Breached and exposed: Why Australia keeps getting hacked

By Our Reporter

Australia is facing a trust crisis dressed in binary code. Qantas is the latest name to join a growing list of household brands that have failed to secure customer data. Six million people’s personal details were compromised via a third-party contact centre breach. It was, according to the company, swiftly contained. But public confidence, once fractured, is far slower to repair.

This comes less than three years after the Optus and Medibank cyberattacks exposed information of nearly 20 million Australians. By the numbers, that’s four out of five people. These weren’t obscure firms caught out by zero-day exploits. These were giants with legal departments, compliance teams, and billion-dollar revenues. If they can’t keep our data safe, the public is starting to ask whether they should be allowed to hold it at all.

The pattern is no longer subtle. The Office of the Australian Information Commissioner received 483 data breach notifications in the back half of 2023, up nearly 20% from the previous six months. From telcos to healthcare to finance, sectors that handle identity information daily have struggled with basic cyber hygiene. Open APIs, weak authentication, outdated software, and unnecessary data retention have all played a role. The breach at Latitude Financial, for instance, affected records going back to 2005. Fourteen million customer records, including 7.9 million driver’s licence numbers, were retained long after they were needed. The result: a jackpot for cybercriminals.

There are two kinds of failures here. The first is technical—outdated systems, human error, vulnerable entry points. The second is structural—a business culture that hoards data with no clear purpose and often little understanding of the risks involved. Companies frequently store more than legally required and lack adequate protocols for deleting outdated records. When breached, they scramble to plug holes, but the dam wall is already crumbling.

The cost to consumers has been severe. Some were forced to replace ID documents. Others found themselves targeted in phishing campaigns or extortion schemes. In one case following the Optus leak, a Sydney teenager was caught threatening customers via SMS, demanding money in exchange for not abusing their stolen data. Police intervened before any cash changed hands, but the episode laid bare how vulnerable individuals are when corporations fail.

And the psychological toll is mounting. Medibank customers, whose medical histories were posted online by ransomware gangs, reported panic attacks, insomnia, and a deep sense of violation. No money was stolen, but something just as personal was lost—the presumption that your health records, at least, were private.

For companies, the financial consequences have varied. Optus’s parent company set aside $140 million for clean-up and customer compensation. Medibank spent $25–35 million on immediate responses, but the long tail of class action lawsuits and regulatory scrutiny may drag on for years. Share prices dipped sharply in the wake of the incidents. CEOs resigned. Yet in most cases, customers didn’t flee in droves. Optus revenues even grew. Switching costs are high in telecoms and insurance, and inertia favours incumbents.

This raises a thorny question: if public outrage is intense but short-lived, and revenue barely flinches, is there enough incentive for companies to invest in real security upgrades?

The government thinks not. In late 2022, Canberra increased the maximum penalty for serious privacy breaches to $50 million. Regulatory bodies like ACMA and OAIC are pursuing Optus and Medibank for alleged failures to protect consumer information. Meanwhile, class actions loom, with some estimates putting Medibank’s potential liability at $700 million. That figure, if realised, might finally prompt a reassessment in boardrooms across the country.

But regulation alone won’t solve the problem. Technology, too, needs an upgrade—not in complexity, but in design philosophy. Instead of hoarding sensitive data in centralised databases, some security researchers argue for a decentralised model. Dr Eric Lim at UNSW proposes using blockchain-based digital identity systems. Rather than handing over your actual date of birth or Medicare ID, you’d simply allow a company to verify a credential cryptographically. The data never sits on their servers, so there’s nothing to steal.
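The verification model described above, shown as an added, constructed example (not code from the article or from any UNSW project): an issuer signs salted digests of a holder's attributes, the holder discloses only a single derived claim such as "over 18", and the verifier checks that claim against the issuer's signature without ever receiving the date of birth or Medicare number. An HMAC under an assumed issuer key stands in for a real asymmetric signature so the snippet runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: this HMAC key stands in for the issuer's asymmetric signing key.
# A real deployment would publish a public key (e.g. Ed25519) so verifiers
# can check signatures without being able to forge them.
ISSUER_KEY = b"constructed-issuer-signing-key"


def _digest(name: str, value: str, salt: str) -> str:
    # Per-attribute salt prevents a verifier from brute-forcing undisclosed values.
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def issue_credential(attributes: dict) -> dict:
    """Issuer: salt each attribute and sign only the sorted digest list."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    digests = sorted(_digest(k, v, salts[k]) for k, v in attributes.items())
    payload = json.dumps(digests).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    # The raw attributes and salts stay with the holder, never with the verifier.
    return {"digests": digests, "signature": sig,
            "_holder_private": {"attributes": attributes, "salts": salts}}


def present(credential: dict, reveal: str) -> dict:
    """Holder: forward the signed digests plus exactly one disclosed attribute."""
    priv = credential["_holder_private"]
    return {"digests": credential["digests"],
            "signature": credential["signature"],
            "disclosed": {reveal: (priv["attributes"][reveal], priv["salts"][reveal])}}


def verify_presentation(presentation: dict, required: dict) -> bool:
    """Verifier: check the issuer signature, then that each required claim
    is one of the signed digests. Undisclosed attributes are never seen."""
    payload = json.dumps(presentation["digests"]).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return False  # digest list was altered or not issued by this issuer
    for name, value in required.items():
        disclosed = presentation["disclosed"].get(name)
        if disclosed is None or disclosed[0] != value:
            return False
        if _digest(name, disclosed[0], disclosed[1]) not in presentation["digests"]:
            return False  # disclosed value/salt does not match any signed digest
    return True
```

Because the verifier only ever stores the disclosed claim and a digest list, a breach of its database exposes neither the date of birth nor the Medicare ID.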

Australia has already trialled blockchain identity pilots. These efforts remain in their infancy, but they point to a future in which verification doesn’t require vulnerability. The key challenge is scale, and whether private firms would be willing to forgo data that doubles as a marketing asset.

Until then, some more basic fixes are within reach. Require multi-factor authentication. Encrypt data in transit and at rest. Impose limits on how long customer information can be retained. Shift from “trust but verify” to “never trust, always verify”. These principles are already common in cybersecurity circles, but not always implemented outside of the most regulated industries.

Education is key

Education matters too. Many breaches begin with an employee clicking a dodgy link. Others occur when systems are misconfigured by accident. Staff need better training, not just a rushed e-learning module once a year. Some companies are hiring ethical hackers to probe their own systems. Others are running phishing simulations to test resilience in real time. It’s no longer enough to build a wall. You have to test it regularly.

Consumers, meanwhile, need tools to help them respond. After the Optus incident, the government made it easier to obtain a new driver’s licence. Similar measures could be extended to other forms of ID. A centralised identity recovery service—something akin to the American model of offering tax protection PINs—could assist victims of future breaches.

And yes, part of the solution is cultural. For too long, cybersecurity was treated as an IT problem. It needs to become a governance priority. Directors should be asking as many questions about digital resilience as they do about liquidity or growth. The Qantas breach, while limited in scope compared to others, came on the heels of FBI warnings about an international hacking group targeting airlines. No company should be caught off guard.

Some advocates argue for a consumer right to sue directly for breach-related distress. At present, Australian law doesn’t recognise such a privacy tort. That may soon change. The Privacy Act review recommends expanding individual rights, which could introduce personal consequences for corporate negligence. If every breach meant a payout to customers, boards might finally treat personal data with the caution it deserves.

The problem isn’t going away. Cybercrime is growing more sophisticated, with state-linked actors and ransomware-as-a-service outfits targeting Australian firms. But the solution isn’t to retreat from digital services. It’s to build them better.

We need smarter regulation, less data hoarding, faster incident response, and deeper investment in security infrastructure. Above all, we need to stop treating privacy breaches as regrettable accidents. They are predictable outcomes of known weaknesses. And predictable failures are preventable.

Until that mindset takes hold, Australians will continue to brace for the next breach—inboxes pinging with corporate apologies, as if sorry is a substitute for security.

Sources: Australian Government statements and media reports on recent data breaches, including incidents at Optus, Medibank, Latitude Financial, and Qantas. Cybersecurity expert commentary from UNSW and UpGuard. Statistics from OAIC and company disclosures via ABC, Reuters, 7News, AFR, and The Guardian.
