Protecting your data - ĚÇĐÄVlog
Wed, 08 Apr 2026 04:49:02 +0000

Scams getting worse where new protections won’t apply

Thu, 02 Apr 2026

Criminals are moving toward online contact methods not covered by the government’s Scams Prevention Framework.

After years of a steep upward trend in the number of scams affecting Australians, reports to the authorities have begun to level off.

But we still lost more money in 2025 than in 2024, overwhelmingly due to investment scams. 

The latest report from the National Anti-Scam Centre – which combines data from Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and the Australian Securities and Investments Commission – shows that slowing down the global scams juggernaut is as challenging as ever.

Reported scam losses peaked at $3.1 billion in 2022 and have fallen about 30% since then. But last year scammers still managed to steal a collective $2.18 billion from Australians.

Scammers focus on websites and social media platforms

There were 77,365 text scams reported in 2024, when scammers barraged Australians with fake notifications about package deliveries, government notifications, bank communications and more.

This tapered off in 2025, when significantly fewer text scams were reported (29,058). The world’s criminal scam organisations now appear to be focused on websites and social media platforms, and losses increased by 21% in these areas compared to 2024.

ĚÇĐÄVlog director of campaigns and communications Andy Kelly says the changing trends put consumers at greater risk.

“The latest data shows that scammers are increasingly shifting from phone calls and text messages to online contact methods to target victims,” Kelly says. “The government cannot justify glaring holes in its proposed digital platform designation, which won’t capture email service providers, dating apps and online marketplaces.”

The federal government’s Scams Prevention Framework – which covers banking, telcos and digital platforms –  also leaves out app stores and gaming platforms, both of which have increasingly been exploited by scammers. Australians lost $139 million to romance scams in 2025, many of which would have been perpetrated by online contacts not covered by the framework. 

Global cooperation is key

Catriona Lowe, deputy chair of the Australian Competition and Consumer Commission (ACCC), says “collaboration and shared accountability” are needed both domestically and globally to gain the upper hand over the ever-evolving scams industry, adding that “scams are often described as a ‘wicked problem’ because they are complex, fast-evolving, and resistant to simple solutions”.

“As Australia and indeed the world faces increasing sophistication in scam activity through artificial intelligence and the industrialisation of criminal syndicates through scam compounds, it is clear more needs to be done, quickly and at scale,” Lowe says.

To this end, Australia joined other G7 countries in early March to endorse a Call to Action to Combat Fraud at the United Nations and Interpol Global Fraud Summit.

In addition, more than 100 organisations from around the world endorsed a Public Private Partnership Framework to encourage and improve global cooperation in the fight against scams.

Fake gambling sites target vulnerable consumers

Betting and sports investment scams also saw an increase in both number of reports and total losses in 2025, with almost triple the losses ($2.4 million) of 2024.

Most of this was attributable to a phenomenon known as “scambling”, where online gambling platforms are promoted that lead to scam websites where all bogus bets are lost to criminals.

Sports investment scams, which made up a smaller percentage of losses, involve convincing victims to invest money in fraudulent online betting systems that promise high returns.

Strikingly, there was a 91.5% increase in reports from First Nations people about betting scams and a 93.5% increase in reports from people with a disability.

“We know losses remain high, but coordinated interventions are key to combating scams, and we will continue working together to strengthen efforts, including through the Scams Prevention Framework,” Lowe says.

Another critical factor is that Australians continue to report scams.

“Without people speaking up, we simply wouldn’t have the insights needed to track and disrupt scam activity,” Lowe says. “We encourage people to report suspicious activity so we can continue improving our understanding and response to scams.”

Why wouldn’t the bank help this identity theft victim?

Mon, 30 Mar 2026

Her questions were left unanswered because she wasn't a customer of the bank the fraudster used.

Need to know

  • An identity theft victim tried to get assistance from the bank where an account was set up in her name but was told they couldn’t help because she wasn’t a customer
  • The woman’s AFCA complaint against the bank was rejected on the same grounds
  • On 12 March, after this incident, AFCA gained new powers that allow it to investigate any bank involved in a scam or identity theft, whether or not the victim is a customer

When a debit card arrived in the mail in mid-January with Patricia*’s name on it she knew it wasn’t a good sign.

The card was for Great Southern Bank (GSB) – Patricia was not a customer and never had been. She realised her identity must have been stolen.

“I acted quickly to try to limit the damage – placing credit bans, reporting the matter to police, and contacting financial institutions  – but I’m very conscious that many people would not detect something like this as quickly,” she says.

Her prompt attention to the matter paid off, because the fraudster had attempted in short order to open accounts under her name with AfterPay, American Express, and Wisr (a personal loan provider). The credit ban Patricia had placed on her file blocked these applications, and all three providers quickly acknowledged that they were fraudulent.  

She eventually discovered that her new driver’s licence had been stolen before she received it, and the fraudster had used it to open the GSB account.

But GSB was less than helpful.

“When I contacted the bank after discovering the fraudulent account, it was extremely difficult to get support because I was told repeatedly that I was not their customer,” Patricia says.

“Firstly, I wanted to understand how the account had been opened in my name, because that would indicate what personal information had been compromised and what steps I needed to take to protect myself. More broadly, what I was really looking for was acknowledgement and meaningful action from the bank regarding how this happened and how they would prevent it happening again, for myself and others.”

