Australia suffered two major cyberattacks in October, compromising the personal information of around 14 million people in total. A recent Reuters report suggests that under-recruitment of cybersecurity professionals could be partly to blame.
In late September, Australian telecoms firm Optus was hit by a massive cyberattack affecting around 10 million people. Just weeks later, insurance provider Medibank suffered a similarly devastating incident.
Further smaller—but still serious—data breaches have since hit Australian organisations, including an attack on wine retailer Vinomofo affecting 700,000 individuals and a ransomware attack on military communications platform ForceNet.
The combined impact of the attacks is thought to have affected well over half of Australia’s population.
Some commentators argue that Australia’s lack of cybersecurity experts leaves the country unprepared for the wave of cyber incidents—and that copycat attacks could follow.
In 2021, following the reopening of borders post-Covid, immigration authorities reported a backlog of around one million visa applications submitted by people trying to find work in Australia.
Most of the jobs to be filled are in the cybersecurity and tech sectors—posts offered by firms aiming to fill vacancies abroad.
Sanjay Jha, chief scientist at the University of New South Wales Institute for Cybersecurity, told Reuters:
“They don’t have enough trained people to take it seriously and do what is needed.
“Sometimes you’re ticking a box in an Excel spreadsheet and you don’t understand what you’re doing, and then the outcome is not going to be great. You need people who are really skilled and trained properly.”
Broader analysis paints a picture of strained cyber defences across Australia, where malicious actors have grown in strength and numbers on the back of working-from-home trends and the availability of online hacking software.
This trend has hit business communities hard in Australia, largely owing to the high profile of firms targeted and the sensitive nature of the information—much of which is medical data—being exposed.
As reported by Reuters, cybersecurity risk expert Win-Li Toh, principal at Taylor Fry, said: “[Australia] is a rich country, a first-world country that does a lot of business, that has a lot of data, so therefore it is targeted.”
“Trying to employ people to defend your assets is getting harder because there just aren’t enough people coming out, and education will take one to two years.”
Australian officials met with fellow national counterparts at the White House earlier this week to discuss the situation and explore new ways to address the increasing ransomware and cyber-crime problems affecting organisations worldwide.
The data breaches have also left the Australian public and politicians calling for long-planned reforms to the country’s privacy regime to be expedited.
The country’s Privacy Act of 1988 is relatively weak compared to the privacy laws of other countries with similarly advanced economies.
A review of the Privacy Act has been underway since December 2019. The outcome is likely to result in significant reforms to Australia’s data protection framework.
The law’s data breach notification rules could be expanded, which could lower the threshold at which organisations would be obliged to report a data breach.
Australia is also considering implementing a “private right of action” that would empower individuals to take organisations to court if their privacy rights are violated by the organisation’s non-compliance with the Act.
The review is also considering changes to the scope of the Act (which is currently unusually narrow for an advanced economy), which could mean that many more businesses are required to comply with the law.