Half of all Australians hit by data breach spills, Privacy Commission research reckons

By Julian Bajkowski

August 9, 2023

Australian information commissioner Angelene Falk. (AAP Image/Mick Tsikas)

Nearly half of all Australians have likely had their personal data compromised or stolen because of data breaches, a new survey from the Office of the Australian Information Commissioner has found, with most suffering direct harms ranging from spam and scam attempts to identity theft and email account hijacking.

In the triennial representative sweep of the population by the OAIC — dubbed the Australian Community Attitudes to Privacy Survey (ACAPS) — the privacy and data watchdog reckons that 47% of people it polled “said they had been told by an organisation that their data was involved in a data breach in the prior year”, a figure that comes on the back of ransomware attacks on Optus, Medibank, Latitude and many others.

While the appalling statistic is somewhat predictable given the epic levels of targeting of Australian organisations by ransomware actors, it’s the cost and consequence of the attacks that are the real shocker because of the extent and severity of harm reported by victims.

The statistics have class action written all over them.

“Three-quarters (76%) of Australians whose data was involved in a breach said they experienced harm as a result. More than half (52%) of Australians whose data was compromised in a breach reported an increase in scams, spam texts or emails,” the OAIC said.

“Around 1 in 10 experienced significant issues such as emotional or psychological harm (12%), financial or credit fraud (11%) or identity theft (10%).”

There’s a big cost to the government in the mix here too. Ranking second in the harms experienced, “a need to replace key identity documents e.g. driver’s licence, passport” came in at 29%, which is very high.

Most alarmingly, really bad harms — the sort that you’d rate as a critical incident — actually make a noticeable showing. Blackmail came in at 3%, physical harm or intimidation at 2% and family violence at 1%.

Some 4% of people polled said they had their “credit rating affected” which we assume means credit became harder or more expensive to obtain.

Given some 11% of people said they’d been financially ripped off because of a data breach, that figure suggests the financial services industry and its regulators have some catching up to do in terms of restoring people’s good standing.

There are some important callouts on the OAIC’s data, including that it is based on a representative sample of just under 2000 Australian adults (n=1,926), so it’s an estimate rather than a literal figure.

This said, the ACAPS survey is specifically tasked with generating longitudinal information on “Australians’ attitudes to key privacy issues, their experiences and perspectives around the use and protection of their personal information and the action they take to safeguard their privacy.”

It certainly has longevity, having started out in 1990 (not bad considering the Privacy Act only commenced in 1989) so that’s 33 years of data.

Not everything is exactly like for like — new issues, often related to technology, have come up and are tracked as they arise. This was the first time the OAIC had posed questions about the impact of data breaches, but the answers speak for themselves.

“The advent of technologies like artificial intelligence (AI) and facial recognition have introduced the potential for new privacy risks, some that deeply intersect with our human rights,” Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said.

“While AI has the potential to provide major economic benefits, we know Australians are cautious about the use of AI to make decisions that might affect them, and there are low levels of comfort in the use of the technology.

“Despite the heightened awareness and concern about privacy among the community, there is limited knowledge of what to do about it.”

If you can’t manage what you can’t measure, at least Falk has the evidentiary yardstick out, and that’s a good thing.