She wanted to know the email address and phone number that were used to open the account in her name. The bank’s reason for refusing to provide this may have been legitimate, but its representatives were also dismissive, unprofessional and rude, Patricia says.

“During multiple calls with their call centre I received inconsistent information about escalation, was refused access to the fraud team or a supervisor, and was essentially told there was nothing further they could do for me.”

AFCA unable to help

As of 12 March, AFCA gained new powers to investigate all banks involved in a scam, whether or not the victim is a customer.

At this point she felt that her only option was to lodge a complaint with the Australian Financial Complaints Authority (AFCA). She called out GSB for failing to respond appropriately to her situation and for not having adequate identification checks in place to make sure people opening accounts were who they said they were. The only piece of identification used by the fraudster was her driver’s licence.

But the bank doubled down on its unhelpfulness, appealing to AFCA to have the case dismissed on the grounds that Patricia wasn’t a customer, and that only customers can lodge AFCA complaints. AFCA conceded that this aligned with its legislative charter at the time.

In fairness, GSB is not an outlier when it comes to identity verification. Most banks only require a single primary form of identification to open a bank account, such as a driver’s licence or passport.

GSB: ‘We escalated the matter appropriately’

A GSB spokesperson tells ĚÇĐÄVlog that the bank is prohibited from sharing information about scam perpetrators (including identity theft) with their victims by both the Privacy Act and the Anti-Money Laundering and Counter-Terrorism Financing Act. The bank says that it responded appropriately to Patricia’s requests for help.

“We have strong sympathy for the affected individual and have worked with her, as well as relevant organisations, to help reduce the risk of further identity theft and fraud,” the spokesperson says.

GSB says it provided sound guidance, advising Patricia to report the incident to the police and place a ban on her credit file. (This good advice aligned with the steps she had already taken.)

But the bank admits that it could have done better.

“We believe we escalated the matter appropriately, but acknowledge our communications could have been clearer, and we are taking steps to improve how we communicate in situations like this.”

AFCA gains new powers

Had Patricia’s experience with the scam of identity theft happened in mid-March rather than mid-January, AFCA’s response to her complaint may have been different.

As of 12 March this year, AFCA’s jurisdiction expanded to allow it to investigate scam complaints involving the unauthorised opening of accounts whether or not the complainant is a customer of the bank in question.

It means that when a scammer convinces you to send money from your bank account to an account the scammer has set up at another bank (known as a mule account), AFCA can open investigations into both banks.

“This is an important step to establishing a broader, more coordinated framework for looking at scam complaints and it reflects how scams operate in the real world,” an AFCA spokesperson says, adding that the change “strengthens transparency and accountability across the banking system by ensuring all parties involved in the movement of scam funds are accountable”.

As for Patricia’s case, AFCA says it “expects banks to engage with identity theft victims based on consumer expectations and good industry practice”.

Along with the AFCA complaint, Patricia also complained to GSB’s Customer Advocacy team.

“I decided to reach out in a more direct and personal way to set out the full context of what had happened and to see whether there would be any acknowledgement, accountability or rationale around the bank’s role in the situation. Unfortunately, that wasn’t the case,” Patricia says.

The bank maintained that it had made no mistakes since the fraudulent account was opened using a valid driver’s licence.

(*Editor’s note: Patricia is a pseudonym)

Real estate agents, chemists, car hire companies and more under new privacy scrutiny

Thu, 08 Jan 2026

Australia’s privacy regulator is reviewing the privacy policies of businesses collecting your personal data during in-person interactions.

Need to know

  • In recent years, ĚÇĐÄVlog has conducted several investigations that focused on the far-reaching permissions privacy policies give the businesses that write them
  • In 2023, we reported on the privacy policies of rental platforms, and last year we analysed the privacy policies of Australia’s ten most popular car brands
  • This month, the Office of the Australian Privacy Commissioner begins its first full-scale privacy policy review, focusing on information demanded by businesses in person

Very few of us read the privacy policies we passively consent to when engaging with a service provider. Fewer still would understand what these privacy policies actually say.

In recent years, ĚÇĐÄVlog has conducted several investigations that focused on the far-reaching permissions these documents give the businesses we regularly interact with.

In 2023, we reported on the privacy policies of rental platforms such as realestate.com.au’s Ignite as well as Ailo, Tenant Options, Rental Rewards, Snug, 2Apply and Simple Rent.

The conclusion? These RentTech platforms collected information that went well beyond what’s needed to assess a tenant’s ability to pay the rent. The questions often seemed designed to grab as much data as possible from people who had no choice but to provide it.

In 2024, we analysed the privacy policies of Australia’s ten most popular car brands to see how the vehicles monitored and tracked their drivers. Here again we found that the harvesting of personal driver information was often excessive, and the rights the manufacturers gave themselves to share the data with third-parties were both far-reaching and vague.

The ACCC has estimated that it would take the average Australian 46 hours to read all the privacy policies they encountered in a month, the average length of which is about 6876 words.


All of this makes the Office of the Australian Information Commissioner’s (OAIC) recent announcement that it will begin its first large-scale review of privacy policies in early January 2026 more timely than ever.

What’s changing in privacy law?

The Privacy Act requires privacy policies to contain certain details, such as what information is collected, why it’s needed, how it’s used, and how it can be corrected if necessary. 

