What if you suffer a data breach?
There are steps you can take after becoming aware of a data breach to reduce your chances of experiencing harm. We highly recommend that you review the Office of the Australian Information Commissioner (OAIC) website for more detailed response plans: https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-preparation-and-response
Data breaches can be caused or exacerbated by a variety of factors, involve different types of personal information, and give rise to a range of actual or potential harms to individuals and entities.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks.
Generally, the actions taken following a data breach should follow four key steps:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
At any time, entities should take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the NDB scheme notification obligations may not apply.
- China ‘behind’ huge ANU hack amid fears government employees could be compromised
- ANU breach a risk for security officials as China becomes key suspect
- Almost 20 years of personal data was stolen from ANU. It could show up on the dark web
- 19 years’ worth of personal data stolen from ANU – It could be sold on the dark web
- Patch now against wormable ‘BlueKeep’ remote desktop flaw: ACSC – Spectre of another WannaCry-style epidemic raised
- Aussie fashion e-tailer Princess Polly suffers data breach – Card info may have been captured as it was entered into site
- Canva under cyber-attack, with reportedly as many as 139 million users affected
- Aussie Canva Hit By Massive Data Breach: User Details Stolen
- Canva criticised after data breach exposed 139m user details
- “Marketing fluff”: What startups can learn from Canva’s data-breach response
- Instagram hit by two privacy breaches in a week – The Facebook-owned company fails its users.
- Instagram users’ data exposed to hackers
- Instagram has a MAJOR personal data breach – 50 million users have had their personal details shared
- Perth socialite Melissa Graham held to ransom after Instagram privacy breach
- Wolters Kluwer takes down cloud services after malware infection – Impacts Australian users of CCH software
- Binance hackers shift stolen bitcoin, identity still unclear: researchers – Funds now sitting in several digital wallets
- WhatsApp flaw allowed spyware injection via calls | Pegasus comes calling whether you answer or not
- WhatsApp urges upgrade after ‘serious’ security breach allowed hackers to put spyware on phones
- WhatsApp major security flaw could let hackers access phones
- WhatsApp patches flaw after spyware revelation
- WhatsApp security breach likely a government surveillance attack, company says
- AusPost’s Bill Scanner caught up in Gmail privacy sweep – Works with Google to ensure API permissions aren’t revoked
- ASUS users targeted in large supply chain attack – Users infected via software update utility
- ASUS releases fix after ShadowHammer malware attack – But some users unable to update to non-backdoored software
- Bank warns of reported third-party data breach – The Bank of Queensland has announced that it has been made aware of a personal data breach by a third party provider
- Credit cards cancelled as Kathmandu reveals online store hacked – month-long breach during peak discount period
- Kathmandu hit by hackers
- Credit cards cancelled as Kathmandu reveals online store hacked
- Kathmandu flags suspected data breach
- Data breaches have possibility to ruin customer relationships
- Toyota Australia hit by cyber attack – takes down email and other systems
- Cyber Ransom Attacks On The Rise – Toyota Australia has confirmed it has been subject to an attempted cyber attack
- Millions of customers’ data accessed in second Toyota hack – Tokyo sales subsidiaries raided
- Toyota Australia hit by cyber attack
- Australian bank customers caught in valuation firm data breach | Caused by undisclosed ‘security vulnerability’
- Home loan details of 100,000 customers hacked in major data breach
- LandMark White blames exposed API for data breach – ANZ confirms it has suspended use of the property valuer
- Valuation firm hit by data breach LandMark White pleads for long share suspension
- Embattled LandMark White shares drop 10.6 pc after data breach
- NAB pulls plug on LandMark White as home loan breach scandal grows
- LandMark White blames ill-informed public commentary on its dark web data breach for further ASX share suspension
- Centrelink keeps LandmarkWhite, says data breach hit ‘very small’ client group
- LandMark White counts cost of data breach – LandMark White still unsure of financial impact
- LandmarkWhite knew of IT weakness in 2017, a year before data breach
- Landmark White’s stolen data re-appears on dark web
- Landmark White data disaster claims CEO scalp
- LandmarkWhite faces regulator scrutiny over IT response, disclosure
- LandMark White CEO exits after data breach – two directors step down from board
- CBA assures itself of LandMark White’s post-breach infosec
- LandMark White’s data breach just the beginning for cyber criminals
- Security breach strikes parliament’s IT network – all passwords reset
- Political party networks caught up in parliament’s IT breach – but no evidence of electoral interference
- The cyber attack on Parliament was done by a ‘state actor’
- Citrix | Australian parliament hackers gain remote access
- Bunnings exposed staff performance database – individual staffer did unwanted homework
- Apple Shuts Down Facebook Data Collecting App – Since 2016, Facebook has been asking users to install a “Facebook Research” VPN that lets the company monitor their phone and online activity, according to Tech Crunch
- Apple punishes Facebook over app that paid users to hand over data
- The Apple-Facebook Feud Hits a Breaking Point
- Facebook stored millions of user passwords in plain text – hundreds of millions of users to be notified
- Facebook says up to 111,813 Aussies in last year’s security breach
- Facebook’s lax security has left millions of users with a lot to worry about
- Facebook staff had access to millions of users’ passwords in plain text, violating security practices
- Global hacking scare nets Queensland MP, Surf Life Saving as millions of passwords breached – websites belonging to Queensland’s Deputy Opposition Leader, a real estate business and Surf Life Saving Australia are among thousands of pages caught up in the latest international data breach
- Breach Exposes a Record 773 Million Email Addresses – The massive trove of leaked data, which was posted to a hacking forum, also includes 21,222,975 unique passwords.
