There is Something Rotten in Australian Corporations Relating to Cyber Security

Australia finds itself in the midst of an escalating cyber crisis and it's not going away. The past few years have delivered a relentless series of breaches, each one more sobering than the last. From the theft of sensitive medical records at Medibank to the sprawling compromise of telecommunications giant Optus, and most recently, the April 2025 attacks against Australian Super and multiple superannuation funds – the trend is no longer deniable.

These are not isolated incidents. They represent the symptoms of systemic weaknesses embedded deep within Australian corporate culture and governance. The attackers have evolved, but more importantly, they have identified Australia as fertile ground for exploitation. In my role as CEO of Cyber Impact Consulting, I have seen firsthand how fragile the defences of many of our largest enterprises truly are.

This paper is an evidence based, ground level examination of what is failing inside Australian boardrooms and IT systems alike. It is also a call to action. Using real world examples, expert insights, and recommendations drawn from both international best practice and our own hard earned lessons, this paper provides a roadmap to rebuild trust and resilience in our corporate cyber postures.

The stakes are human. Every breach compromises not just data, but the trust of our customers, the confidence of our investors, and the security of our nation’s economy and defence. Cyber terrorism is real. The moment to act is now.

A Wave of High Profile Breaches Across Industries

What is it going to take to get our attention? How many more attacks are we going to allow before this is taken extremely seriously? The evidence clearly demonstrates Australia has a serious problem. Just look at some of the attacks.

Optus: Exposed API Leads to Massive Data Breach

In September 2022, Optus suffered a breach affecting 9.8 million current and former customers, triggered by an exposed, unauthenticated API endpoint [1]. Personal details such as names, addresses, dates of birth, phone numbers, passport numbers, and driver’s license numbers were stolen.

The impact on customers was severe. Thousands reported identity theft and financial fraud attempts. Melbourne customer Jasmine told ABC News: “I just keep thinking, how much more is out there that I don’t know about?” [1]. Many had to replace identity documents at their own cost, with over 100,000 affected according to the Office of the Australian Information Commissioner.

Medibank: Sensitive Health Data Published Online

In November 2022, Medibank confirmed a cyberattack affecting 9.7 million customers, including 480,000 health claims. Ransomware attackers accessed and later published sensitive data including treatments for mental health and chronic illnesses.

Samantha, a Medibank customer, described to The Guardian her devastation upon discovering her private health records were online: “It felt like my most private thoughts and vulnerabilities were suddenly public. I felt violated.” The emotional toll extended far beyond financial loss, compounding anxiety and leading many victims to seek further mental health support.

Latitude Financial: Old Data, New Risks

In 2023, Latitude Financial revealed a breach that exposed data from as far back as 2005, affecting over 14 million individuals. The incident highlighted failings in data retention and vendor risk management. Stolen data included driver’s license numbers, passport numbers, and financial details.

The Office of the Australian Information Commissioner criticised Latitude for holding excessive amounts of outdated sensitive data. This breach reinforced the urgent need for Australian businesses to practice rigorous data minimisation.

Australian Super: April 2025 Credential Attacks

In April 2025, credential stuffing attacks targeted multiple Australian super funds. Customers of Australian Super and others received notifications of suspicious login attempts and account takeover efforts.

Greg Thompson, a Brisbane retiree, shared his fears with The Age: “They tried to change my withdrawal settings. I was terrified – this is my retirement savings. I’ve worked my whole life for this.” The incident sparked widespread concern about the adequacy of superannuation cyber security and the potential for cascading fraud across the sector.

Deakin University: Phishing Targets Students

In July 2022, Deakin University confirmed a breach compromising personal details of over 47,000 students. Hackers used the stolen data for targeted SMS phishing campaigns, tricking students into providing banking details.

A student, Jake, told The Australian: “It looked real – the tone, the timing, everything. I clicked the link, filled in my details, and within hours my bank called me about suspicious activity.” The attack demonstrated how cyber incidents often snowball into secondary attacks, compounding damage.

