In what cybersecurity experts are calling an "alarming trend," Australia has seen the number of massive data breaches exposing the personal information of more than one million people double in just five years, according to a comprehensive analysis of government records.

The findings, published in the latest StickmanCyber Report on Data Breaches in Australia, paint a disturbing picture of the country's digital vulnerability and raise serious questions about the adequacy of current cybersecurity measures across Australian businesses.

The report, which analyzed over 6,000 Notifiable Data Breach (NDB) reports submitted to the Office of the Australian Information Commissioner (OAIC) since 2018, reveals that mega breaches affecting one million or more individuals have increased from just four incidents in both 2019 and 2020 to ten such breaches in 2023.

The evidence clearly shows that cybercriminals are targeting larger datasets with greater precision than ever before, creating breaches of unprecedented scale.

Even more concerning is the surge in breaches affecting 10,000 or more individuals, suggesting that attackers are becoming increasingly sophisticated in their ability to access and extract large volumes of sensitive data.

Hidden for Weeks, Sometimes Months

Perhaps the most troubling aspect of these mega breaches is how long they remain undetected. According to the report, nearly a third (28%) of breaches exposing more than one million people went unnoticed for 30 days or longer.

A month is an eternity in cybersecurity terms. In that time, stolen data can be sold multiple times on the dark web, identities can be stolen, and financial accounts can be drained.

Some organizations failed to provide any breach identification date in their reports—a red flag that suggests significant gaps in their security monitoring capabilities.

While smaller breaches typically result from malware or phishing attacks, the StickmanCyber report identified compromised credentials as the leading cause of mega breaches. This finding indicates that stolen or leaked passwords and login information remain the Achilles' heel of many organizations' security infrastructure.

It's 2025, and major breaches are still being caused by password issues. The continued reliance on single-factor authentication by some organizations appears increasingly outdated given the sophistication of today's cyber threats.

Vast Underreporting Suspected

The report also raises serious concerns about systemic underreporting of breaches. According to StickmanCyber's estimates, approximately 200,000 organizations in Australia are required to report notifiable data breaches to the OAIC - including businesses with annual turnover exceeding $3 million and organizations that routinely collect sensitive data.

Yet only about 900 reports are submitted annually, with a third coming from just two sectors: finance and healthcare. The report estimates that a mere 0.04% of large businesses submitted reports to the OAIC last year - a figure that seems implausibly low given that a recent industry survey found 41% of businesses experienced a breach in 2023.

The gap between reported breaches and likely actual incidents suggests we're only seeing the tip of the iceberg. Many organizations may be either unaware they've been breached or choosing not to disclose incidents.

The Path Forward

Australian businesses need to move beyond mere compliance with privacy laws and embrace a truly security-first mindset. This means implementing multi-factor authentication across the board, investing in better breach detection capabilities, and establishing clear incident response protocols.

The report recommends five key steps for organizations: enhancing credential security, improving breach detection, implementing timely incident response, increasing reporting transparency, and conducting ongoing employee education.