An update to the Act in 2024 means businesses will also be required (as of 10 December 2026) to specify in their privacy policies whether a computer program will be using your personal information to make decisions that could go against you, such as when an application for a rental home is rejected. 

In addition, the 2024 update gave the OAIC the power to issue infringement notices for Privacy Act violations without going to court. And it gives individuals the right to seek legal redress and financial compensation in certain cases for invasions of privacy or misuse of their personal information.

The OAIC’s privacy policy sweep is taking a different approach than our investigations of online privacy documents. It will occur in the real world, focusing on information demanded by businesses in person, such as when a real estate agent asks you for personal details when you’re inspecting a rental property or a car rental company presents you with a lengthy form before handing you the keys. The privacy policies of such businesses must include the above-mentioned information. 

Not having the right information in a privacy policy – or not having a privacy policy at all – could lead to fines from the OAIC of up to $66,000.

Which types of businesses will be targeted?

The privacy policy sweep will focus on sectors where the OAIC believes there are particular power imbalances – also known as information asymmetries – between the business in question and the customers being asked to provide the information.

“When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” says Privacy Commissioner Carly Kind.

“This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

The OAIC says it will review the privacy policies of around 60 businesses from the following six sectors, with a particular focus in each case.

  • Rental and property – collection of individuals’ personal information during property inspections.
  • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
  • Licensed venues – collection of identity information to enable individuals to access a venue.
  • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
  • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
  • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

Transparent communication is critical

In the OAIC’s view, a business’s explanation of how it will use personal information should be open and transparent.

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information,” Kind says.

“The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person.

“We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”


Five sophisticated scams to watch out for in 2026

Thu, 08 Jan 2026

From the teen social media ban to interest rate hikes, here’s how scammers may try to get you this year.

Need to know

  • This year, watch out for these new ways scammers will be trying to fleece consumers
  • Criminals may exploit confusion surrounding the teenage social media ban and prospective changes to interest rates to convince Australians to hand over their money
  • The growing popularity of sales events, sporting matches and live performances is also attracting criminals trying to make a buck

Australians reported $312 million worth of losses to Scamwatch last year.

That number is down slightly compared to the previous year, as scam awareness improves and businesses and governments introduce measures to crack down on online criminals.

But new laws, advances in technology, shifts in the economy and other changes impacting our lives are providing scammers with new avenues to exploit – and novel ways to do so.

We’ve put together a guide to some of the latest efforts from the world of scams to help you know what to look out for this year.

1. Social media ban phishing

One of the biggest stories of last year was the federal government’s introduction of age limits on social media.

Since December 2025, popular platforms like Facebook, Instagram and TikTok have taken steps to prevent anyone under 16 from creating or holding an account.

Much of the coverage of this world-first initiative has focused on the impact on teens, but regulators are warning that criminals may take advantage of the upheaval to target all of us who use social media.

Platform impersonation

State and national bodies are warning that scammers may impersonate social media platforms, the federal government or police and claim you’re at risk of losing your account or being fined unless you share personal details or money to prove your age.

These phishing criminals may ask you to click a link to a fake website, provide your account username and password or upload sensitive identity documents to prove you’re old enough to be on social media.

Clicking on fake links can put your device at risk, while sensitive details like personal ID numbers can be used by scammers to steal money under your name.

Accounts for cash

Regulators say criminals may also contact young Australians and their families and offer to sell them fake IDs or access to age-verified accounts so they can avoid the ban.

The eSafety Commissioner says these operators are unlikely to ever provide what they’ve promised and warns they may try to develop an unsavory relationship with the teens they talk to.

Scammers may target children trying to get accounts on social media following the teen social media ban.

Hi Mum, revamped

There’s also a risk that scammers might use news of the ban to breathe new life into a well-worn phishing exercise.

The “Hi Mum” scam – where criminals contact people at random, claiming to be their children who are in need of help after losing their phone – has been a favourite ploy of scammers in recent years.

The eSafety Commissioner and the ACCC say Hi Mum operators may tweak their approach and pose as older teenagers or young adults accidentally caught up in the social media ban.

Their messages may claim parents have to click on a link or share copies of a child’s ID documents in order to verify their age and allow them to keep using social media.

How to avoid them
  • Ignore requests for payment: None of the platforms targeted by the ban are requesting payment as part of their compliance with the laws. Any demand to send money to secure your account is a scam.
  • Double-check suspicious messages: Don’t act on unexpected texts or emails. Avoid falling for the Hi Mum scam by contacting family members on a number you’ve used before or found yourself. Ignore offers to help teens circumvent the ban with fake IDs or access to a verified account.
  • Check platform information: Social media companies complying with the ban should provide info on how they’re verifying people’s ages. Check a platform’s website using a link you’ve found yourself. It should also say if it’s employing a third party to help with verification efforts.

The ACCC says shopping scams “surged” in 2025, becoming one of the most commonly reported cons of the year, while cyber security companies reported that the criminals running these schemes are expanding their methods to coincide with popular sales.

With events like Black Friday getting bigger every year and other perennial discounting periods like the End of Financial Year (EOFY) sales just around the corner, it’s likely we’ll see shopping scammers deploy more of their familiar cons in coming months.