Root Causes of Australian Corporate Cyber Failures

As we analyse these breaches, one theme emerges with clarity: these are not just technical failures. They are organisational and cultural failures, rooted in persistent underinvestment and short term thinking. Let’s examine the most critical causes.

1. Cyber Security as a Cost Centre

Too often, cyber security is seen purely as an expense, not as a risk mitigant or trust enabler. Before its breach, Medibank reportedly allocated less than 2% of its IT budget to cyber security. This misperception leads to underinvestment in proactive defences, making organisations attractive targets.

2. Short Termism in Executive Incentives

Executive KPIs are typically tied to short term financial outcomes rather than long-term resilience. Growth and market share dominate boardroom discussions, pushing risk mitigation to the sidelines until it is too late. In the Optus case, rapid customer acquisition goals overshadowed basic cyber security hygiene.

3. Underestimation of Risk Exposure

Many boards still mistakenly believe they are unlikely targets. Prior to April 2025, Australian Super reportedly assessed their cyber risk as low likelihood. This gross underestimation of the threat landscape left them vulnerable to credential stuffing attacks.

4. Board Level Cyber Literacy Gaps

A recurring issue is the lack of cyber fluency among non-executive directors. According to the Australian Institute of Company Directors, fewer than 30% of Australian board members consider themselves highly cyber literate. This inhibits meaningful challenge and oversight of management’s cyber risk handling. Other than perhaps one or two organisations (literally), there are no ex-senior CISOs sitting on boards.

5. Misunderstanding Of Cyber Insurance

Organisations have, for too long, treated cyber insurance as a substitute for robust controls. However, post-breach, many companies face exclusions due to negligence. Optus encountered significant challenges with their cyber insurance coverage following their breach.

6. Outsourcing (Supply Chain) Without Adequate Oversight

Supply chain vulnerabilities have consistently been exploited. The Latitude Financial breach in 2023 originated from a third-party service provider, highlighting the dangers of weak vendor risk management.

7. Shortfall Of Demand

Australia faces a significant shortfall of demand for the cyber workforce. Deakin University, for instance, employed only two full-time cyber security specialists pre breach. In addition, budgets for trusted advisors, consultants and FTEs are being cut, whereas globally, where there is real demand, average incomes are much higher than in Australia.

8. Reactive Security Culture

A reactive mindset pervades too many organisations. Security investment often spikes only after breaches occur. Following their incident, Latitude Financial accelerated their cyber uplift program – but far too late to prevent the compromise.

So What?

These are systemic issues, not isolated lapses. Until Australian corporations confront these root causes head on with urgency and sustained commitment, they will remain easy prey in an increasingly aggressive global threat environment.

International Comparisons: Lessons from Global Leaders

While Australian corporations continue to fall victim to cyber attacks, many global counterparts have shown what effective cyber security leadership looks like. Countries like the United States, the United Kingdom, and Singapore offer instructive contrasts.

United States: Regulation Meets Investment

In the wake of major attacks such as the Colonial Pipeline ransomware incident in 2021, the United States rapidly escalated both regulatory and investment responses. President Biden’s Executive Order on Improving the Nation’s Cyber Security mandated rigorous supply chain risk management, multi-factor authentication, and endpoint detection across federal systems.

Private sector companies followed suit. Leading American enterprises allocate an average of 10-12% of their IT budgets to cyber security, compared to Australia’s typical 3-5%. The cultural shift is clear: cyber security is viewed as a competitive advantage, not just a compliance requirement. That said, I am not a fan of comparing cyber security spend to IT budgets, as cyber security transcends IT. I’ve kept it here as an indicator because people can relate to numbers.

United Kingdom: Embedding Cyber Resilience

The UK’s National Cyber Security Centre (NCSC) has pioneered public-private collaboration models. Their “Exercise in a Box” initiative offers free, accessible cyber resilience testing tools for organisations of all sizes. Cyber security is deeply integrated into UK corporate governance through mandatory board-level risk reporting.

