International computer-hacking syndicates will be eyeing off more Australian targets after a string of recent data breaches, a cybersecurity expert says.
Companies — including Optus and Medibank — recently revealed that millions of customer records have been exposed.
Ben Walker worked in cybersecurity in the private health insurance industry for six years, and says hackers will now "see Australia as a soft target".
"I think [hackers] will be emboldened by this … they'll probably come again looking for another organisation to exploit as well," he said.
"They would be interested in … the fact that two massive companies in Australia have both been impacted in short succession."
While Medibank is yet to detail the cause of the breach, he fears the insurer may have left itself vulnerable.
"I think the truth is … [the company] would have either left the door unlocked, or a door open, or a window unlocked, or a window open," Mr Walker said.
Medibank's chief executive, David Koczkar, has offered an unreserved apology to those affected and promised to continue to provide customers and the public with updates on the investigation.
Mr Walker said he was surprised when the company announced it had been struck.
"Medibank is actually quite sophisticated and quite mature when it comes to [its] cyber defences," Mr Walker said.
"If it wasn't Medibank, it certainly could have been one of the other big private health insurers," he said, adding hospitals or general practice surgeries could be future victims.
"My advice to all Australian organisations would be: 'Be on the lookout'.
"I think there'll be an increasing prevalence of hacks, with millions of records exposed."
There has been a spate of cyber attacks in recent weeks, including a ransomware attack on a private IT provider to the Department of Defence, revealed on Monday.
Many breaches going unreported
University of Sydney data breach researcher Jane Andrew said smaller organisations that have been affected by cyber attacks were likely "keeping it quieter" to avoid scrutiny.
Australia's data breach notification laws only require companies with an annual turnover of $3 million or more to notify the privacy commissioner about exposed customer data.
Professor Andrew added that current legislation only required companies to disclose to the commissioner, but not to the public.
"Organisations [such as] Optus are telling us, not because they have to under the law, but because they know they're going to be subject to scrutiny," she said.
Attorney-General Mark Dreyfus last week introduced a bill to amend the Privacy Act, increasing fines for massive data breaches to a minimum of $50 million.
The current maximum penalty for serious or repeated breaches of privacy is around $2 million.
Professor Andrew said stronger fines were helpful but "not enough", saying all companies should be forced to disclose breaches.
Medibank declined to respond to written questions from the ABC for this story, citing advice from the Australian Federal Police.
In a statement, an Optus spokesperson said:
"Optus apologises to customers who have been victims of this attack.
"We recognise the concern this has caused and have been working – and will continue to work – alongside government to minimise impacts on those affected.
"We have put in place a range of measures to protect customers, including replacement of documents with exposed numbers."