The Rising Threat of Identity Theft in the Age of Data Breaches and AI

In an era of massive data breaches and AI‑driven scams, everyday Australians—especially the elderly—are at heightened risk of identity theft. This article explores recent large‑scale breaches, the evolving tactics of cybercriminals leveraging AI for deepfakes and personalised phishing, and the urgent need for Australian organisations to adopt proactive data security measures such as DSPM and DLP. It calls for stronger corporate accountability, robust regulatory enforcement and a shift from reactive compliance to vigilant protection of personal data.


A Growing Wave of Identity Theft

In recent months, there has been an alarming uptick in calls from everyday Australians – particularly seniors – who have fallen victim to identity theft. Identity theft, once a sporadic nuisance, is fast becoming a widespread scourge. These are people who have had their personal details stolen and misused, leading to fraudulent loans, drained bank accounts, or new credit cards opened in their name. While organisations like IDCARE (Australia and New Zealand’s national identity support service) or the government’s Australian Cyber Security Centre (ACSC) can help victims recover, the surge in cases raises a critical question: how did we get here? The answer lies in an unsettling combination of rising data breaches, complacent data stewardship by companies, and now the added catalyst of artificial intelligence (AI)-enhanced scams. It’s a perfect storm – and Australian companies need to wake up and take responsibility for the customer data they hold before more people suffer.

Data Breaches: Fuel on the Fire of Identity Crime

High-profile data breaches have become dismayingly common, both globally and in Australia. Each breach pours fuel on the fire of identity theft by dumping thousands or millions of individuals’ personal data into the hands of criminals. Australia is experiencing an unprecedented surge – 527 breaches were reported in just the first half of 2024, up 9% from the previous six months. In fact, the Office of the Australian Information Commissioner (OAIC) noted this is the highest number of breaches in over three years, signaling a troubling trend. “Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” warned Privacy Commissioner Carly Kind in mid-2024. In other words, barely a day goes by without some company confessing that Australians’ personal information has been lost or stolen – and that loss often translates directly into identity crime.

It’s not just the frequency of breaches that’s concerning, but their sheer scale. The latter half of 2022 was a wake-up call, with two of the worst breaches in Australian history: the Optus telecom breach (exposing data of ~10 million customers) and the Medibank health breach (~9.7 million customers). These two incidents alone affected the equivalent of nearly 80% of Australia’s population, an almost unimaginable quantity of sensitive data spilled. And the hits keep coming – in early 2024, a breach at medical data provider MediSecure exposed records of 12.9 million Australians, the largest single breach since Australia’s mandatory notification scheme began. All told, since 2004 an estimated 37 million Australian online accounts have been breached, leading to the exposure of around 416 million personal records (including passwords) in Australia. Each of those records – whether it’s a name, address, Medicare number, driver’s license, or passport – can be the key that unlocks a person’s identity for fraudsters.

The cause of these data losses is often malicious. According to OAIC reports, about 67% of breaches are due to malicious or criminal attacks (e.g. hacking). Cybercriminals actively target the troves of customer data held by companies, knowing that many organisations have weak spots. In some cases, the breach is as simple as an exposed database or an unsecured API (as was reportedly the case with Optus). In others, it’s sophisticated ransomware gangs hacking in and stealing data to extort money – a tactic that turned the Medibank breach into a public nightmare when stolen health records were leaked online. Regardless of method, the outcome is the same: vast quantities of personal information wind up in the wrong hands.

Critically, data breaches serve as the fuel for identity theft. Once a breach occurs, the stolen data often circulates on dark web forums or other criminal marketplaces. From there, criminals use it as raw material for fraud. A recent investigation revealed how scammers capitalized on information from “previous hacks” to penetrate government services: Services Australia (which runs Centrelink and Medicare accounts) reported a 440% rise in breaches where scammers called up impersonating victims, using stolen personal details to pass security checks. In the first half of 2024 alone, that agency had to notify 14,000 customers that their Centrelink or myGov accounts were accessed by unauthorised persons – all traced back to data compromised elsewhere. As cyber intelligence analyst Jeremy Kirk observed, the steady stream of breaches provides a “drip-feed of fresh identity information” for bad actors to exploit in account takeovers, fraud, and other ID theft schemes. In short, data loss is the precursor to identity loss.

Real People, Real Consequences

Identity theft is not just a financial crime – it delivers a deeply personal blow, and its impact on victims cannot be overstated. Victims often endure stress, anxiety, and a lengthy recovery process to reclaim their identity. When a hacker or scammer uses your stolen data to impersonate you, the fallout can be devastating – financially, emotionally, even physically. A recent survey by Norton found 13% of Australian consumers have experienced identity theft in their lifetimes. Alarmingly, an Australian Institute of Criminology study revealed nearly one in five (20%) Australians were hit by some form of identity crime just in the past year. These aren’t just statistics; they represent thousands of individuals suddenly thrown into turmoil.

Consider what happens when your identity is stolen: Almost immediately, fraudulent charges might pop up on your bank or credit card. You may start getting debt collection calls for accounts you never opened. Victims often must spend dozens of hours contacting banks, credit bureaus, and government agencies to set things straight. In Norton’s research, 45% of victims said they had to spend significant time resolving identity theft issues – a frustrating process of filing reports, proving one’s true identity, and undoing the damage. During this ordeal, nearly one third of victims (33%) suffered direct financial losses (money stolen or debts incurred). It’s common for victims to feel violated and anxious; many lose sleep or feel constant stress knowing a stranger is out there impersonating them. The emotional toll is such that 28% reported sleep disturbances and 34% experienced mental health challenges as a result of identity theft.

One Australian charity is seeing this impact up close. IDCARE, which provides free counseling and support to identity crime victims, has been overwhelmed by demand. After the Optus and Medibank mega-breaches in 2022, IDCARE saw a 45% surge in people needing help. Many callers are elderly Australians, who are often targeted by scammers and may struggle to navigate digital recovery processes. IDCARE’s managing director David Lacey noted that victims of cyber-attacks commonly suffer from anxiety and poor emotional health, and need both technical and emotional support in the aftermath. This underscores a key point: behind every leaked database or hacked account is a real person who may endure months or years of hardship trying to reclaim their identity and security.

These consequences are why data protection is about far more than compliance – it’s about human safety and well-being. A stolen medical record isn’t just a privacy breach; it can be leveraged to scam someone with fake bills or expose sensitive health information. A leaked driver’s license or passport number can facilitate fraudulent loans or phone accounts that wreck a victim’s credit. As Attorney-General Mark Dreyfus crisply put it, “When Australians are asked to hand over their personal data, they have a right to expect it will be protected”. Failing to do so leaves customers “vulnerable to identity theft, which can also lead to financial crime,” as the fallout from the Optus and Medibank hacks demonstrated.

AI: A New Weapon in the Scammer’s Arsenal

If massive data breaches have super-charged identity theft, artificial intelligence is turbocharging the tactics scammers use to defraud people. In 2023 and 2024, law enforcement and consumer agencies began warning of AI-driven scams that take social engineering to a frightening new level. One of the most disturbing trends is the rise of AI-powered voice cloning. Using just a few seconds of audio (perhaps lifted from a social media video or a voicemail), criminals can now create an eerily realistic clone of someone’s voice. They then call the target’s family members, posing as, say, their panicked grandson or distressed daughter, and urgently beg for money. These “deepfake” phone scams have already tricked people worldwide – parents have been duped into believing their child was in a terrible accident or legal trouble, and have wired tens of thousands of dollars to scammers as a result. In one case, Canadian grandparents nearly lost $21,000 after AI perfectly mimicked their grandson’s voice pleading for bail money. “We were convinced we were talking to him,” the elderly victim said. It’s essentially the old “Hi Mum/Dad, I lost my phone” impostor trick – but supercharged with AI realism, making it much harder to spot the fakery.

Advances in AI have empowered cybercriminals to create “deepfake” voices and images, making scams and phishing attempts far more convincing. Even a brief sample of your voice can be cloned with frightening accuracy. Australia is not immune to these developments. So far, the ACCC’s Scamwatch program says it has not received many scam reports explicitly citing AI impersonation, but it is “alert to the risks AI presents” as AI makes scams more sophisticated and harder to detect. And Australians are already experiencing related scams. In 2022, nearly 240,000 Australians reported scams totalling $568 million in losses – and a large portion of those involved some form of impersonation. Security experts predict AI-driven voice scams will keep increasing in 2024, as the technology to clone voices or even create fake videos (“deepfakes”) becomes more accessible to criminals. Already, 66% of Australians say they are increasingly worried about AI-powered scams in the wake of these developments.

It’s not just voice cloning. Generative AI text models (like ChatGPT) are being repurposed by threat actors to craft far more convincing phishing emails and malware. In underground forums, illicit tools such as “WormGPT” or “FraudGPT” – essentially uncensored AI chatbots – have emerged, specifically designed to help cybercriminals automate attacks. These AI tools can churn out flawless scam emails personalized to each victim, or even generate malicious code, at a scale and speed humans could never match. A security researcher noted that such generative AI “democratizes the execution of sophisticated [phishing] attacks. Even attackers with limited skills can use this technology,” making cybercrime more accessible to would-be fraudsters. In other words, AI lowers the barrier to entry – you no longer need to be a fluent English writer or a skilled coder to produce professional-looking scam content; the AI will do it for you. The threat is such that AI has been dubbed a “force multiplier” for cybercrime. It can sift through stolen data dumps to find useful identity details, script believable dialogues for scam calls, and even help guess passwords or security question answers by analyzing personal info.

For companies and individuals, this means the arms race between scammers and defenders is escalating. We now face attacks that are harder to distinguish from legitimate communication – voices that sound exactly like someone we know, emails that read as if a colleague wrote them, and on the horizon, even AI-generated video impostors. In this environment, traditional warning signs of a scam are harder to spot, and the cost of a data breach can be magnified (imagine stolen data being fed into AI to create ultra-personalized scams targeted at a company’s customers). It has never been more urgent for those holding customer data – especially companies – to bolster security and authentication measures, because the tricks of the trade used by attackers are rapidly evolving. As Scamwatch advises, the community must be extra cautious with unsolicited requests for info or money and verify identities through secondary channels. Likewise, businesses need to anticipate that a simple knowledge-based authentication (like asking for name, DOB, or a security question) may no longer be sufficient when so much personal info is out in the wild.

Australian Companies: Time to Take Responsibility

With identity theft surging and new threats like AI on the horizon, Australian companies must take a hard look in the mirror. Too often we’ve heard companies hit by breaches say, “cybercrime is a fact of life” – implying that they were just unlucky victims too. But this attitude is no longer acceptable. When a business collects and stores customers’ personal data, it is taking on a duty of care to protect that information. And if it fails, the damage doesn’t stop at the company’s bottom line – it hits the customer on a very personal level. Australian policymakers, as well as the public, are now demanding greater corporate accountability for data protection.

Regulators have already begun cracking the whip. In late 2022, in the wake of the Optus and Medibank debacles, the federal government moved swiftly to toughen privacy laws. Attorney-General Dreyfus fast-tracked amendments to the Privacy Act 1988 to greatly increase penalties for companies that suffer “serious or repeated privacy breaches.” The maximum fine leaped from a mere A$2.2 million to “the greater of $50 million, three times the value of any benefit obtained through the misuse of data, or 30% of the company’s adjusted turnover”. These eye-watering penalties (whichever is largest) send a clear message: data breaches are not just a cost of doing business. If you egregiously fail to protect customer data, it could cost you your profit margins or even your business. And more changes are coming: a Privacy and Other Legislation Amendment Bill 2024 is in the works to further enhance the OAIC’s enforcement powers, impose stiffer penalties, and explicitly require stronger security controls (like encryption and staff training) under the Privacy Act’s principles.

Beyond federal law, companies in certain sectors face additional obligations. For instance, banks and financial institutions must adhere to strict APRA CPS 234 standards for information security. Critical infrastructure providers come under the Security of Critical Infrastructure Act, which now includes cyber protections. But regulations and penalties only set the baseline. The truth is, no regulator can micromanage every company’s security – organisations themselves have to step up. The OAIC noted in 2024 that, six years into the Notifiable Data Breaches scheme, they expect “a higher level of accountability” and for organisations to treat personal data security “as a priority”. In plainer terms: by now, companies should know better and not be caught leaving databases unlocked or user passwords in plain text. The era of pleading ignorance is over.

If the moral imperative isn’t enough, consider the business consequences. When companies lose customer data, they lose trust – and that directly hits the bottom line. One recent survey found that 46% of companies had customers express concerns about their cybersecurity after a breach was reported. Would you readily continue to patronize a business that had exposed your personal info to hackers? Many won’t. In fact, studies indicate 83% of consumers will wait several months before trusting a breached company with their business again, and 21% may never return at all. Breaches can drive customers straight into the arms of competitors and tarnish a brand for years. This reputational damage is hard to quantify until it’s too late. So from a purely commercial standpoint, investing in robust data security is far cheaper than suffering a major breach – a point underscored by IBM’s research that the average cost of a data breach in 2023 reached $4.9 million in recovery expenses alone (not counting the long-term trust deficit).

There is also a shifting cultural expectation at play. We live in an age where data is effectively the new currency, and companies are its custodians. Australian society (and indeed consumers worldwide) are increasingly intolerant of negligent data practices. High-profile breaches have led to public outcry – why was so much data kept for so long? Why wasn’t it better encrypted? – and even shareholder pressure on executives. We’ve seen CEOs publicly apologising and even resigning in the wake of cyber incidents. The writing is on the wall: businesses must treat personal data with the same seriousness as they treat financial assets. After all, if you had millions of dollars of someone else’s money in trust, you’d have it under tight security; today, companies hold something potentially just as valuable – people’s identity information.

From Prevention to Proactivity: DSPM and DLP as Game-Changers

What concrete steps should Australian companies take to better protect customer data and prevent identity theft? The good news is that data security is a solvable problem, with an array of tools and best practices available. Two concepts gaining traction in cybersecurity circles are Data Loss Prevention (DLP) and Data Security Posture Management (DSPM). They represent a shift from reactive defense to proactive management of sensitive data – exactly the shift that’s needed.

Data Loss Prevention (DLP) isn’t new, but it’s more important than ever. DLP refers to a set of tools and processes designed to stop sensitive data from leaving an organisation’s secure environment – whether by accident or through malicious intent. Traditional DLP measures include technologies that can detect and block things like an employee emailing out a client database, or uploading files containing customer PII (Personally Identifiable Information) to an unapproved cloud service. For example, many companies deploy DLP software that scans outgoing emails and attachments for keywords or patterns (like credit card numbers or Medicare numbers) and prevents them from being sent if they’re not properly encrypted or authorized. DLP can also encompass enforcing encryption on data at rest and in transit, using access controls so that only authorized staff can view certain data, and monitoring file transfers and user behavior to catch anomalies (like a user suddenly downloading thousands of records after midnight). In practice, a strong DLP program means that even if hackers get in, or if an insider tries to sneak data out, there are barriers and alarms to stop large-scale exfiltration. It’s about plugging the leaks before they happen.
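To make the two DLP controls above concrete, here is an added example (not from the article, and not any vendor's DLP product): an outbound-content check that looks for payment card numbers and Australian Medicare card numbers, validating each candidate with its check digit (Luhn for cards; the Medicare weighted-sum check) so that random digit strings do not trigger blocks, followed by a simple behavioural rule that flags bulk exports outside business hours, run over constructed audit-log lines. The log format, the off-hours window and the bulk threshold are assumptions.

```python
"""Added example (not the article's code): a minimal DLP-style scanner.
Content rule: validated card / Medicare numbers in unencrypted outbound mail.
Behaviour rule: bulk record exports during off-hours.
All sample data below is constructed."""
import re
from datetime import datetime

# Candidate patterns: digit groups optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")          # 14-19 digits
MEDICARE_RE = re.compile(r"\b[2-6]\d{3}[ -]?\d{5}[ -]?\d(?:[ -]?\d)?\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def medicare_valid(digits: str) -> bool:
    """Medicare card number: 10 digits plus optional individual reference
    number. First digit 2-6; digits 1-8 weighted 1,3,7,9,1,3,7,9, and the
    weighted sum mod 10 must equal digit 9 (the check digit)."""
    if len(digits) not in (10, 11) or digits[0] not in "23456":
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    total = sum(int(d) * w for d, w in zip(digits[:8], weights))
    return total % 10 == int(digits[8])


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every candidate that passes validation."""
    hits = []
    for m in MEDICARE_RE.finditer(text):
        if medicare_valid(re.sub(r"[ -]", "", m.group())):
            hits.append(("medicare", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("card", m.group()))
    return hits


def outbound_decision(body: str, encrypted: bool) -> str:
    """Policy from the text: sensitive identifiers may only leave encrypted."""
    return "BLOCK" if find_sensitive(body) and not encrypted else "ALLOW"


# --- behavioural rule: bulk export after hours -------------------------------
BULK_ROWS = 1000            # assumed threshold for a "bulk" export
OFF_HOURS = (22, 6)         # assumed quiet window: 22:00 to 06:00

AUDIT_LOG = [               # constructed sample audit lines
    "2024-06-02T14:03:10 user=asmith action=export rows=250",
    "2024-06-03T01:12:44 user=bjones action=export rows=12000",
    "2024-06-03T09:30:00 user=bjones action=export rows=5000",
]
LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) rows=(\d+)$")


def off_hours_bulk_exports(lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (user, timestamp, rows) for bulk exports inside the quiet window."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        ts, user, action, rows = m.groups()
        hour = datetime.fromisoformat(ts).hour
        quiet = hour >= OFF_HOURS[0] or hour < OFF_HOURS[1]
        if action == "export" and int(rows) >= BULK_ROWS and quiet:
            flagged.append((user, ts, int(rows)))
    return flagged


if __name__ == "__main__":
    sample = "Card 4111 1111 1111 1111, Medicare 2123 45670 1, ref 1234567890123456"
    print(find_sensitive(sample))                 # two validated hits, the ref is ignored
    print(outbound_decision(sample, encrypted=False))
    print(off_hours_bulk_exports(AUDIT_LOG))
```

The validation step is what separates a usable DLP rule from a noisy one: the constructed reference number above is sixteen digits but fails Luhn and is not reported, while the 09:30 export of 5,000 rows is large but falls inside business hours and is left for ordinary review rather than alerting.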

While DLP focuses on controlling data movements, Data Security Posture Management (DSPM) is an emerging approach that focuses on knowing exactly what data you have, where it is, and how it’s being protected at all times. In the modern enterprise, data is sprawling across on-premise servers, cloud storage buckets, SaaS applications, employees’ devices, backups, and more. This sprawl creates “shadow data” – forgotten or unknown caches of sensitive information – that might not be adequately secured and can easily become breach points. DSPM solutions tackle this by continuously discovering and mapping sensitive data across all environments. They identify, for instance, if a database in a cloud account contains customer tax file numbers or health records, then check who has access to it, whether it’s properly configured and patched, and if any unusual activity is happening around it. In essence, DSPM provides a real-time picture of an organisation’s data security posture – highlighting vulnerabilities like misconfigured storage, over-privileged access, or data stores that lack encryption. Gartner only formally defined DSPM in 2022, reflecting how new this field is, but it’s quickly gaining traction as a “data-first” security approach. Instead of just securing the perimeter (firewalls, etc.), DSPM says secure the data itself wherever it lives.

For companies, adopting DSPM can be a game-changer. It answers critical questions: Do we know all the places our customers’ personal data resides? Are we locking those places down appropriately? Often, the answer today is no – many breaches happen simply because a company didn’t realize an old dataset was still sitting unprotected on a test server, or that a development team made a copy of the customer database for testing and left it in a cloud storage bucket without proper controls. DSPM tools would flag those situations. They can automatically scan and classify data (e.g. detect “this file contains 10,000 credit card numbers”), then alert security teams to apply protections or delete unnecessary sensitive data. As one analysis describes, DSPM “inverts the protection model” – instead of focusing only on securing networks or devices, it puts the focus on the data itself, ensuring it’s protected at the source. This approach aligns perfectly with the need of the hour: since identity thieves are after data, make sure that data is locked down no matter where it resides.

Of course, technology alone isn’t a silver bullet. Strong DSPM and DLP should be part of a broader data protection strategy that includes: regular security audits, employee training on privacy and phishing (humans are often the weakest link), strict user access management (principle of least privilege), and robust incident response plans. Companies should also practice data minimisation – only collect what you need, and delete it when it’s no longer required. It’s striking how often breaches expose data that a company didn’t even need to retain (for example, identification documents for customers who haven’t been with the company in years). Holding onto mountains of old data “just in case” is a liability in the making. By reducing the trove of personal data stored, you inherently reduce the fallout if a breach occurs.

Finally, encryption deserves special mention. Encryption is now widely regarded not just as good practice but as a necessary compliance step (and likely to be mandated explicitly by updated laws). Properly encrypting customer data means that even if attackers steal the files, they cannot read the sensitive contents without the decryption keys. In the case of Medibank, for instance, the company controversially had not encrypted certain customer health data, which made the breach far more damaging since the attackers could directly access and threaten to publish personal medical information. That lesson should resonate: encryption, along with strong access controls, can dramatically blunt the impact of a breach. It’s essentially the difference between a robber stealing a locked safe full of your documents (hard for them to open) versus an unlocked file cabinet.
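The DSPM paragraphs above, the data-minimisation point and the encryption point all describe the same kind of check: know which stores hold identity data, then verify how each is protected. Here is an added example (not the article's code and not any DSPM product) of that posture check over a constructed inventory of data stores. Each store is classified as sensitive from its schema field names; sensitive stores are then tested for missing encryption at rest, public exposure, over-broad access, shadow copies of production data in non-production environments, and data held past a retention limit. The field-name patterns, the principal threshold and the retention window are assumptions.

```python
"""Added example (not the article's code): a toy DSPM-style posture check.
Inventory values are constructed; patterns and thresholds are assumptions."""
import re
from datetime import date

# Field names that indicate identity or health data (assumed patterns).
SENSITIVE_FIELD_RE = re.compile(
    r"(tfn|tax_file|medicare|passport|licen[cs]e|date_of_birth|dob|"
    r"diagnosis|health|card_number)", re.IGNORECASE)
MAX_PRINCIPALS = 5          # assumed least-privilege ceiling for a sensitive store
RETENTION_DAYS = 365        # assumed retention limit for untouched data
TODAY = date(2024, 9, 1)    # fixed so the example is deterministic

INVENTORY = [               # constructed sample inventory
    {"name": "prod/customers-db", "env": "prod",
     "fields": ["id", "name", "email", "date_of_birth", "medicare_no"],
     "encrypted": True, "public": False, "principals": ["svc-crm", "dba-team"],
     "last_accessed": date(2024, 8, 30), "copy_of": None},
    {"name": "dev-bucket/customers-2021.csv", "env": "dev",
     "fields": ["name", "tfn", "passport_no"],
     "encrypted": False, "public": True, "principals": ["*"],
     "last_accessed": date(2022, 3, 14), "copy_of": "prod/customers-db"},
    {"name": "prod/marketing-stats", "env": "prod",
     "fields": ["campaign", "clicks"],
     "encrypted": False, "public": True, "principals": ["*"],
     "last_accessed": date(2024, 8, 1), "copy_of": None},
]


def sensitive_fields(store: dict) -> list[str]:
    """Classification step: which columns in this store carry identity data."""
    return [f for f in store["fields"] if SENSITIVE_FIELD_RE.search(f)]


def assess(store: dict) -> list[str]:
    """Posture rules, applied only to stores that hold sensitive data."""
    findings = []
    if not sensitive_fields(store):
        return findings         # no identity data: exposure is not an identity risk
    if not store["encrypted"]:
        findings.append("unencrypted-at-rest")
    if store["public"]:
        findings.append("publicly-accessible")
    if "*" in store["principals"] or len(store["principals"]) > MAX_PRINCIPALS:
        findings.append("over-privileged-access")
    if store["copy_of"] and store["env"] != "prod":
        findings.append("shadow-copy-of-production")
    if (TODAY - store["last_accessed"]).days > RETENTION_DAYS:
        findings.append("stale-exceeds-retention")
    return findings


def posture_report(inventory: list[dict]) -> dict[str, list[str]]:
    """Map every store name to its list of findings (empty list = clean)."""
    return {s["name"]: assess(s) for s in inventory}


if __name__ == "__main__":
    for name, findings in posture_report(INVENTORY).items():
        print(name, "->", findings or "OK")
```

The point the constructed inventory makes is the "data-first" one from the text: the public, unencrypted marketing store produces no finding because it holds nothing identity-related, while the forgotten developer copy of the customer database collects every finding at once, which is exactly the shadow-data case that a perimeter-only view would miss.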

A Wake-Up Call for Data Responsibility

The rising tide of identity theft in Australia is a symptom – a symptom of years of explosive data growth, inadequate security habits, and now the advent of AI tools that turbocharge criminal misuse of data. Stopping this trend requires collective action and a change in mindset. For too long, the onus of dealing with identity theft has fallen on individuals – the grandparent sorting out a fraudulent bank loan, the young adult trying to reclaim a hacked email account, the family devastated by a drained savings account. It’s time for the burden of prevention to shift upstream. Companies that handle customer data must see themselves as guardians of their customers’ trust and safety, not just entities checking boxes on a compliance form.

The Australian government and regulators are tightening the rules, but real progress will be when companies internalize that protecting data is part of their core mission. We need business leaders to ask not “Are we compliant with the minimum standards?” but rather “Have we done everything we reasonably can to secure our customers’ information?” The tools and strategies are available – from AI-driven security monitoring to good old employee education – but they must be prioritized and resourced. Investments in cybersecurity should be seen in the same light as investments in quality or safety; just as a food company invests to ensure its products won’t harm consumers, a modern company must invest to ensure its data practices won’t harm customers.

There are promising signs. Many Australian businesses did boost security spending after the 2022 breaches, and efforts like the National Cyber Security Strategy 2023–2030 and industry frameworks (e.g. the Essential Eight mitigation strategies) are pushing things in the right direction. But it will ultimately come down to execution and vigilance. Data security is not a one-time project – it’s an ongoing commitment, a “posture” that must be maintained even as technology and threats evolve. The emergence of AI both complicates the threat and offers new defensive tools (AI can help detect anomalies or fraud patterns too), so companies should leverage those innovations for good even as criminals plot to abuse them.

In the end, addressing identity theft and data loss is about remembering what’s at stake: the people behind the data. Each record lost is a person’s privacy invaded, their peace of mind shattered, their financial security potentially in jeopardy. By acting with urgency and responsibility now, Australian companies can help turn the tide. The thought-provoking question for any organisation should be: If we were the customer, would we trust a company like ours with our own most sensitive information? If the answer is uncertain, then it’s a clear wake-up call to improve data security posture. The threats may be rising, but with awareness, accountability, and action, we can ensure that the right to feel safe in the digital world is preserved for all Australians.
