A string of major data breaches hitting Australia

Australia experienced a significant increase in data breaches in 2024, often involving sensitive information like passwords and financial details. Major companies affected include MediSecure, Ticketmaster, Shell, Telstra, and Optus, leaving many individuals at risk of identity theft. 

Learn how to check if your data has been leaked, what steps to take if it has, and key lessons from these breaches to enhance your cybersecurity.

Jump to…
Data breach incidents in 2024 in Australia
How to tell if my data has been leaked?
What to do if your data has been involved in a data breach
How can businesses protect themselves from data breaches?
What are the consequences of a data breach?
What are some of the lessons we can learn from Australia’s data breaches?

Data breach incidents in 2024 in Australia 

In 2024, several high-profile data breaches occurred in Australia, impacting major companies and affecting millions of individuals. 

Below you’ll find a list of major data breaches in Australia in 2024:

1. MediSecure (May 2024)

Until late 2023, MediSecure was one of only two prescription delivery services in Australia, enabling prescriptions, both paper and electronic, to be sent from doctors to pharmacies of the patient’s choice. A ransomware attack compromised a MediSecure database, exposing personal information such as names, addresses, and limited health information related to prescriptions. This large-scale ransomware breach affected data from prescriptions filled before November 2023. 

Following the incident, MediSecure entered administration (a process where an external administrator takes control of a financially troubled company to restructure it and repay creditors). The Australian government and various agencies have been involved in responding to the impact on those affected.

2. Ticketmaster (May 2024)

A hacker group called ShinyHunters claims to have stolen the personal details of a massive 560 million Ticketmaster customers worldwide, including Australians. They say the stolen data includes names, addresses, phone numbers, and even partial credit card details. The group is demanding a $500,000 ransom to avoid selling this information to other parties (aka criminals).

While Ticketmaster has yet to confirm the breach, the Australian government is working with the company to address the issue. This is particularly concerning as Ticketmaster has a history of data breaches. According to Wired, ShinyHunters may have gained access by first compromising a contractor’s computer to log in to Ticketmaster’s accounts on Snowflake, a cloud storage platform. This alleged weakness highlights the importance of multifactor authentication, which could have prevented unauthorized access.

3. Shell (May 2024)

In May 2024, Shell experienced a major data breach that exposed sensitive information from 80,000 records. The breach, carried out by the hacker group “888,” impacted multiple countries, including Australia, the UK, France, India, Singapore, the Philippines, the Netherlands, Malaysia, and Canada. The stolen data includes personal and contact details, putting those affected at risk of identity theft and targeted scams.

In 2023, Shell also experienced a credential stuffing attack targeting employee logins. The ransomware group exploited a vulnerability in the MOVEit file transfer platform, leading to a data breach that affected personal information of employees, including those in Australia. 

4.Telstra (April 2024)

Telstra, a major Australian telecommunications provider, reported a data breach impacting customer information. Sensitive data, such as names, email addresses, and phone numbers, was compromised. 

The breach was part of a larger dataset that was posted on a hacking forum, claiming to contain data from 47,000 customers, although most of this was reportedly dummy data. While the breach didn’t involve a cyber attack, the exposure of personal information poses risks including identity theft and targeted scams.

5. Optus (September 2022)

Optus, a major Australian telecommunications company, experienced a significant data breach affecting up to 10 million current and former customers, roughly a third of Australia’s population. The stolen information included names, dates of birth, home addresses, phone numbers, email addresses, and passport and driving license numbers.

There were differing accounts of how the breach occurred. Optus described it as a sophisticated cyber attack, while an Optus insider and the Australian Government attributed it to human error that caused a vulnerability in the company’s API (Application Programming Interface, which allows different software applications to communicate with each other). Multiple class-action lawsuits were filed against Optus, seeking compensation for any loss or damage suffered due to a privacy breach.

How to tell if my data has been leaked?

In Australia, under the Notifiable Data Breaches scheme, many organizations must tell you if your personal data has been involved in a data breach. They must tell you: a) their name and contact details, b) what information is breached, c) what happened, d) what you should do (give you recommendations for how you can protect yourself). This notification could come via email, phone call, or physical mail.

You can also proactively use online tools like “Have I Been Pwned” to check if your email address or phone number has been involved in known data breaches. The ExpressVPN Keys password manager allows you to check if your email has been involved in a data breach using HaveIBeenPwned, which tracks breaches worldwide. If your email is found, it indicates that other personal information like passwords or payment details may be exposed.

Also look out for:

• Unusual account activity: Pay attention to unexpected changes to your online accounts, login attempts, unauthorized transactions, or unfamiliar accounts being opened in your name. Review your bank statements and credit reports regularly for any signs of identity theft​. Contact your financial institution immediately if you notice anything unusual.
• Phishing scams: Be vigilant for phishing emails, phone calls, and text messages. Scammers may use your stolen information to impersonate legitimate organizations. These emails or calls may try to trick you into revealing personal information or clicking on malicious links. Always verify communications by contacting the organization directly through their official channels.

What to do if your data has been involved in a data breach

If your data has been involved in a breach, it’s important to act quickly to help minimize potential harm. Here’s what you can do:

• Change your passwords for the affected accounts, including online banking passwords and PINs. If you use the same password on multiple sites, change those passwords as well. Use a strong, unique password for each account, ideally managed through a password manager (like ExpressVPN Keys).
• Enable multi-factor authentication (MFA) on all your accounts, if available, for an extra security layer.
• Monitor your bank accounts and credit cards for unauthorized transactions. Get your credit report and check for unauthorized loans or applications. Report any suspicious activity to your bank.
• Avoid phishing scams in your emails, texts, or messages asking for sensitive information. Verify the legitimacy of any communication before responding.
• Contact IDCARE theft support if you suspect your identity has been stolen. It’s a free identity and cyber support service. They can help you navigate the process of securing your accounts and recovering from identity theft.
• Stay informed by reading official statements and reputable news sources. This helps you understand the breach and what data was compromised.
• Make a data breach complaint by contacting the organization involved in the data breach. If you’re unhappy with their response or a lack thereof, you can file a written complaint with the Office of the Australian Information Commissioner (OAIC) after giving the organization 30 days to respond.

