Millions of Australians' personal details have been compromised by unpublicised data breaches – separate from the Optus and Medibank hacks – according to figures released by the national information watchdog on Wednesday.
The Australian Information Commissioner revealed there were three large-scale data breaches in the second half of last year, which affected between 1 million and 10 million Australians.
There was also another data breach which affected between 500,000 and 1 million people.
The commissioner did not name the enterprises involved in the breaches, but the numbers indicate that large-scale attacks are on the rise.
The stark figures cover the period between July and December 2022 and reveal a 67 per cent rise in the number of large-scale attacks from the first half of the year, which saw only 24 such attacks compared to 40 in the back half.
In total, there were 497 data breaches, mostly in the health and finance sectors, which represented a 26 per cent increase.
Almost three-quarters of those breaches were blamed on criminal attacks, while a quarter was due to human error.
Data breaches increase chance of scams, AIC says
Australian Information Commissioner Angelene Falk acknowledged there was a pronounced rise in wide-reaching cyber attacks and urged businesses and agencies to step up.
"Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats," Commissioner Falk said.
"This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.
"As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.
"Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals."
The worrying new data comes after the federal Attorney-General's department called for Australia's Privacy Act to be tightened.
Under Australia's current data breach laws, there is no specific time frame for agencies or organisations to report that they have been hacked, but a new proposal by the department would shorten that period to 72 hours.
It is part of a suite of 116 recommendations made last month, which also proposed scrapping the Privacy Act exemptions for small businesses, putting new obligations on millions of additional Australian entities.
The federal government is also setting up a national cyber office that would consider a new Cyber Security Act and the strengthening of existing laws.