Importantly, UK regulators have shown a willingness to impose hefty fines for negligence. British Airways and Marriott International both faced multi-million-pound penalties for data breaches in 2018-2019, reinforcing the seriousness of cyber accountability.

Singapore: National Scale Cyber Strategy

Singapore’s Cyber Security Act requires critical infrastructure providers to meet stringent cyber hygiene and incident reporting standards. The nation has also heavily invested in cyber skills development, establishing the Cyber Security Associates and Technologists Programme to upskill mid-career professionals.

Singaporean businesses benefit from high levels of government-led cyber threat intelligence sharing, creating a collective defence ecosystem rarely seen in Australia.

What Australia Can Learn

The international lesson is clear: nations that treat cyber security as both an economic enabler and a security imperative consistently outperform reactive, compliance-driven approaches.

Australia must adopt a similar mindset. Our regulatory frameworks, while improving, remain fragmented. Investment levels lag global benchmarks. Boardroom engagement is still inconsistent.

If we continue to operate in isolation and underinvestment, we will fall further behind – and attackers will continue to take advantage.

Expert Opinions and Leadership Perspectives

The chorus of concern from Australia’s cyber security leaders is loud, clear, and unified. Across government, industry, and academia, there is consensus: Australia’s corporate cyber resilience is dangerously insufficient, and without urgent, coordinated action, the situation will only deteriorate.

The Australian Cyber Security Centre (ACSC): A National Alarm Bell

The ACSC, Australia’s foremost authority on cyber threat intelligence, has been unequivocal in its warnings. The 2025 Annual Threat Report painted a stark picture: a 23% year-on-year increase in cybercrime reports, with ransomware, phishing, and business email compromise continuing to dominate.

As the ACSC’s Director of Cyber Threat Intelligence articulated during the 2025 Cyber Resilience Summit: “We are seeing sustained targeting of Australian businesses and critical infrastructure. Cybercriminals are becoming faster, smarter, and more organised.”

The ACSC has emphasised the urgency of proactive threat detection and incident reporting, urging Australian businesses to participate in government threat-sharing initiatives and to embed intelligence-led defence strategies into their security architectures.

The Australian Prudential Regulation Authority (APRA): Elevating Board Accountability

For years, APRA has championed the integration of cyber risk into core governance structures. The release of CPS 234 established clear obligations for financial institutions to maintain information security capability, classify data assets, and ensure effective third-party management.

However, the superannuation breaches of April 2025 have spurred APRA to accelerate its reforms. The CPS 230 standard imposes even stricter requirements for operational resilience, explicitly framing cyber risk as integral to financial solvency.

As APRA Deputy Chair Helen Rowell warned: “Boards must understand that cyber risk is not optional risk – it’s systemic. Cyber resilience should be viewed with the same urgency as financial solvency.”

APRA’s leadership underscores the pressing need for directors and executives to take personal accountability for cyber posture, treating it not as a compliance exercise but as a critical component of fiduciary duty.

The Minister for Cyber Security: Cyber as National Sovereignty

Following the Australian Super breach in April 2025, the Federal Government made its strongest statement yet on the role of cyber security in national security.

Addressing the nation in an emergency briefing, the Minister for Cyber Security declared: “The attacks of April 2025 should be a final warning. Cyber resilience is fundamental to Australia’s economic sovereignty.”

The Minister’s comments reflect a shift in framing: cyber incidents are no longer viewed in isolation as corporate problems, but as matters of national economic stability and international competitiveness. The government has pledged to strengthen public-private collaboration and escalate investment in the national cyber security workforce.

The Australian Information Security Association (AISA): Bridging the Boardroom Gap

AISA, Australia’s leading professional cyber security body, continues to highlight the gulf between technical teams and executive leadership. The association has been vocal in its call for boards and senior executives to engage more deeply with their cyber teams.