Dodgy shopping sites

Look out for websites promising products at big discounts that are, in reality, phishing portals designed to steal your money and sensitive information.

Some sites are copies of the official pages of popular outlets, while others are “ghost stores” – wholly invented operations, claiming to be small local boutiques.

Shoppers making orders through any of these sites are usually left waiting for products that never arrive, or find their purchases are poor-quality knock-offs.

Note that the scammers running these pages have been able to promote them to appear on social media and in search engine results, so be careful of sponsored posts too.

Fake parcel alerts

Scammers know many of us will be shopping online in this year’s sales and will likely play on our eagerness to see our valuable packages delivered to us safe and sound.

Criminals often impersonate courier companies and send SMS messages urging you to click on links to secure upcoming parcel deliveries, arrange re-delivery or pay fees to receive a parcel.

These links often lead to pages designed to harvest your payment information or other sensitive details.

Note that scammers are currently still able to use technology to make it look like their SMS messages are coming from trusted delivery services like Australia Post, giving them an air of authenticity.

How to avoid them
  • Don’t click on suspicious sale links: Don’t click on unexpected links claiming to connect you with shopping deals. Look up the store online and click on the first non-sponsored search engine result.
  • Check that a branded website isn’t a dodgy copy: Avoid websites claiming to be major retailers that are offering suspiciously big discounts on all products or those that have an unusual URL and inconsistent supporting information.
  • Scrutinise a store’s “local” connections: Avoid retailers that claim to be a small local business, but can’t be found on any maps of the town where they claim to be based and say in their fine print that their products ship from overseas.
  • Double-check delivery demands: Don’t click on unexpected links demanding that you take action over a parcel delivery. Contact the company that is claiming to contact you independently using details you’ve sourced yourself to confirm any requests for information or money.

3. Fake events and tricky tickets

Flaming sky lanterns are banned in Australia, so avoid events claiming to provide these.

One in five Australians have missed out on an event due to fake or undelivered tickets, according to research by PayPal, with many losing significant amounts of money.

Scammers have been employing a mix of methods to carry out these thefts. These include selling tickets to wholly fake events, as well as the long-standing practice of selling fake tickets to real events like popular concerts and sports matches.

In September last year, Western Australian authorities warned consumers not to buy tickets for sky lantern festivals or drone shows around Perth that were being promoted on social media, revealing such events didn’t exist.

This came after authorities in South Australia urged fans of a local AFL team to be on the lookout after fake tickets were sold for hundreds of dollars by scammers looking to cash in on interest in the club following its strong performance.

Meanwhile, a New South Wales man was charged for allegedly being involved in a similar scheme where more than 100 fake passes were sold to a popular music festival.

How to avoid them
  • Know what’s possible: Open flame lanterns that float into the sky are illegal in Australia, so a local event based around these is highly implausible.
  • Be skeptical of secrecy: Beware of events advertised on social media whose promoters claim tickets and the exact location will only be issued 48 hours before the event.
  • Stick to official sources: Watch out for tickets to major events being sold through social media. Ticketing for events at big stadiums and arenas is usually controlled by a large ticket company, which would usually be the authorised reseller.
  • Compare prices: All states have some form of anti-scalping laws, which put a cap on how much a legitimate ticket reseller can charge. This cap is usually based on a percentage markup of the original price (usually 10%). Overcharging could be a sign of a scam, so compare what you’re being offered to the ticket’s original sale price.

4. Pump and dump schemes

The corporate regulator is warning anyone interested in investing this year to watch out for “pump and dump” schemes following a rise in reports of this type of scam in recent months.

A pump and dump is when people with a financial interest in a small company or obscure asset spread misleading rumours online in order to inflate the price of their investment.

Once their asset has been sufficiently “pumped,” these unscrupulous operators will “dump” (sell) their share for a profit. The following fall in the asset price often results in those who bought into the hype losing money.

Meanwhile, with inflation on the rise again, some market watchers expect the Reserve Bank to raise interest rates this year.

Such announcements often spur borrowers and savers to see where they could be getting a better deal, so scammers may use these times to spruik dodgy investment opportunities or fake loans.

How to avoid them
  • Be careful of buying into hype: A rush of advertising, influencer and celebrity endorsements or online forum comments telling you to invest in a particular company could be the beginning of a pump and dump scheme.
  • Follow up on communication: Your bank or other legitimate financial institutions shouldn’t contact you and create a sense of panic about your finances or advise you to make sudden changes. Verify any suspicious messages using contact details for the bank or institution you’ve found yourself.
  • Know the common red flags: Beware of suspicious schemes involving cryptocurrency or requiring you to download remote access software. Watch out for conversations on social media or messaging platforms that unexpectedly turn to investing.
  • Do your research: You should be able to find plenty of information about a legitimate investment company by searching online.

5. AI video clones

At the end of last year, NAB intervened to stop a customer from sending $100,000 to someone appearing to be Hollywood actor Kevin Costner.

Suspicious about the requested transfer, the bank says it discovered that the Kevin the customer had been talking to via video call was a copy created by scammers using AI – one so realistic it had convinced the customer she was speaking to the real actor and that he needed the money.

Scammers are likely to deploy more AI-generated clones to aid their efforts this year. Image: Meta

Mounting improvements in generative AI will be one of the consistent stories of this year, and scam victim support organisation IDCARE says it expects to see more cases of criminals taking advantage of these advances to better clone the voices and faces of individuals who can lend credibility to their schemes.