Focus on accounts and services where the compromised data type matches the information leaked in the breach to minimize the risk of potential damage. Seek help from the police and other support services if necessary.

How can businesses protect themselves from data breaches? 

Here’s a list of the most important actions a business can take to protect itself from data breaches:

• Cybersecurity training for all: Provide ongoing cybersecurity training to help employees recognize social engineering (phishing). Train employees on handling and protecting customer data.
• Require strong authentication practices: Set company accounts so that they require multi-factor authentication.
• Secure remote work: Use an Australia VPN to secure data transmissions and protect sensitive information when accessing the internet, especially while working outside of the office.
• Conduct security audits: Perform regular security audits to identify and mitigate vulnerabilities in your organization. This could also involve targeting particularly vulnerable employees with spear phishing and similar attacks to see how they respond to them.
• Regularly update software: Require all software, applications, and operating systems to be using the latest versions.
• Minimize data collection: Collect and store only the data essential for your business operations and legal requirements. Unnecessary data should be securely disposed of.
• Limit employee access to data: Restrict data access to only what employees need for their jobs. 
• Prevent unauthorized software installations: Set company computers to disallow installations not approved by IT.
• Respond promptly to breaches: Have an incident response plan in place, assign roles, review and improve security measures continuously.

Read more: Cybersecurity tips for small businesses

What are the consequences of a data breach?

Data breaches—the unauthorized access and exposure of sensitive information—pose a significant threat to both individuals and businesses. The consequences of a data breach can be far-reaching and long-lasting.

For individuals 

When personal information is exposed, individuals face a wide range of serious consequences, impacting their financial security, privacy, and even mental well-being. Here’s a breakdown of the potential consequences of a data breach for individuals:

• Identity theft and fraud: Exposed personal details like names, Social Security numbers, dates of birth, and addresses can be used by criminals to commit identity theft.
• Financial loss: Stolen personal information, such as credit card details, bank account numbers, and social security numbers, can be used by cybercriminals to commit fraud and theft. Financial institutions may freeze your accounts or tighten security measures to prevent further damage. This can disrupt access to your own funds and cause significant inconvenience.
• Stress and anxiety: Victims can feel violated and helpless, knowing their personal information is in the hands of criminals. The constant vigilance required to monitor for further fraudulent activity can lead to chronic stress, anxiety, and even depression. 
• Loss of privacy: If data accessed includes medical records, private communications, or other confidential information. 
• Out-of-pocket costs: Individuals may face fees for credit monitoring services to track suspicious activity, costs for canceling and replacing compromised cards, and legal fees to resolve disputes.
• Long-term credit damage: Unauthorized activities and identity theft can lead to a (sometimes significant) drop in credit ratings, making it challenging to obtain loans and mortgages. The process of correcting credit reports and restoring creditworthiness can be time-consuming.
• Declining trust: Frequent data breaches can erode trust in companies and institutions that handle personal information.

For businesses

Below you’ll find some of the costly consequences of a data breach for businesses:

• Financial losses: Including direct expenses related to incident response, legal fees, regulatory fines, and compensation to affected individuals.
• Reputational damage: The trust and confidence of customers, partners, and the public can be severely damaged following a data breach.
• Loss of business: Customers may choose to switch to competitors if they lose trust in a company’s data security practices.
• Legal and regulatory consequences: Facing legal actions and regulatory fines is possible if found to be in violation of data protection laws.
• Operational disruption: Cyberattacks, such as ransomware, can lock critical systems and data, rendering them inaccessible until a ransom is paid or the system is restored. Responding to a breach can disrupt business operations and employee productivity. Businesses may experience downtime due to security investigations, system repairs, and customer service demands following a breach.
• Loss of intellectual property: Possibly including trade secrets, proprietary information, and sensitive business data. This loss can be detrimental to a company’s competitive edge and future growth prospects.

What are some of the lessons we can learn from Australia’s data breaches? 

These are some lessons we can learn from Australia’s data breaches highlighting the importance of comprehensive and proactive cybersecurity strategies:

• Shield from ransomware: MediSecure’s ransomware attack highlights the need for layered security measures and continuous monitoring to reduce vulnerabilities.
• Strong encryption for sensitive data: Based on the nature of the Ticketmaster breach (stolen personal details and partial credit card information), any sensitive data should be encrypted both at rest and in transit using robust encryption algorithms. This makes the data unreadable even if attackers gain access to it.
• You’re only as secure as the weakest link: If one business has airtight security, but sends data to another company with flaws in their system, that data is vulnerable. All partners must verify, not just trust, that any data sent to their partners is safe there.
• File transfer security: Shell’s exploited vulnerability in MOVEit file transfer vulnerability shows the importance of securing file transfer platforms. Businesses need to assess and patch vulnerabilities in all systems holding sensitive data.
• Securing data throughout its lifecycle: The Telstra breach highlights the need for classifying and encrypting sensitive data, managing access controls, and securely disposing of outdated information.
• API security & mitigating human error risk: The Optus breach emphasizes securing APIs to prevent unauthorized access and the importance of robust cybersecurity practices to minimize human error as a vulnerability.