What’s the average cost of a data breach in Australia?

The financial impact of a data breach on organisations in Australia is approximately $4.03 million with the majority of businesses passing on the cost to customers through an increase in the prices of services and products.

Taking an average of 204 days to identify an attack in the first instance, companies then require an additional 73 days to contain breaches.

Only one-third of organisations discover data breaches through internal security teams however, with 67% of incidents reported by a benign third party or by the attackers themselves. When attackers do disclose a breach to the public, such a declaration costs organisations almost $1.5 million extra compared to an in-house detection.

The costs – calculated and reported in AUD based on a USD conversion rate of 1.4916 – place Australia as the 13th most expensive country or region in the world for a data breach, behind the US (#1), Canada (#3), UK (#6) and ASEAN (#11) among others.

That’s according to IBM findings – The Cost of a Data Breach Report – which examines the financial consequences of 553 data beaches locally and globally that occurred between March 2022 and March 2023.

While the cost of a data breach in Australia is down slightly from $4.36 million in 2022, the global average cost stands at $6.64 million.

Of all record types, customer and employee personal identifiable information (PII) is the costliest to have compromised – names and social security numbers cost organisations an average of $272 per record. The least expensive record type to have compromised is anonymised customer data, which costs organisations $206 per record.

More than half (52%) of all breaches involved some form of customer PII during 2023, up five percentage points from 2022. This is followed by employee PII (40%) and corporate data, such as financial information and client lists (21%).

“The threat of a cyber incident can no longer be classified as remote or novel,” said Paul Kallenbach, Partner at MinterEllison. “Cyber security and privacy by design must be embedded within the culture and planning of every organisation. Proactive and agile management and response to cyber risk are the new normal.”

During that period in Australia, and based on analysis in MinterEllison’s 2023 Cyber Risk Report, major cyber incidents included:

• Tasmanian Government (April 2023): Hacking group known as ‘Cl0p’ impacted 16,000 individuals, including the names and schools attended by minors, bank account details and birth dates of students.
• Latitude Financial (March 2023): Hackers exposed 14 million records, including copies of identification documents (drivers licences, passports and Medicare cards) and other customer information.
• Atlassian (February 2023): Hacking group known as ‘SiegedSec’ affected 13,000 employees through the sharing of names, email addresses, phone numbers employment information.
• LJ Hooker (December 2022): An unknown ransomware gang exposed 375 GB of customer and employee data which included passport details, credit card information and loans data.
• AirAsia (November 2022): Ransomware group known as ‘Daixin Team’ impacted five million passengers and all employees, affecting names, dates of birth, country of birth, location and ‘secret question’ answers.
• Medibank (October 2022): A Russian hacking group exposed the phone numbers, email addresses and medical information of 9.7 million customers.
• MyDeal (October 2022): Hackers stole data impacting 2.2 million customers, spanning names, email addresses, delivery addresses, phone numbers and dates of birth.
• Vinofomo (October 2022): Hackers exposed the private information of 500,000 customers – names, gender, email addresses, phone numbers and dates of birth.
• Optus (September 2022): More than 10 million customers were affected through the exposure of names, dates of birth, drivers licences, Medicare card numbers and passport numbers.
• Deakin University (July 2022): Hackers accessed the personal information of 46,980 current and former students – names, student IDs, email addresses and academic results.
• Amart (May 2022): Roughly 100,000 customers had names, addresses and phone numbers exposed.
• Cash App (April 2022): A former employee hacked into the personal information of 8.2 million customers – names, brokerage account numbers, stock trading portfolios and stock trading activity.
• Red Cross (January 2022): Hackers affected 515,000 individuals through the exposure of personal information of highly vulnerable individuals from 60 Red Cross societies globally.

During the final six months of 2022, malicious or criminal attacks comprised 70% of all notifications to the Office of the Australian Information Commissioner (OAIC). Ransomware remains the primary source of cyber incidents (29%), followed by compromised or stolen credentials and phishing.

Essential Eight framework under-utilised

According to MinterEllison findings, while 78% of organisations have a cyber security response plan in Australia, only 53% test such a plan annually and assess it against established frameworks such as the ASD Essential Eight or the NIST Cybersecurity Framework.

“A plan that sits in the bottom drawer without regular testing and refinement will not provide a roadmap to an adequate response to a cyber attack,” Kallenbach cautioned. “Cyber preparedness is a continuous journey, there is no destination.”

Within this context, 63% of local businesses are not confident that their organisation understands what and where their data is stored, and who has access to it. A notable outlier is the financial services sector in Australia with 62% of businesses confident their organisation understands where its data is stored.

Additional costs experienced by organisations that didn’t involve law enforcement in a ransomware attack is approximately $700,000 in Australia, according to IBM findings.

Of the 37% of business that excluded law enforcement following a breach, the financial impact was a 9.6% increase in costs and a 33-day longer breach lifecycle.

From a standards perspective, Kallenbach said almost all (91%) businesses locally understand the regulatory and contractual obligations in the event of a data breach.

“This is unsurprising, given the amount of new and overlapping regulation,” he added. “But on the other hand, regulators are actively advertising their aggressive approach to addressing poor cyber hygiene.”

As noted by Kallenbach, key regulatory developments during the past 12 months include:

• amendments and reform proposals to the Privacy Act 1988 (Cth) (Privacy Act)
• greater security obligations imposed on telecommunications carriage service providers
• the commencement of new risk management rules for critical infrastructure assets.

“These developments and reform proposals aim to enhance organisations’ capacity to manage
and mitigate cyber risk,” he explained. “However, implementation of these new obligations comes with considerable costs, and for many organisations, they will contribute to an already onerous web of overlapping cyber regulation.”

In December 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) took effect. The legislation amended the Privacy Act as the first tranche of reforms resulting from the Privacy Act review.

This amending Act was an expedited response to the Optus and Medibank data breaches, in which maximum civil penalties for serious or repeated interferences with privacy significantly increased:

• for a person other than a body corporate – to $2.5 million (previously $444,000); and
• for a body corporate – to an amount not exceeding the greater of the following (previously $2.2 million)

“We are at an inflection point, where the likelihood of a cyber attack is far higher than the likelihood of not being attacked,” Kallenbach added. “We have just seconds to protect years of data – we need to use that time wisely.”