- Experts comment on record 772mil-user data breach – Cybersecurity expert and founder of the website Have I Been Pwned, Troy Hunt, broke the news recently that the largest ever database of breached login details has been leaked on the dark web.
- Data leak – Collection #1 is the just the beginning
- Cyber watchdog warns on dark web PS data – The Australian Cyber Security Centre (ACSC) has urged organisations and individuals across the Australian Public Service to check if their email addresses and/or passwords are included on recently released lists of stolen data.
- Fisheries Qld blames bad update for password ‘fault’ – allowed fishermen to get into any account.
- Nova notifies listeners of data breach – Nova Entertainment has admitted that listeners’ data from the period of May 2009 to October 2011 has been “publicly disclosed”.
- Nova admits to huge data breach
- Nova Admits Listener Info Has Been Leaked
- Critics want My Health Record delayed again after recording 42 data breaches this year.
- My Health Record system data breaches rise
- As My Health Record opt-out ends, security concerns continue
- Victorian Public Servants hit by massive data theft – The work details of 30,000 Victorian public servants were stolen from a government directory in a data breach just days before Christmas.
Major Australian Data Breaches in 2019 so far...
Symantec – June 2019
Australian Catholic University – June 2019
Revenue NSW – June 2019
Australian National University – June 2019
Microsoft – May 2019
Princess Polly – May 2019
Canva – May 2019
Instagram – May 2019
CCH software – May 2019
Binance – May 2019
Twitter – May 2019
WhatsApp – May 2019
WPA3 Dragonfly – April 2019
Wipro – April 2019
Speedrun.com – April 2019
Australia Post – March 2019
ASUS – March 2019
Bank of Queensland – March 2019
Kathmandu – March 2019
Citrix – March 2019
Melbourne Hospital – February 2019
CoffeeMeetsBagel – February 2019
9Honey – February 2019
Toyota Australia – February 2019
AMP – February 2019
LandMark White – February 2019
Department of Parliamentary Services – February 2019
Bunnings – February 2019
Facebook – January 2019
Global Hacking Scare – January 2019
SkoolBag – January 2019
Optus – January 2019
Collection #1 – January 2019
Fisheries Queensland – January 2019
First National Real Estate – January 2019
Department of Planning and Environment, NSW Major Projects – January 2019
Victorian Government – January 2019
Marriott Hotel Group / Starwood – January 2019
Early Warning Network – January 2019
Big W – January 2019
Hawthorn Football Club – January 2019
Nova Entertainment – January 2019
My Health Records – January 2019
Victorian Public Servants – January 2019
Major Worldwide Data Breaches
Recent Data Breach Notices
Data Breach Notice: Xiaomi (unverified) – 7,088,010 breached accounts
In August 2012, the Xiaomi user forum website suffered a data breach. In all, 7 million email addresses appeared in the breach although a significant portion of them were numeric aliases on the bbs_ml_as_uid.xiaomi.com domain. Usernames, IP addresses and passwords stored as salted MD5 hashes were also exposed. The data was provided with support from dehashed.com.
Data Breach Notice: Flash Flash Revolution (2019 breach) – 1,858,124 breached accounts
In July 2019, the music-based rhythm game Flash Flash Revolution suffered a data breach. The 2019 breach impacted almost 1.9 million members and is in addition to the 2016 data breach of the same service. Email and IP addresses, usernames, dates of birth and salted MD5 hashes were all exposed in the breach. The data was provided with support from dehashed.com.
