of its customer base.

Information which was at risk of exposure included details of customer names, birthdays, addresses, emails, phone numbers and genders.

However, in an email to customers, Vinomofo’s chief executive, Paul Edginton said details such as credit card information and formal identification were not stored by the business.

“Vinomofo experienced a cybersecurity incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website,” he wrote.

“Vinomofo does not hold identity or financial data such as passports, driver’s licences or credit cards/bank details. While no passwords, identity documents or financial information were accessed, the database includes other information about customers and members.”

Cybercrime rates only to rise, Minister warns

Speaking to ABC Radio on Thursday, Cyber Security Minister Clare O’Neil said rates of cyber attacks would likely only increase, and were now the “main crime concern internationally”.

“This is the new world that we live in. We are going to be under relentless cyber attack, essentially from here on in,” she said.

Ms O’Neil also hinted that regulatory changes would be coming.

“So I think combined with Optus, this is a huge wake-up call for the country. And certainly gives the government a really clear mandate to do some things that frankly, probably should have been done five years ago, but I think are still very crucially important,” she added.

However, Mr Bugal says businesses would also need to adapt to more intelligent technology and hacking groups which have become increasingly aggressive in their attacks.

“I have a lot of sympathy for business owners today because you can’t have a five year plan of what’s going to happen in cybersecurity because it changes on a monthly basis,” he said.

“So you just need to have people who are cyberaware, have their finger on the pulse and can dedicate their time to it.

“That’s going to be a massive step forward to effectively running faster than the other people that are out there so that they don’t get caught up as a victim.”

More Coverage

Millions stung in shock data breach

Blake Antrobus

Major bank hit by third party data breach

Isabel McMillan and Eli Green

Originally published as Are data breaches becoming more frequent? A digital security expert explains