Damien Manuel, former Chair of AISA, has been particularly blunt in his assessment: “We need to stop treating cyber security as an IT department problem and embed it into the DNA of Australian business.”

AISA advocates for cyber security representation in executive committees and strategic planning sessions, ensuring that cyber risk is integrated into business decision-making processes at every level.

Academic Voices: Building a Sustainable Cyber Workforce

Australia’s academic community is equally vocal about the looming cyber skills shortage. Dr Lesley Seebeck, Professor of Cyber Security at the University of New South Wales, has warned of a growing gap between demand and supply in cyber security expertise.

“Our research shows Australia risks a generational cyber capability gap. We must prioritise education and skills uplift alongside technology investments.”

Academic institutions are calling for expanded investment in STEM education, government-backed scholarships for cyber security disciplines, and closer collaboration between universities and the private sector to fast-track graduates into operational roles.

So What?

From intelligence agencies to regulators, from political leaders to industry advocates and educators, the message is unanimous: Australia cannot continue on its current trajectory. Cyber security is no longer a niche technical concern – it is a mainstream leadership responsibility.

Corporate Australia must listen to these expert voices, not as external commentary, but as direct guidance. Failure to do so will guarantee that the breaches of recent years are only the beginning.

Forward Looking Risks: The Threats on the Horizon

While Australian corporations struggle with today’s threats, the reality is that tomorrow’s cyber risks are evolving at an even faster pace. The global threat environment is intensifying, and without foresight, Australia risks falling even further behind.

AI Powered Attacks: The Rise of Automation in Cybercrime

Artificial intelligence is no longer just a defensive tool – it is increasingly weaponised by cybercriminals. AI enables attackers to automate phishing campaigns, craft convincing social engineering tactics, and rapidly identify network vulnerabilities.

The ACSC’s 2025 Annual Threat Report warns: “AI is allowing threat actors to scale their attacks faster than defences can respond.”

Australian organisations must anticipate AI driven attacks, invest in advanced detection capabilities, and upskill their security teams to understand and counter AI enabled threats. Granted, some organisations are doing this, but only those with massive budgets. Unfortunately those enterprises aren’t the only ones storing data that hackers prey on.

Quantum Computing: Future-Proofing Cryptographic Defences

Quantum computing presents a future challenge with the potential to undermine existing encryption standards. While large scale quantum computers are not yet operational, the concept of “harvest now, decrypt later” is already a concern.

As Dr Michelle Simmons, Director of the Centre for Quantum Computation & Communication Technology, has explained: “Organisations cannot afford to wait for quantum computers to materialise before upgrading their cryptographic protections.”

Proactive investment in quantum-resistant encryption is essential to protect sensitive data that must remain confidential for years or decades into the future.

Geopolitical Tensions and Supply Chain Risks

Australia’s reliance on complex, global supply chains exposes businesses to cyber risks beyond their direct control. According to the Department of Home Affairs, over 60% of Australian companies surveyed in 2025 reported limited visibility into their third-party cyber risks.

Addressing the Cyber Resilience Summit, the Minister for Home Affairs stated: “Australia must treat supply chain security as a frontline national defence priority.”

Organisations must scrutinise their vendor ecosystems, demand transparency, and ensure robust contractual obligations for cyber hygiene.

Critical Infrastructure Under Siege

Australia’s critical infrastructure sectors – energy, water, telecommunications, and transport – are increasingly targeted by state-sponsored and criminal actors alike. The Australian Government’s 2025 Security of Critical Infrastructure reforms have expanded regulatory oversight, but enforcement and compliance gaps remain.

Without sustained investment, these sectors will remain vulnerable to disruptive attacks that could cripple essential services and public trust.

So What?

The future threat landscape will not wait for Australian corporations to catch up. Proactive preparation for AI driven attacks, quantum computing disruptions, supply chain insecurities, and critical infrastructure targeting is essential.

Australia must act now to future proof its cyber defences – not when these threats have already materialised.