Data Breach Notice: Stronghold Kingdoms – 5,187,305 breached accounts
In July 2018, the massively multiplayer online game Stronghold Kingdoms suffered a data breach. Almost 5.2 million accounts were impacted by the incident, which exposed email addresses, usernames and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: GameSalad – 1,506,242 breached accounts
In February 2019, the education and game creation website Game Salad suffered a data breach. The incident impacted 1.5M accounts and exposed email addresses, usernames, IP addresses and passwords stored as SHA-256 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Armor Games – 10,604,307 breached accounts
In January 2019, the game portal website Armor Games suffered a data breach. A total of 10.6 million email addresses were impacted by the breach which also exposed usernames, IP addresses, birthdays of administrator accounts and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Roll20 – 3,994,436 breached accounts
In December 2018, the tabletop role-playing games website Roll20 suffered a data breach. Almost 4 million customers were impacted by the breach and had email and IP addresses, names, bcrypt hashes of passwords and the last 4 digits of credit cards exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: EatStreet – 6,353,564 breached accounts
In May 2019, the online food ordering service EatStreet suffered a data breach affecting 6.4 million customers. An extensive amount of personal data was obtained including names, phone numbers, addresses, partial credit card data and passwords stored as bcrypt hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Bulgarian National Revenue Agency – 471,167 breached accounts
In July 2019, a massive data breach of the Bulgarian National Revenue Agency began circulating with data on 5 million people. Allegedly obtained in June, the data was broadly shared online and included taxation information alongside names, phone numbers, physical addresses and 471 thousand unique email addresses. The breach is said to have affected "nearly all adults in Bulgaria".
Data Breach Notice: YouNow – 18,241,518 breached accounts
In February 2019, data from the live broadcasting service YouNow appeared for sale on a dark web marketplace. Whilst it's not clear what date the actual breach occurred on, the impacted data included 18M unique email addresses, IP addresses, names, usernames and links to social media profiles. As authentication is performed via social providers, no passwords were exposed in the breach. Many records didn't have associated email addresses thus the unique number is lower than the reported total number...
Data Breach Notice: Animoto – 22,437,749 breached accounts
In July 2018, the cloud-based video making service Animoto suffered a data breach. The breach exposed 22 million unique email addresses alongside names, dates of birth, country of origin and salted password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: BlackSpigotMC – 140,029 breached accounts
In July 2019, the hacking website BlackSpigotMC suffered a data breach. The XenForo forum based site was allegedly compromised by a rival hacking website and resulted in 8.5GB of data being leaked including the database and website itself. The exposed data included 140k unique email addresses, usernames, IP addresses, genders, geographic locations and passwords stored as bcrypt hashes.
Data Breach Notice: SHEIN – 39,086,762 breached accounts
In June 2018, online fashion retailer SHEIN suffered a data breach. The company discovered the breach 2 months later in August then disclosed the incident another month after that. A total of 39 million unique email addresses were found in the breach alongside MD5 password hashes. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: piZap – 41,817,893 breached accounts
In approximately December 2017, the online photo editing site piZap suffered a data breach. The data was later placed up for sale on a dark web marketplace along with a collection of other data breaches in February 2019. A total of 42 million unique email addresses were included in the breach alongside names, genders and links to Facebook profiles when the social media platform was used to authenticate to piZap. When accounts were created directly on piZap without using...
Data Breach Notice: Netlog – 49,038,354 breached accounts
In July 2018, the Belgian social networking site Netlog identified a data breach of their systems dating back to November 2012. Although the service was discontinued in 2015, the data breach still impacted 49 million subscribers for whom email addresses and plain text passwords were exposed. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Evite – 100,985,047 breached accounts
In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP...
Data Breach Notice: MindJolt – 28,364,826 breached accounts
In March 2019, the online gaming website MindJolt suffered a data breach that exposed 28M unique email addresses. Also impacted were names and dates of birth, but no passwords. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
Data Breach Notice: Wiener Büchereien – 224,119 breached accounts
In June 2019, the library of Vienna (Wiener Büchereien) suffered a data breach. The compromised data included 224k unique email addresses, names, physical addresses, phone numbers and dates of birth. The breached data was subsequently posted to Twitter by the alleged perpetrator of the breach.
Data Breach Notice: Social Engineered – 89,392 breached accounts
In June 2019, the "Art of Human Hacking" site Social Engineered suffered a data breach. The breach of the XenForo forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.
