ABC News

This is the most detailed portrait yet of data breaches in Australia

But there's still a huge amount missing from the picture.

Every bubble in the chart below is a data breach that put Australians at likely risk of "serious harm".

It shows a total of 2,784 recorded breaches since the start of 2020 — covering everything from the Optus and Medibank breaches, which exposed the personal information of millions, to mistakenly sent emails only affecting a single unlucky person.

The chart is based on the official record of data breaches reported to the Office of the Australian Information Commissioner (OAIC), obtained and published for the first time by the ABC.

The data does not name the organisations involved in each breach — among other notable omissions. However, it still provides the most detailed portrait yet of the scale of the problem.

The size of the bubbles represents the number of people worldwide affected in each data breach reported to the OAIC.

Data breach disclosures reported to the OAIC since 2020

A handful of the anonymised entries in the log have been identified by the ABC.

A quick glance at the data tells us that we’ve missed a few things in recent years.

Significant breaches affecting more than 10 million people worldwide have occurred in both 2020 and 2021, and we still don’t know which companies they affected or what kind of data was breached.

But one thing the chart does make clear is that the breaches that led to the biggest headlines, like the Optus and Medibank breaches in late 2022, weren't isolated incidents. And they didn't come out of the blue.

There were 164 fewer data breaches disclosed last year than back in 2020.

What's missing from this picture?

Although this dataset reveals the scale of the problem more clearly than ever before, it still does not capture its full extent.

The ABC has confirmed that data breaches involving at least two multinational giants — Amazon and Spotify — did not fall into the scope of 'notifiable events' in Australia and therefore do not appear in the dataset at all.

And there could be many more.

Media reports have identified Zoom, Meta, Microsoft, Twitch and Panasonic as all allegedly suffering data breaches. These companies all declined to respond to the ABC's questions about whether their breaches triggered reporting requirements to Australian authorities.

Do you have inside information about a data breach? Contact julian.fell@abc.net.au.

With multiple significant breaches unreported and the possibility of many more, it's clear that the OAIC's disclosure log is not a complete record of the breaches affecting Australians.

That's at least partly because to be eligible for disclosure under the Privacy Act, a data breach has to put the affected individuals “at likely risk of serious harm”.

But who gets to decide whether there's such a risk?

Well, it turns out the organisation affected by the data breach can itself conduct that assessment — deciding whether there is a risk of serious harm and therefore whether the breach needs to be disclosed.

And Lyria Bennett Moses, a cybersecurity law expert at UNSW, believes organisations are not well placed to make that assessment.

The organisation that has been breached is "only going to know what information they're adding to the ecosystem, not what information is already out there", she explains.

Lyria Bennett Moses wants Australia’s disclosure laws to be strengthened. (Supplied: Lyria Bennett Moses)

"One bit of information might not tell anyone anything much [about an individual].

"But as you accumulate more information, you can start to put those things together to form quite a comprehensive picture."

This is known as the mosaic effect – and it's a big reason why Professor Bennett Moses says Australia's disclosure laws need to be strengthened.

An OAIC spokesperson said “entities must assess the risk of serious harm holistically".

The spokesperson did not provide further clarification on how the mosaic effect is accounted for in practice.

Amazon and Microsoft said they comply with their legal obligations. An Amazon spokesperson also stated that "where required, relevant regulatory agencies were informed."

Jane Andrew is co-lead of a research effort at the University of Sydney Business School that is tracking media reporting around data breaches.

After inspecting the anonymised disclosure data obtained by the ABC, her immediate reaction was that this tells us “there's a lot going on that is not being reported" to the public.

"It's only really a few data breaches that we're talking about as a community," she says, adding this level of opacity around data breaches is "quite extraordinary".

Jane Andrew says "there should be requirements to report on data breaches publicly." (ABC News: Jerry Rickard)

“Data breaches are now a regular occurrence, yet we are mostly unaware of their scale, the organisations they affect, the nature of the data made available, or how organisations attempt to mitigate these risks.

“And we can't even have a conversation about this if we don't know the scale of it."

When a breach is detected, organisations are only required to inform the regulator and the individuals directly affected by it.