We’ve previously pointed out the devastating impacts of audio deepfakes used in phone-based scams, but combined with the latest visual cloning technology to create video messages, they now pose a greater threat.

How to spot them
  • Be realistic: A celebrity is unlikely to ever contact you asking for money. If the request is coming from someone you know, verify it by contacting the person using details you’ve used before or found yourself.
  • Check the source: See where the video came from. Official accounts of legitimate organisations or individuals are unlikely to create AI videos of themselves or their representatives.
  • Read their lips: The audio in an AI video may not always match the mouth movement of the person depicted. Watch for instances of dodgy lip-syncing.
  • Check if it looks too good: AI clones sometimes have an airbrushed, over-polished look. Check if the hair, lighting and skin tone look believable. Beware of unnatural blinking or flickering around the eyes.
  • Look at the body parts: AI struggles with hands – if these appear in the video, check that they look realistic. Look also at faces for any unusual asymmetries.
  • Once more with feeling: Look for unusual facial expressions that don’t match the tone of what’s being said.

Pathology lab becomes the first business to be fined in Australia for a privacy breach /data-protection-and-privacy/protecting-your-data/data-laws-and-regulation/articles/australian-clinical-labs-fined-for-data-breach Sun, 12 Oct 2025 13:00:00 +0000 /uncategorized/post/australian-clinical-labs-fined-for-data-breach/ In a recent court judgement – the first of its kind under the Privacy Act – Australian Clinical Labs was fined $5.8 million.


Need to know

  • In a groundbreaking judgement, Australian Clinical Labs was ordered to pay $5.8 million in penalties for violations of the Privacy Act 
  • They would have been much higher had the data breach occurred after 13 December 2022, when penalties went from $2.22 million per contravention to as much as $50 million.
  • Similar rulings could be made against Optus and Medibank, which have both been taken to court by the Office of the Australian Privacy Commissioner

In February 2022 the personal medical information of 223,000 people fell into the hands of scammers after the IT systems at Australian Clinical Labs (ACL) were breached.

It was a major cybercrime incident, yet ACL dragged its heels – first by failing to properly investigate whether a data breach had occurred and then by taking too long to inform the Office of the Australian Information Commissioner (OAIC) once the business knew its systems had been infiltrated.

In a recent court judgement – the first of its kind under the Privacy Act – ACL was ordered to pay $5.8 million in penalties for these and other contraventions of privacy legislation.  

Most of the penalty ($4.2 million), however, was for failing to protect the data in the first place, something that far too many companies have failed to do.

Australian Information Commissioner Elizabeth Tydd calls the unprecedented legal outcome “a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them”.

The Justice in the case said ACL’s negligence “had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience” and could have “a broader impact on public trust in entities holding private and sensitive information of individuals”.

ACL penalty could have been a lot higher 

Trust in how our data is collected and protected is already low. In September, Privacy Commissioner Carly Kind found that Kmart Australia had breached Australians’ privacy by grabbing their personal information without their consent in 28 of its stores through facial recognition technology (FRT), a system ostensibly designed to prevent refund fraud. How safe this data is remains unclear. (The Privacy and Information Commissioners are both part of the OAIC.)

Kmart’s secret use of FRT was originally uncovered through a 2022 ĚÇĐÄVlog investigation, which also revealed the use of FRT at Bunnings and The Good Guys. The Privacy Commissioner recently made a similar ruling against Bunnings, a case that is currently under review by the Administrative Review Tribunal.

The OAIC did not pursue financial penalties in the Kmart case, but the financial penalties against ACL may be just the beginning – and they’re on track to get a lot higher. 

In August, Commissioner Tydd launched court proceedings against Optus following a cyberattack in September 2022 that resulted in the personal information of around 9.8 million Australians falling into the hands of criminals.

And in June last year, the OAIC filed a court case against Medibank Private following an October 2022 data breach that saw the sensitive health information of around 9.7 million Australians disappear into the criminal underworld.

The penalties against ACL would have been much higher had the data breach occurred after 13 December 2022, when maximum penalties went from $2.22 million per contravention of the Privacy Act to as much as $50 million. (Alternatively, fines can equal three times the benefit derived from the conduct or up to 30% of a business’s annual turnover per contravention.)

Should the Optus and Medibank cases result in financial penalties, they would be determined according to the regime in place before 13 December 2022. But it seems that data breaches aren’t going away anytime soon, and whether the threat of higher fines will stop the breaches is an open question. 

A turning point for privacy law

Referring to the recent ACL case, Commissioner Kind says “this outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament”. 

“This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold.”

Qantas data hack exposes alarming gap in consumer protections /data-protection-and-privacy/protecting-your-data/data-privacy-and-safety/articles/qantas-data-breach Wed, 02 Jul 2025 14:00:00 +0000 /uncategorized/post/qantas-data-breach/ ĚÇĐÄVlog repeats call for an airline ombuds scheme following a massive data breach at Australia's largest carrier.

ĚÇĐÄVlog is reiterating urgent calls for an airline ombuds scheme after revelations of a widespread data breach at Australia’s biggest airline, Qantas. 

