NewsBite

Worst data breaches in 2024 revealed amid new push for stronger hacking disclosure laws

Victims should be told their private information has been compromised, experts say, as they push for stronger disclosure laws. See the worst data breaches and how to protect yourself.

MediSecure reveals data breach of almost 13 million Australians

Victims of data breaches should be told their sensitive information has been compromised, experts say, as they push for stronger disclosure laws.

It comes after another year of major leaks impacting organisations from telcos and tech companies through to ticket sellers and tea shops.

As many as 77,000 people were impacted by Australian government vulnerabilities alone in the first six months of 2024.

Web security expert and founder of hack check website Have I Been Pwned, Troy Hunt, said Australian organisations that experienced a data breach were obligated to notify the regulator but “notifying the regulator is very different to notifying the individuals”.

Individual victims only needed to be looped in if the organisation believed the incident was likely to result in serious harm.

Mr Hunt, who is also a regional director for Microsoft, said rules were similar in other parts of the world.

Troy Hunt is a global consultant on tech hacks, all from his office in Surfers Paradise. He has addressed US Congress, and works with FBI, AFP and police from around the world. Picture: Glenn Hampson

“All these data breaches are global in one way or another and I think consistently across the globe we should have an obligation to the victims,” he said.

“I expect to know from the company when my data is exposed.

“We should have laws for that and I don’t think that there should be a criteria of a company being able to self assess and decide how much harm it’s going to do. That should be up to (the impacted individual) to decide how much harm it’s going to do.”

Under Australia’s Notifiable Data Breaches scheme, any organisation or agency covered by the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is “likely to result in serious harm to an individual whose personal information is involved”.

But in 27 per cent of incidents between January and June, entities took more than 30 days to notify the OAIC after becoming aware of a breach.

And just because the OAIC has been made aware, that does not necessarily mean the individuals have been, too.

Major leaks impacted organisations from telcos and tech companies through to ticket sellers and tea shops.

An OAIC spokeswoman said these were “two separate processes”.

“We work with entities that notify data breaches to ensure their response meets the requirements of the Notifiable Data Breaches scheme, including that individuals at risk of serious harm have been appropriately notified,” she said.

“Generally, most entities meet their obligations, though in some cases the OAIC may take action such as requesting or directing entities to reissue their notification to the affected individuals.”

In the first six months of 2024, the OAIC was notified of 527 data breaches – up 9 per cent compared to the previous six months.

Most came from private sector health service providers, followed by Australian government departments and agencies, the finance industry, the education industry, and retailers.

Two-thirds were the result of a malicious or criminal attack, while 30 per cent were due to human error, such as sending an email to the wrong recipient or misplacing a hard drive.

In the first six months of 2024, the OAIC was notified of 527 data breaches – up 9 per cent compared to the previous six months. Picture: AAP Image/Dave Hunt

A heavily-redacted document produced after a Freedom of Information request revealed that between 29,300 and 77,600 people were affected by government-related data breaches reported in the first half of the year.

This included 39 separate incidents of “social engineering or impersonation” at Services Australia, which affected as many as 25,250 people.

These typically involved “impersonating a customer and gaining access to their customer account by using legitimate identity credentials that bypassed the agency’s identity verification procedures”, according to the OAIC.

There was also a data breach affecting a third-party organisation used by the Department of Industry, Science and Resources, which involved the names of approximately 25,000 people.

OTHER DATA BREACHES OF 2024

Trello

Project management tool

Breach date: January 16, 2024

Compromised accounts: 15,111,945

Compromised data: email addresses, names, usernames

Tangerine

Telecom

Breach date: February 18, 2024

Compromised accounts: 243,462

Compromised data: dates of birth, email addresses, names, passwords, phone numbers, physical addresses, salutations

DemandScience by Pure Incubation

Data aggregator

Breach date: February 28, 2024

Compromised accounts: 121,796,165

Compromised data: email addresses, employers, job titles, names, phone numbers, physical addresses, social media profiles

Family tracking app Life360.

Life360

Family tracking app

Breach date: March 1, 2024

Compromised accounts: 442,519

Compromised data: email addresses, names, phone numbers

T2

Tea shop

Breach date: April 17, 2024

Compromised accounts: 94,584

Compromised data: dates of birth, email addresses, names, passwords, phone numbers, physical addresses, purchases, salutations

Hackers and scammers took advantage of Ticketek’s official resale platform by hacking into Ticketek accounts, stealing fans' Taylor Swift tickets and reselling them on Ticketek Marketplace. Picture: Supplied

Ticketek

Ticketing company

Breach date: May 31, 2024

Compromised accounts: 17,643,173

Compromised data: dates of birth, email addresses, genders, names, passwords, salutations

mSpy

Spyware maker

Breach date: June 9, 2024

Compromised accounts: 2,394,179

Compromised data: email addresses, IP addresses, names, photos

Muah.AI

“AI girlfriend” website

Breach date: September 17, 2024

Compromised accounts: 1,910,261

Compromised data: email addresses, sexual fetishes

digiDirect

Electronics retailer

Breach date: September 29, 2024

Compromised accounts: 304,337

Compromised data: dates of birth, email addresses, names, phone numbers, physical addresses

Finsure

Mortgage broking group

Breach date: October 15, 2024

Compromised accounts: 296,124

Compromised data: email addresses, names, phone numbers, physical addresses

Source: haveibeenpwned.com

HOW TO PROTECT YOURSELF

One way to help protect yourself is to use a hardware-based security key, a USB or fob key that has to be in physical proximity to the device.

* Use a password manager that generates strong unique passwords

* Set up multifactor authentication

* Consider a passkey, which uses your device to prove who you are before letting you into your account, without any need for a password

* Consider a hardware-based security key, a USB or fob key that has to be in physical proximity to the device

* Check if your email address has been part of a data breach via haveibeenpwned.com/

Source: Web security expert Troy Hunt

Originally published as Worst data breaches in 2024 revealed amid new push for stronger hacking disclosure laws


Original URL: https://www.thechronicle.com.au/technology/online/worst-data-breaches-in-2024-revealed-amid-new-push-for-stronger-hacking-disclosure-laws/news-story/1fea724555a4111a75cfcbda0b418c70