Human Impact Stories: Real Victims of Cyber Negligence

Behind every headline and data breach statistic are real Australians whose lives have been profoundly disrupted. These human stories illustrate the tangible cost of organisational cyber failures.

Optus Breach: Jasmine’s Fight Against Identity Theft

Following the Optus data breach in 2022, Melbourne resident Jasmine found herself battling a wave of identity theft. Fraudsters used her stolen ID to open bank accounts and apply for credit cards in her name.

Jasmine shared with ABC News: “I just keep thinking, how much more is out there that I don’t know about?”

She spent weeks contacting banks, government agencies, and credit bureaus to secure her identity. The financial cost was significant, but the emotional toll was far worse. Jasmine described the experience as “frightening and exhausting”, and she remains vigilant to this day.

Medibank Breach: Samantha’s Private Health Records Exposed

Samantha, a Medibank customer, was devastated to learn her private health records – including sensitive mental health treatment details – were leaked following the Medibank ransomware attack.

She told The Guardian: “It felt like my most private thoughts and vulnerabilities were suddenly public. I felt violated.”

The breach left her grappling with anxiety and fear of stigma. Like many others, she required additional mental health support, compounding the distress caused by the exposure of her most personal information.

Australian Super: Greg’s Retirement Under Threat

In April 2025, Greg Thompson, a retiree from Brisbane, received alerts of suspicious activity on his superannuation account amid the credential stuffing attacks.

Greg described the ordeal to The Age: “They tried to change my withdrawal settings. I was terrified – this is my retirement savings. I’ve worked my whole life for this.”

While his funds were eventually secured, the incident shook his confidence in the safety of his life savings and forced him to engage costly professional advice to ensure ongoing protection.

Deakin University: Jake Targeted by Phishing Attack

Jake, a student at Deakin University, was one of many victims of the university’s 2022 breach. Using stolen data, cybercriminals sent him a convincing SMS scam that appeared to come from the university itself.

Jake recounted to The Australian: “It looked real – the tone, the timing, everything. I clicked the link, filled in my details, and within hours my bank called me about suspicious activity.”

The phishing attack drained Jake’s bank account and left him deeply concerned about his digital security. It also disrupted his studies, as he dealt with the administrative and emotional aftermath.

So What?

These are not abstract examples. Jasmine, Samantha, Greg, and Jake are real Australians who suffered real harm because of corporate cyber security failures.

Their experiences serve as a powerful reminder that cyber breaches do not just impact balance sheets – they upend lives. Cyber security is not merely a technical issue. It is a human obligation.

Conclusion: An Executive Call to Action

As we conclude this analysis, the evidence could not be clearer.

Australia is not facing isolated cyber security failures – we are confronting a systemic crisis in corporate cyber resilience. From Optus to Medibank, Latitude Financial to Australian Super, and Deakin University, these are not anomalies. They are the predictable outcomes of long standing underinvestment, board level disengagement, and cultural complacency.

While cybercriminals innovate and accelerate their attacks, too many Australian organisations remain stuck in reactive cycles of compliance and minimal investment. We are paying the price in real time: through financial losses, reputational damage, regulatory penalties, and – most importantly – the human cost inflicted on Australians whose lives have been turned upside down.

For those that know me, I can be direct, and I will be now. Australia is running out of time.

This is not a future hypothetical. It is happening now, and it threatens not only individual companies but our national economic resilience. If we continue to treat cyber security as a compliance tick-box rather than a core strategic pillar, the next wave of breaches is not a question of ‘if’, but ‘when’. Read that last sentence again. Can your organisation really afford that?

What Must Change – Now

1. Commit to Leadership Accountability

Cyber risk is a boardroom issue. Boards must demand clear, plain English cyber risk reporting and take personal accountability for their organisation’s cyber posture.

2. Invest Ahead of the Curve

Proactive investment is far more cost-effective than breach recovery. Prioritise cyber uplift programs, next-generation defences, and continuous improvement of controls.