On Wednesday, Qantas revealed that they had detected “unusual activity” on a platform used by their contact centres earlier in the week, and that initial investigations found data such as customer names, emails, dates of birth and frequent flyer numbers had been compromised. 

The airline says some six million customers had data stored on the service platform in question and that a “significant” amount of customer data had likely been stolen. 

Qantas says that credit card details and passport details were not held in the system that was breached. 

Time for an ombuds scheme 

Bea Sherwood, senior campaigns and policy advisor at ĚÇĐÄVlog, says the data hack highlights the urgent need for a strong aviation ombuds scheme to support airline customers and facilitate complaints when events like this occur. 

“This is not the first time Qantas customers have had issues with the airline, with ĚÇĐÄVlog giving the company a Shonky Award in 2022 for unusable flight credits, delayed flights, and more,” she says.  

“Despite ongoing issues with Qantas and other airlines since, customers still don’t have an effective means of directing or resolving their complaints. The Australian Financial Complaints Authority and the Telecommunications Industry Ombudsman consider financial and telco complaints, including about data breaches,” she says. “There is currently no equivalent independent body for airline customers to raise concerns – a huge gap in our consumer protection system.”

“As airlines become more data driven, a robust ombuds scheme to protect consumers is needed more than ever,” says Sherwood.

Australian super system caught unprepared for cyber attack /data-protection-and-privacy/protecting-your-data/data-privacy-and-safety/articles/superannuation-funds-data-breach Thu, 03 Apr 2025 13:00:00 +0000 /uncategorized/post/superannuation-funds-data-breach/ Banks, telcos and social media platforms are required to protect Australians from scams, but the super industry is exempt


Need to know

  • At least five superannuation funds have been targeted in a data breach
  • The government's Scams Prevention Framework (SPF) requires banks, telcos and social media platforms to protect Australians from scams, but the super industry is exempt
  • Australians are urged to log in to their super account to check details are correct and report any unusual emails or text messages from their fund 

Members of the super funds Australian Retirement Trust, AustralianSuper, Hostplus, Rest, Insignia and possibly others will not be having a relaxing weekend.

The major funds recently suffered a cyber attack from criminals who reportedly had familiarity with the Australian super system.

Passwords were apparently harvested from the dark web, and the latest media reports suggest that only AustralianSuper members have so far been hit with fraudulent withdrawals.

The question for affected super members – as well as for the industry as a whole – is which anti-scam protections were in place, and why didn’t they work?

Cyberattack ‘shocking and unsettling’

The recent passage of the government’s Scams Prevention Framework (SPF) requires banks, telcos and social media platforms to meet new obligations to protect Australians from scams, or risk fines of up to $50 million.

But the legislation doesn’t apply to superannuation funds. Recent cyber attacks on a number of major funds show why this needs to change.

“Reports of this cyberattack on at least five big super funds are shocking and unsettling,” says Super Consumers Australia CEO Xavier O’Halloran. “This is people’s financial future at risk. And the details and extent of this attack are still emerging.”

The breach follows continual warnings from regulators and consumer advocates that the super sector as a whole is falling behind on cyber-resilience and scam protections. 

As Australians are legally required to put their money into super, this can’t be a good thing.

“Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings,” O’Halloran says. 

“We’re calling on the next Government to urgently extend the new protections to safeguard Australians’ retirement savings against fraudsters, scammers and cybercriminals.”

The affected funds have reportedly been working with the National Cyber Security Co-ordinator to figure out just how big this hack is. 

What to do if you’re concerned your super may be affected

If you’re concerned about today’s news, Super Consumers Australia has this advice:

  • If possible, log in to your super account to check your details are correct and change your password.
  • Watch out for communications from your super fund.
  • Contact your super fund if you see any unusual activity; for example, SMSs or emails about transactions or changes that you have not requested. 

‘What was stolen?’ Victim of IVF data hack says company has kept them in the dark /data-protection-and-privacy/protecting-your-data/data-privacy-and-safety/articles/ivf-data-hack Tue, 18 Mar 2025 13:00:00 +0000 /uncategorized/post/ivf-data-hack/ Genea patient claims poor communication following hack of extremely sensitive health data.

For Sydney mother Chloe*, years had passed since she had thought about IVF company Genea, which she had used to receive donor eggs to become pregnant with her child over a decade ago. 

Despite asking the company to dispose of her frozen eggs six years ago and having had nothing to do with them since, her data has now been compromised in a major data hack.

Genea was hacked in the early weeks of February and by late in the month the criminals reportedly began posting data relating to patients on the dark web. Some of the data stolen included contact details, Medicare card numbers, medical histories, test results and medications. 

Chloe heard about the hack from media articles, but thought that – given she hadn’t heard anything from the company – she wasn’t impacted. She later received a message from them saying that she had been affected, but not specifying how. 

“The communication has been really poor, they haven’t told us anything and have kept us in the dark,” she says. “It has been almost a month now and I have emailed them and they still can’t tell me what was stolen,” she says. 

“I’m lucky I have already told my child about being born from a donor, because that information may be out there now,” she adds. 

Sensitive health data 

University of Melbourne’s professor of law and digital ethics Jeannie Paterson says under the law in Australia all health data is considered “sensitive data”, and companies that hold it have greater responsibilities to protect it. 

“Because this data is so sensitive it is very attractive to hackers, because the sensitive nature puts a lot of pressure on the company to pay a ransom rather than face the embarrassment of having this data leaked,” she says. 

