
Research and Reports Detail Australian Cyber Security Landscape, Highlighting Personal Data Exposure and Organisational Breaches

Australians’ Personal Data Widely Exposed Online Amid Rising Cyber Threats

Research commissioned by the Australian Department of Home Affairs has estimated that 64% of Australians have personally identifying information publicly visible on their social media accounts.

A combination of government research and official data reports outlines the current state of cyber security and personal data exposure in Australia. Findings indicate a high prevalence of personally identifiable information on public social media profiles among Australians, concurrent with a reported increase in malicious data breaches affecting organisations across multiple sectors.

Personal Data Exposure on Social Media

The research used survey data to calculate its population estimate. Specific data points found to be publicly visible include:

  • 32% of Australians had their birthday publicly visible.
  • 28% listed an email address.
  • 23% of those with personal information visible disclosed their residential suburb.
  • 18% had a mobile phone number listed.

The research indicated demographic variations in risk perception: 86% of 19-24-year-olds and 74% of 25-34-year-olds stated it would take just minutes to find their personal information online. Earlier federal government research, from last month, suggested young people were among the most vulnerable to cybercrime.

Related online security practices were also surveyed:

  • 57% of Australians did not review their privacy or location settings, with only 41% regularly updating them.
  • 46% limited who could see their location on social media, and 29% hid their profile from search engines.
  • Regarding passwords, 30% of people used personal information in their passwords, 55% used the same password across multiple accounts, and 59% used variations of the same password.

Expert Commentary on Data Sharing

National Cyber Security Coordinator Michelle McGuinness stated that oversharing personal information, while often not deliberate, remains dangerous, as scammers can piece together details to commit fraud or identity theft.

Daniel Angus, director of the Digital Media Research Centre at Queensland University of Technology, noted that social media platforms are built on sharing personal details. He suggested the high number of people with visible personal information should not be seen solely as a failure of personal responsibility, but may indicate that platform defaults and incentives could be misaligned with safety.

Reported Increase in Organisational Data Breaches

Separately, Australia has reported a notable increase in cyber attack activity during the current year, affecting sectors including finance, health services, and government.

From January to June of the current year, 532 data breaches were recorded, with over half attributed to malicious or criminal attacks.

The Office of the Australian Information Commissioner (OAIC) launched a Notifiable Data Breaches (NDB) statistics dashboard last month. OAIC spokespersons indicated a higher number of notifications have been received in the second half of the calendar year, suggesting a continued increase.

A significant incident reported in February involved Australian fertility clinic Genea Fertility, which confirmed in July that patient and donor medical histories had been posted on the dark web.

Expert Analysis and Organisational Recommendations

Associate Professor Vanessa Teague from the ANU College of Engineering, Computing and Cybernetics stated that the most significant data breaches might remain undetected. She observed an ongoing improvement in cyber attack methodologies and suggested current cyber defenses are not progressing at a commensurate rate.

Key recommendations from experts include:

  • Enhanced Strategies: Dr. Teague recommended the government and businesses enhance strategies to reduce future breaches.
  • Data Encryption: A recommendation was made to add data encryption to the Australian government's "Essential Eight" cybersecurity framework.
  • Ransom Payment Advice: Dr. Teague advised against paying ransoms, saying that it incentivizes future criminal activity and does not guarantee data protection.
  • Legal Accountability: Dr. Teague suggested updating the Privacy Act to hold entities accountable for data security.

Privacy Commissioner Carly Kind reinforced that organisations must take all reasonable steps to secure information, which includes investing in cybersecurity, implementing governance measures like privacy training, and reviewing data collection to avoid unnecessary retention.

Cybercrime Context and Scale

The Australian Cyber Security Centre noted in its April 2026 security advice that social media platforms and messaging services typically collect extensive data as part of their business models.

According to the Australian Institute of Criminology's 2024 Cybercrime in Australia survey, almost half of all Australians aged 18 and over experienced some form of cybercrime in 2024. There were more than 84,000 cybercrimes reported in the 2024-25 financial year.

Business impacts are also reported, with each data breach potentially amounting to millions of dollars in expenses. For example, AustralianSuper reported 600 attempted cyber attacks in one month, resulting in $500,000 in losses for four members.

Recommended Protective Measures

For individuals, recommendations from officials and experts include:

  • Use unique and complex passwords and turn on multi-factor authentication.
  • Regularly update phone and laptop software and review privacy settings.
  • Avoid unnecessary data submission and exercise discretion with personal information online.
  • Utilize end-to-end encrypted communication platforms (e.g., Signal, iMessage, WhatsApp) for sensitive conversations.
  • Employ privacy-preserving browsers with robust ad blockers.

For organisations, emphasized measures include:

  • Investing in cybersecurity and implementing strong governance policies.
  • Securing data through encryption and minimizing data retention.
  • Ensuring board-level engagement with privacy and security risks.