Top Five catastrophic Aussie data breaches

August 11, 2020
Safety and Privacy

Top Five catastrophic Aussie data breaches

Is your financial and identity information online? Is it safe to hand over your financial and other information to financial, health, insurance and other companies online? You might be tempted to think the answer is NO, based on recent data from the Office of the Australian Information Commissioner (previously known as the Privacy Commissioner).

Buying, selling, joining, transacting online means handing over personal, financial and identity information to companies that may or may not hold your information securely.

While cash is safe, private and surcharge-free, card payments and online transactions are full of information that can be used by criminals.

Some of the companies that are asking for our information and payments don’t seem to be up to the job of keeping it safe. There were more than 500 notifiable data breaches in the first 6 months of the year, involving millions of customer details, including ID docs, bank accounts, card numbers, DOBs and addresses.

But many companies need to be told even the basics. Like delete your old emails that contain customer information. Human error breaches spiked in May but of more concern is that many companies are not adequately informing their customers when a breach has occurred.


Here are our Top Five recent Australian computer system data breach scandals:


5. May 2020: 774,000 migrants have their details exposed by Dept of Home Affairs

The names, birth country, age, qualifications, marital status, the “ADUserID” and the outcome of immigration applications of people applying to the Australian Department of Home Affairs between 2014 and 2020 were all exposed on an insecure app for years.

A media organisation exposed the SkillsSelect app that basically let anyone log in and look up the details of other users.

Monique Mann, an Australian Privacy Foundation board member, told Guardian Australia that the federal government has a “consistently poor track record that shows that we cannot trust them with our personal information.”

SkillsSelect was taken offline for maintenance but users were not notified of the breach.


4. In court in 2020: 300K Australian Facebook users politically profiled

In the biggest data breach in Facebook history, more than 300,000 Australian Facebook users had their private information exposed to now banned political consultancy Cambridge Analytica.

Cambridge Analytica’s ‘This is your digital life’ Facebook app allegedly breached the Privacy Act by selling and using user data for a range of purposes well outside what consumers were aware of, including political profiling.

Between 12 March 2014 to 1 May 2015, between 311,127 Facebook users were allegedly profiled according to court documents. The Office of the Australian Information Commissioner has taken Facebook to court over the breach.

Globally, 87 million people allegedly had their information illegitimately collected and used for purposes outside their consent.

Facebook banned Cambridge Analytica and made changes to how third-party apps store and use user information.


3. 2020: COVID-19 Netwalker crimewave hits Aussie companies

An advanced strain of ransomware called Netwalker is helping sophisticated brazen criminals take control of customer databases and hold them for millions of dollars in ransoms.

Netwalker is thought to have netted $35 million in ransoms in the last five months.

Aussie Garmin users were caught up in a major hack and ransom incident in July 2020. Garmin paid the ransom to the criminals to get user details back.

A WA company system was held for $30 million ransom in March 2020. Freight and parcel deliveries were disrupted in February when Toll Group was hacked and held to ransom. Telstra, Officeworks and Footlocker were impacted by the Toll incident in the which the company battled the criminals for control of its own system for weeks.

Car auction company Manheim collects customer driver’s licences, dates of birth, addresses and other personal information and was attacked by ransomware hackers on 15 February. Manheim has locations and customers throughout Australia and 145 other locations around the world.

The Office of Australian Information Commissioner identified a surge in ransomware attacks in the first half of 2020. The Commissioner identified a particular strain of ransomware as the main culprit.


2. March 2020: TAFE loses student information, doesn’t realise for more than a year

90,000 people were impacted when huge TAFE, Melbourne Polytechnic, lost 55,000 files and didn’t realise it.

Personal, health, financial data was accessed but not student performance records. Student’s Melbourne Polytechnic usernames, passwords and email addresses were hacked.

“It is possible that any information held in those Melbourne Polytechnic accounts at that time was exposed,” said Melbourne Polytechnic.

A small number of people may have had passport, driver’s licence, card, super account, TFN and Medicare details accessed.

Melbourne Polytechnic CEO Frances Coppolillo said:

“I offer my sincere apologies to all the people affected by this data breach, in sharing your information, you expected us to keep it safe and I am sorry that we were not able to do so.

“We are deeply sorry for the impact that the theft of this personal data might have.”

The privacy breach was notified in 2020 but occurred in 2018.



1. May 2019: Canva’s 139 million users hacked in media stunt by GnosticPlayers


Graphic design site Canva is based in Sydney, started in 2012 and grew to a top 200 global site with almost 140 million customer accounts.


Infamous hacker GnosticPlayers took over the Canva database, proved it to a media outlet and held stolen data including customer usernames, real names, email addresses, city & country information, password hashes and Google tokens.


The company said: "We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised.”


“As a safeguard, we are encouraging our community to change their passwords as a precaution."


The hack has not greatly harmed the company Canva.com is now ranked #111 in global traffic rankings by Alexa, up from #170 at the time of the hack (24 May 2019).



Related posts