3. Embed Cyber in Corporate Culture

Make cyber security part of everyday business practice – from the executive suite to frontline employees. Embed cyber awareness into policies, procedures, and behaviours.

4. Strengthen National Resilience

Engage in threat intelligence sharing initiatives and public-private partnerships. Support the development of Australia’s cyber workforce through apprenticeships, scholarships, and research funding.

5. Protect Australians – Personally

Recognise that behind every dataset is a human being. Protecting customer data is not just a legal requirement – it is a moral responsibility.

My Final Word to Australia’s Corporate Leaders

You want the truth? Can you handle the truth? Sounds condescending, doesn’t it? Well, we are here for a reason. There is something rotten in Australian corporations relating to cyber security. But it is not irreversible – if, and only if, we choose to act decisively.

Cyber security is not just a technical challenge. It is a leadership issue. It is a cultural issue. And ultimately, it is a question of trust. The trust that our customers place in us, the trust our economy depends upon, and the trust our nation places in its institutions.

Be truly honest with yourself if you are a board member or in the role of executive leadership. Does this paper resonate with you, and do you recognise you should be doing a lot more? Do you have the attitude “she’ll be right mate, it won’t happen to us”? Go talk to the parent who has just had the police tell them their child has died in a car accident. Do you think all the organisations I mentioned above (which are just a handful of examples) thought it couldn’t happen to them?

We must choose the hard path of sustained action over the easy path of complacency, and change the mindset of short term KPIs. The time for passive analysis has passed. The time for courageous, unified leadership is now.

Sources

  1. ABC News, “Optus data breach: ID theft leaves victims fearing financial fallout”, 27 September 2022.
  2. Office of the Australian Information Commissioner, “OAIC investigation into Optus data breach”, December 2022.
  3. The Guardian, “Medibank cyber attack: Australians report trauma as stolen health records published”, 10 November 2022.
  4. Latitude Financial, “ASX Announcement: Update on cyber incident”, 27 March 2023.
  5. The Age, “Super funds scramble to protect members after credential stuffing attacks”, 5 April 2025.
  6. Sydney Morning Herald, “AustralianSuper reassures members after cyberattack wave”, 6 April 2025.
  7. The Australian, “Deakin University students caught in phishing scam after data breach”, 14 July 2022.
  8. ACSC, “Annual Cyber Threat Report”, March 2025.
  9. Cyber Resilience Summit, Director of Cyber Threat Intelligence keynote, 4 April 2025.
  10. APRA, “CPS 234 Information Security Standard”, July 2019.
  11. APRA, “Speech by Deputy Chair Helen Rowell: Cyber resilience and operational risk”, 5 April 2025.
  12. Ministerial Media Centre, “Minister for Cyber Security emergency press conference”, 5 April 2025.
  13. InnovationAus, “Cybersecurity must be in business DNA: AISA”, 3 October 2023.
  14. Australian Cybersecurity Conference, Dr Lesley Seebeck keynote, March 2025.
  15. Quantum Future Forum, Dr Michelle Simmons address, 12 March 2025.
  16. Department of Home Affairs, “Supply Chain Risk Review”, March 2025.
  17. Cyber Resilience Summit, Minister for Home Affairs keynote, 4 April 2025.
  18. Gartner, “IT Key Metrics Data: Global cybersecurity spending benchmarks”, 2024.
  19. Information Commissioner’s Office UK, “BA and Marriott fined for GDPR breaches”, 2020.
  20. White House, “Executive Order on Improving the Nation’s Cybersecurity”, 2021.
  21. Cyber Security Agency of Singapore, “Cybersecurity Act Overview”, 2024.
  22. NCSC UK, “Exercise in a Box”, 2024.
  23. AustCyber, “Cyber Security Sector Competitiveness Plan”, 2024.
  24. Australian Institute of Company Directors, “AICD Governance Survey”, 2024.