Data Breach Notice: OGUsers – 161,143 breached accounts
In May 2019, the account hijacking and SIM swapping forum OGusers suffered a data breach. The breach exposed a database backup from December 2018 which was published on a rival hacking forum. There were 161k unique email addresses spread across 113k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.
Data Breach Notice: Emuparadise – 1,131,229 breached accounts
In April 2018, the self-proclaimed "biggest retro gaming website on earth", Emuparadise, suffered a data breach. The compromised vBulletin forum exposed 1.1 million email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. The data was provided to HIBP by dehashed.com.
Data Breach Notice: Illawarra drivers' licence details
Illawarra drivers may have had their private details leaked to the media as part of a "political smear campaign", according to Wollongong MP Paul Scully. At the last election, a file containing names, addresses, ages and driving history - including those of then Labor leader Michael Daley - was leaked to the media by the office of Customer Service Minister Victor Dominello. The leak occurred after Revenue NSW advised Mr Dominello's office the file was a privacy breach and it must...
Data Breach Notice: Ordine Avvocati di Roma – 41,960 breached accounts
In May 2019, the Lawyers Order of Rome suffered a data breach by a group claiming to be Anonymous Italy. Data on tens of thousands of Roman lawyers was taken from the breached system and redistributed online. The data included contact information, email addresses and email messages themselves encompassing tens of thousands of unique email addresses. A total of 42k unique addresses appeared in the breach.
Data Breach Notice: Appartoo – 49,681 breached accounts
In March 2017, the French flatsharing site known as Appartoo suffered a data breach. The incident exposed an extensive amount of personal information on almost 50k members including email addresses, genders, ages, private messages sent between users of the service and passwords stored as SHA-256 hashes. Appartoo advised that all subscribers were notified of the incident in early 2017.
Data Breach Notice: Club Penguin Rewritten – 1,688,176 breached accounts
In January 2018, the children's gaming site Club Penguin Rewritten (CPRewritten) suffered a data breach (note: CPRewritten is an independent recreation of Disney's Club Penguin game). The incident exposed almost 1.7 million unique email addresses alongside IP addresses, usernames and passwords stored as bcrypt hashes. When contacted, CPRewritten advised they were aware of the breach and had "contacted affected users".
Data Breach Notice: Morele.net – 2,467,304 breached accounts
In October 2018, the Polish e-commerce website Morele.net suffered a data breach. The incident exposed almost 2.5 million unique email addresses alongside phone numbers, names and passwords stored as md5crypt hashes.
Data Breach Notice: Bukalapak – 13,369,666 breached accounts
In March 2019, the Indonesian e-commerce website Bukalapak discovered a data breach of the organisation's backups dating back to October 2017. The incident exposed approximately 13 million unique email addresses alongside IP addresses, names and passwords stored as bcrypt and salted SHA-512 hashes.
Data Breach Notice: DataCamp – 760,561 breached accounts
In January 2017, the data science website DataCamp suffered a data breach. The incident exposed 760k unique email and IP addresses along with names and passwords stored as bcrypt hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Data Breach Notice: Knuddels – 808,330 breached accounts
In September 2018, the German social media website Knuddels suffered a data breach. The incident exposed 808k unique email addresses alongside usernames, real names, the city of the person and their password in plain text. Knuddels was subsequently fined €20k for the breach.
Data Breach Notice: Verifications.io – 763,117,241 breached accounts
In February 2019, the email address validation service verifications.io suffered a data breach. The breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure...
Data Breach Notice: ShareThis.com – 40,960,499 breached accounts
In July 2018, the social bookmarking and sharing service ShareThis suffered a data breach. The incident exposed 41 million unique email addresses alongside names and in some cases, dates of birth and password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
Data Breach Notice: MyFitnessPal – 143,606,147 breached accounts
In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested...
Data Breach Notice: MyHeritage – 91,991,358 breached accounts
In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a...
Data Breach Notice: Dubsmash – 161,749,950 breached accounts
In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "[email protected]".
Data Breach Notice: Symantec breach revealed client list, passwords
A February data breach at Symantec gave hackers access to account numbers, passwords, and a purported list of prominent Australian clients, according to a Guardian Australia report. The platform security vendor characterised the breach as a "minor incident" since it involved a self-enclosed demo lab in Australia that wasn't connected to Symantec's corporate network. Symantec told Guardian Australia it didn't report the breach since the demo lab didn't host or have any sensitive personal data extracted from it. The Australian Privacy Act requires...