The vast majority of incidents – including two of the three largest in the log – remain unidentified despite assistance from Professor Andrew's team.

Largest data breaches disclosed to OAIC since 2020

Following further inquiries, the OAIC revealed that the numbers of Australians affected by the two largest unidentified breaches were 729,646 and 186,091 respectively.

These may be the largest breaches in terms of people affected, but their size doesn't tell us anything about the sophistication of the attacks that caused them.

Optus was responsible for the digital equivalent of leaving the window open, and a single compromised password was enough to access Medibank’s customer data.

But the nature of the other breaches in the data – which is needed to fully understand the cyber threat facing Australia – still remains frustratingly out of reach.

We don't even know when many of these breaches actually occurred.

The dates in the disclosure log only refer to when the OAIC was notified of them, and with the possibility of companies "sitting on" breaches before disclosing, their timing is thrown into question.

As with many other details, the OAIC has not provided further information about the timing of the disclosures on a case-by-case basis.

All we have to go on are the aggregated numbers – the latest report showed 29 per cent of breaches taking over a month to be reported.

Some of the breaches in the log took place months, or even years, earlier than the data indicates – only, we don't know which ones they are.

Building trust in the system

Professor Andrew believes the current disclosure laws leave too much discretion in the hands of organisations that have suffered a breach.

As things stand, “it is impossible to construct an informed view as to what we could or should expect from the organisations we have entrusted with our data”, she says.

A recent incident involving medical research institute QIMR Berghofer is the latest example of a data breach that was not formally announced to the public. A subset of the institute’s skin cancer survey data was potentially exposed in a breach of its third party contractor Datatime’s servers.

In accordance with its legal obligations, QIMR Berghofer notified all individuals who had been affected by the data breach and the relevant regulator, but it was not required to make any public disclosure.

The institute was continuing to run surveys without potential participants knowing about the breach that had occurred.

QIMR Berghofer was not required to make any public disclosure of a data breach. (ABC News: Cameron Lang)

Professor Andrew is convinced of the need to implement reforms that require organisations to report data breaches to the public.

She likens the situation to the transparency expected of companies on the ASX.

“Our stock exchange benefits from stringent reporting obligations because they mean we can trust the information that’s being provided," she says.

"They underpin our trust in the system."

And she says that the same principles should apply when it comes to how companies manage customer data.

"I don't know why we think about data differently [to financial disclosures]," she says.

"We don't have a choice around participation in the digital economy. People don't feel in control of their data, and that needs to change."

There are signs of change

In Canberra, Attorney-General Mark Dreyfus is conducting a review into the Privacy Act, which includes the data breach disclosure laws.

In a statement to the ABC, a spokesperson for the attorney-general said "data breaches are not a new issue as the data from [the OAIC] indicates".

"Regrettably, previous Coalition governments did not act to strengthen the Privacy Act so authorities could better deal with these data breaches."

While it's easy to blame the previous government for inaction, the results of this review will have to speak for themselves.

Attorney-General Mark Dreyfus is conducting a review into the Privacy Act. (ABC News: Matt Roberts)

The Privacy Act Review Report, released in February, makes a number of recommendations, though neither changes to the 'serious harm' rule nor public disclosure requirements are among them.

In their submission to the review, the OAIC suggested that the 'serious harm' rule be maintained.

An OAIC spokesperson told the ABC that "a targeted approach avoids causing unnecessary distress to individuals who are not at risk, limits notification fatigue and reduces the administrative cost for regulated entities".

The attorney-general's office declined to comment on these aspects of the review.

Under the limited changes proposed in the review, organisations will continue to self-assess the risks stemming from incidents that they themselves have played a part in.

And the incentives to underplay these risks are significant. Just look at how Optus tried to claim the cause of its breach was sophisticated, despite Minister for Cyber Security Clare O'Neil later saying it was a "basic" failure.

Late last year, the government increased the OAIC's investigative powers and raised the maximum penalties for breaches.

But what use will they serve if the regulator fails to hear about a breach in the first place?

And it's not just the regulator that needs to be informed.

As long as the details of these breaches remain behind closed doors at the OAIC, the full story of how the data of Australians is being managed – or mismanaged – will continue to go untold.