While acknowledging that it takes time for the full extent of a data breach to come to light, Paterson says Genea should have done better at informing affected patients. 

“Companies have an obligation to report data breaches to the Information Commissioner, but they also should have a plan in place for keeping people whose lives have been infected informed,” she says. 

“The level of trauma and uncertainty that happens to people when there’s a data breach, it only goes up the longer they’re kept in the dark, particularly when information is being published in screenshots in the dark web,” Paterson adds.

Sensitive health data is particularly attractive to hackers.

OAIC and Genea respond 

The Office of the Australian Information Commissioner (OAIC) declined to comment on the Genea hack specifically, but said of all sectors, the health sector had notified OAIC of the most data breaches since the notification scheme commenced in 2018. 

“Organisations that collect, use and store personal information have a considerable responsibility to ensure that data is held safely and securely. This is very important for health service providers given the sensitive information they hold,” an OAIC spokesperson says. 

A spokesperson for Genea says they continue to liaise with the police and other authorities to investigate the data breach and that they will continue to update affected patients. 

“We understand the importance that people place on their personal information and that this incident is concerning for those patients potentially impacted. Genea is committed to communicating with patients as swiftly and transparently as possible, and we apologise for any concern this incident has caused,” the spokesperson says. 

*Not her real name 

Major data breaches go from rare to routine /data-protection-and-privacy/protecting-your-data/data-privacy-and-safety/articles/big-jump-in-major-data-breaches Sun, 02 Mar 2025 13:00:00 +0000 /uncategorized/post/big-jump-in-major-data-breaches/ A cybersecurity firm warns that Australian businesses must do better. 


Need to know

  • Mega data breaches (those affecting a million people or more) have gone up and up in recent years – from the beginning of 2022 to the end of 2023, there were 12
  • From January to June 2024, the Office of the Australian Information Commissioner received 527 data breach notifications, the highest number since the July to December 2020 period 
  • A report by a Sydney-based cybersecurity firm indicates that businesses and organisations still aren't doing enough to protect our data 

Our main focus in the digital world these days should be on steering clear of scams, and deleting, reporting or ignoring all forms of contact that seem even remotely fishy. But large-scale data breaches that make our personal details available to scammers – pretty much forever – are worth paying attention to as well. 

With the stolen personal information, all the corporate-style global scam operations out there have a lot to work with. They can craft personalised scams that can fool the best of us. 

The biggest data breaches in recent years include the Optus case, where up to 9.8 million people had their data stolen; the Latitude Finance case, which affected around 14 million Australians; and the Medibank event, where the records of around 4 million customers were heisted. 

But these are just the well-publicised cases, and the reported ones. Under the Notifiable Data Breaches scheme, all organisations must report any data breach both to the Office of the Australian Information Commissioner (OAIC) and to affected people if the theft of the personal information is likely to result in harm to those it identifies. 

From January to June 2024, the OAIC received 527 data breach notifications, the highest number since the July to December 2020 period and a 9% increase on the previous six months.

Most of the breaches (63%) in the first half of 2024 affected 100 people or less, but the MediSecure data breach affected almost 13 million Australians. Many breaches likely go unreported. 

Twelve major breaches over two years 

According to the Sydney-based cybersecurity firm StickmanCyber, mega data breaches (those affecting a million people or more) have gone up and up in recent years. 

The firm – which is a member of the NSW Government Cybersecurity Taskforce and the Australian Cyber Security Centre – recently released a report it says is based on an analysis of all 6000 notifiable data breaches reports submitted to the OAIC since the scheme’s inception in 2018. The firm obtained the reports through a Freedom of Information request lodged in October last year. 

The main takeaway is that there were just two data breaches that affected a million Australians or more between 2018 and 2021. And then, from the beginning of 2022 to the end of 2023, there were 12. Breaches affecting at least 1000 people went up 40% over that period as well, according to the report.

Other noteworthy findings include that nearly a third of mega breaches went undetected for at least 30 days; that Australian Government organisations usually take longer than corporate entities to detect a breach; and that the healthcare and finance sectors have suffered the highest number of breaches. 

“For mega breaches to increase so much, so fast, is cause for concern,” says StickmanCyber CEO Ajay Unni. 

“The problem is that there are now more companies with more data on Australian residents than ever. When they are breached, we are accustomed to the contact, payment and identification details of millions of people falling into the wrong hands. But we should never accept this as the status quo. Businesses have to do better, or they must leave our data alone.”

Data breach details in OAIC reports 

The StickmanCyber report would be eye-opening for many, but it’s worth noting that the data breach information was already available by way of the OAIC’s , for those who take the time to delve into government reports. 

In its January to June 2022 report, when the OAIC started to notice an increase in large-scale data breaches, it introduced a breakout box showing the number of Australians affected.

An OAIC spokesperson tells ĚÇĐÄVlog the reasons for the increase in major breaches are multifold, the standout being “the increasing frequency and complexity of cyber attacks”, which are behind the majority of breaches. 

More businesses reporting breaches to the regulator as required following the high-profile Optus and Medibank cases is another probable reason, OAIC says. Other reasons for the increase include the growing use of external service providers by businesses, particularly cloud and software services. 

