Image credit: Khan Tran
On a global scale, there are an average of 285 breached accounts per 100 people. In Australia, that number skyrockets to 732 breaches per 100 people, meaning the average Australian has been affected by data breaches approximately seven times. Alarmingly, 30% of Australians believed their data was stolen in 2022 alone.
When a data breach occurs, companies covered by the Privacy Act must report the incident to the Office of the Australian Information Commissioner (OAIC). Entities which are not covered by the Act, such as political parties and most small businesses, are not mandated to report data breaches. The OAIC compiles the data into a biannual report. The most recent findings reveal the top 3 causes of data breaches and the most affected industries (see below).

The number of breaches being reported is climbing every year.
While some breaches go unnoticed, others can have deeply personal consequences. The infamous 2022 Medibank data breach saw 9.7 million Australians’ personal information stolen, including sensitive medical records. When the health insurer refused to pay the ransom demanded, the hackers retaliated by posting the personal information online. This included a list of Australian women who had accessed pregnancy terminations. Similarly, in July 2025 the IVF corporation Genea confirmed that sensitive patient information had been published to the dark web following a data breach.
More recently, Qantas has been subject to a data breach. In July of this year Qantas admitted that a cyber attack on a call centre resulted in some customers’ names, dates of birth, emails, and frequent flyer numbers being stolen. Approximately six million customers were impacted. Our chair, Lizzie O’Shea, is also a class actions lawyer and works on many of these cases, including against Qantas.
Why are Australians so disproportionately affected?
There are two major reasons.
First, we have weak privacy laws, and as such, companies and organisations are permitted to collect and hold vast amounts of personal information. As a result, many companies gather lots of personal information because they can, even if the commercial benefit might be unclear or remote.
Under the Privacy Act, which covers large businesses and federal Australian government agencies, once you have someone’s consent to collect and use their information, you have a lot of freedom to use that information however you like. Unlike in other parts of the world, there is no requirement to use the information responsibly, or to actively consider whether it should be deleted (there is not even a right to delete). We think bare consent is not enough, and for this reason our privacy laws should be reformed. On top of all that, the Privacy Act simply doesn’t cover small businesses, which are excluded outright.
Second, certain government policies mandate holding large amounts of personal information, and the cybersecurity risks of these policies are not always properly considered. Australian companies are legally required to store large volumes of data, often for years, due to overlapping and sometimes conflicting regulatory obligations:
- The Corporations Act 2001 (Cth) mandates companies retain financial records for at least 7 years.
- The Telecommunications (Interception and Access) Act 1979 compels telcos to keep metadata (like call records and location data) for 2 years for law enforcement use.
- The Income Tax Assessment Acts require tax records to be kept for 5 years.
- The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 requires customer identification and transaction records to be retained for 7 years.
Under Australian Privacy Principle (APP) 11.2, entities are supposed to destroy or de-identify personal information when it’s no longer needed. But the tension between these retention mandates and the APP 11.2 destruction obligation creates confusion.
APP entities often struggle to put good data governance into practice. They must first identify what data they store and then identify which regulatory and business retention periods apply to each data type. Given the overlapping and complex nature of the regulations, businesses can struggle here. Many companies keep more data than necessary out of fear of accidentally deleting something they were supposed to retain, or simply because it’s cheaper to store than to delete. Once the data types are identified, businesses then have to implement the applicable retention rules, which can pose further challenges.
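The following is an added illustration, not part of the original post: a toy retention resolver that takes the longest applicable statutory period from the four obligations listed above and flags records that no obligation covers as due for destruction under APP 11.2 (or for review if a current business need is recorded). The obligation keys, the sample inventory, and the assumption that each period runs from the record’s creation date are constructed for the example; real statutes define their trigger dates differently.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods as stated in the article, keyed by a constructed label.
# Assumption for this example: the period runs from the record's creation date.
OBLIGATIONS = {
    "corporations_act": ("Corporations Act 2001 financial records", 7),
    "tia_act_metadata": ("TIA Act 1979 telco metadata", 2),
    "income_tax":       ("Income Tax Assessment Acts tax records", 5),
    "aml_ctf":          ("AML/CTF Act 2006 customer ID and transaction records", 7),
}


@dataclass
class Record:
    record_id: str
    created: date
    obligations: list          # keys of OBLIGATIONS that apply to this record
    business_need: bool = False  # still needed for a current, documented purpose?


def retention_end(rec: Record):
    """Date on which the longest applicable obligation expires, or None if none applies."""
    if not rec.obligations:
        return None
    years = max(OBLIGATIONS[key][1] for key in rec.obligations)
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return rec.created.replace(year=rec.created.year + years, day=28)


def disposition(rec: Record, today: date) -> str:
    """RETAIN while any statutory period is running; afterwards DESTROY (APP 11.2)
    unless a current business need justifies a REVIEW."""
    end = retention_end(rec)
    if end is not None and today < end:
        return "RETAIN"
    return "REVIEW" if rec.business_need else "DESTROY"


def plan(records, today: date) -> dict:
    """Map every record ID in the inventory to its disposition."""
    return {rec.record_id: disposition(rec, today) for rec in records}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Record("cust-001", date(2019, 3, 1), ["corporations_act", "income_tax"]),
    Record("meta-002", date(2022, 6, 15), ["tia_act_metadata"]),
    Record("mkt-003", date(2018, 1, 10), [], business_need=True),
    Record("mkt-004", date(2018, 1, 10), []),
]

if __name__ == "__main__":
    for rid, action in plan(SAMPLE_INVENTORY, date(2025, 8, 1)).items():
        print(rid, action)
```

Records under overlapping obligations resolve to the longest period (cust-001 is held 7 years, not 5), while records that no law requires and no business purpose justifies are the ones a minimisation review should delete first.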
Is my personal information protected?
APP 11 requires APP entities to take reasonable steps to ensure personal information is not subject to unauthorised access or disclosure. However, this requirement has fundamental flaws. Firstly, not every organisation is an APP entity; in fact, given the small business exemption, over 92% of businesses do not have to comply with this obligation. Furthermore, the principles-based nature of what is ‘reasonable’ is open to interpretation and gives companies serious discretion to decide how (or if) to protect your personal information.
It’s also hard because the regulator, the Office of the Australian Information Commissioner, only recently gained stronger powers to issue fines for infringements of the APPs. But it is a relatively small regulator, and these are big problems. As a result, companies may not take the risk of being fined seriously enough.
Australia is a wealthy, digitally connected nation. We transact, stream, bank, shop, and work online. And because we’re legally required to hoard vast amounts of data often without strict, enforceable security standards, our personal information is one of the most valuable targets in the world.
It’s no coincidence that Australians are disproportionately affected by breaches. We’re a high-reward target with a weak shield.
What needs to change?
- End the small business exemption: Over 92% of Australian businesses are exempt from the Privacy Act. Removing this exemption would make APP 11 meaningful in practice and ensure all companies are held to the same standard of data protection. It would also be better for small businesses, which often get sold off-the-shelf digital products that can cause serious headaches for them. If those vendors had to comply with privacy laws to sell their product, small businesses would benefit.
- Introduce a fair and reasonable test: The test considers whether a reasonable person would consider the collection and handling of personal information to be fair or reasonable in the circumstances. Implementing this test will prevent unnecessary personal information being held about people, limiting the impact of data breaches.
- Make consent more meaningful: For consent to be meaningful, it must be provided as a result of a genuine and informed choice. It must not be a transactional, box-ticking requirement that then serves as a licence to use personal information without limit. The current approach allows organisations to hold superfluous data, making users unnecessarily vulnerable to data breaches.
- Clarify and limit data retention obligations: Businesses should not be compelled to store personal information longer than necessary. Clear, harmonised retention limits would minimise harm in the event of a breach because less personal information would be exposed.
- Define ‘reasonable steps’ with precision: APP 11 requires organisations to take ‘reasonable steps’ to protect personal information, but this term is vague and inconsistently applied. It should be replaced with clear, enforceable standards that reflect the sensitivity and scale of the data held.
- Enshrine a right to erasure: Individuals should have the right to delete personal information organisations hold about them. This process should be accessible and clear. It empowers people to remove their personal information from corporate databases, reducing risk and rebalancing control over their digital footprint.
- Introduce a direct right of action: A direct right of action would allow individuals affected by data breaches to pursue legal action against the organisations responsible without relying on regulators such as the OAIC to act. This means aggrieved individuals could seek compensation or other remedies in court for harm caused by data breaches, incentivising APP entities to maintain responsible privacy practices that adhere to the APP standards. This would give Australians improved control over their personal information.