Data breaches also give criminals the tools they need to launch increasingly effective cyber attacks, leading to further data breaches. The OAIC’s spokesperson referred to these as “credential stuffing attacks”. It means the criminals are using our personal information to steal yet more personal information. 

Ajay Unni says his firm’s research provides further evidence that the organisations that have our data continue to fall short on protecting it. 

“The Australian public sector is notably poor at both identifying and responding to breaches in a timely fashion. But at least the public sector is reporting to the OAIC. The data suggests that underreporting is a chronic issue in the private sector. There are suspiciously few breaches in many industries like retail, which we know collect large volumes of data and struggle to protect it.”

Most Australians want tougher privacy laws following data breaches /data-protection-and-privacy/protecting-your-data/data-laws-and-regulation/articles/privacy-reform-survey Wed, 04 Sep 2024 14:00:00 +0000 /uncategorized/post/privacy-reform-survey/ With a recent breach affecting almost 13 million people, consumers are demanding change.


Need to know

  • Australians support reforms to the Privacy Act that would stop businesses from collecting too much data
  • The proposed reforms would also give more powers to regulators to investigate and act on data breaches
  • ĚÇĐÄVlog is calling on the federal government to institute these reforms urgently

New data reveals a majority of Australians support changes to privacy regulations being championed by ĚÇĐÄVlog, with approximately 80% backing several key reforms.

It comes as authorities reveal almost 13 million people may have had their health information and other personal details accessed by hackers following a cyber attack on former prescription delivery service provider MediSecure in April.

This follows years of data breaches affecting major companies, including Optus, Medibank and Latitude Financial, putting the sensitive information of millions of Australians at risk.

To help protect our data, ĚÇĐÄVlog is calling on the federal government to urgently implement four key improvements as part of its reform of the Privacy Act, which governs how our data can be collected and used.

Millions of Australians have had their data exposed to hackers following recent data breaches.

Australians back better privacy protections

In our latest ĚÇĐÄVlog Consumer Pulse survey*, a nationally representative survey of over 1000 households conducted in June 2024, consumers told us they back many of the reforms we’re presenting to the government.

ĚÇĐÄVlog senior campaigns and policy adviser Rafi Alam says that after years of data leaks, people are fed up and want change.

“Privacy reform has never been more urgent,” he says. “Consumers want and deserve strong protections for their personal information. They tell us daily that they are worried about their data and they expect the government to act to protect them.”

These are the four key reforms we’re pushing for.

Major company data breaches: people affected (millions)
  • Medibank: 9.7
  • Optus: 9.8
  • MediSecure: 12.9

1. Stop the over-collection of data

Of those surveyed, 77% said they believed businesses should only be allowed to use your personal data in ways that are fair to you.

We’re calling on authorities to institute a “fair and reasonable use” test or, as Alam refers to it, “the privacy pub test” – something that would be considered reasonable and fair to most everyday Australians.

A privacy pub test would seek to ensure businesses can only collect and use your data in ways that are fair, regardless of consent or tricky terms and conditions.

Alam says a requirement for this in the Privacy Act will discourage organisations from collecting more data than they need and prevent them from using data in ways that hurt consumers.

“For too long, businesses in Australia have had a culture of rampant over-collection of data that has led not only to massive data breaches, but also unfair practices like price discrimination and manipulative data-driven marketing,” he says.

Australians believe much of the information captured by our devices could identify us.

2. Bring ‘personal information’ into the digital age

ĚÇĐÄVlog also believes more of our sensitive details ought to be brought under the protections of the Act.

“Unfortunately our privacy laws were written in the 1980s, long before cybersecurity and artificial intelligence were everyday concerns,” says Alam. “We need fit-for-purpose privacy laws that offer consumers the protection they deserve in the digital age.” 

Currently, ‘personal information’ is protected in the Privacy Act, but is defined only as information about a person, such as names, addresses and phone numbers.

We want the definition changed to information relating to a person, safeguarding more of the data collected on us by our devices, such as IP addresses and our exact location.

Consumers are already well aware of the power this information has. Over 70% of survey respondents believe it could lead to them being identified.

3. More protections from businesses of every size

Consumers also believe more businesses should be required to abide by privacy laws.

According to Australia’s privacy commissioner Carly Kind, 95% of Australian businesses aren’t complying with any privacy legislation.

Most small businesses, with a turnover less than $3 million per year, are currently exempt from the Privacy Act, but 81% of survey respondents told us that they think these firms should be required to follow the same rules as big businesses when dealing with personal data.

“Australians expect the same protections, regardless of the size of the business,” Alam says.

“Whether it’s a real estate agent, supermarket or social media site, consumers want assurance that their personal information will be used fairly.”

4. Help authorities keep data collectors in line

Consumers back ĚÇĐÄVlog’s call for more powers for the data regulator.

Finally, ĚÇĐÄVlog also wants the national privacy regulator, the Office of the Australian Information Commissioner (OAIC), to be given similar authorities to other regulators, like the ACCC and ASIC, to mitigate wrongdoing. 

This would include giving OAIC stronger investigative powers and the ability to issue infringement notices for smaller breaches of the Act. 

“Stronger powers for the regulator will uplift compliance across the economy and restore trust in the market,” says Alam.

In our survey, 88% of respondents agreed that the regulator should be able to fine businesses that misuse our personal data.
