121 Cybersecurity and Cybercrime Statistics in Australia [UPDATED]

Profile picture of cyber insurance broker John Catibog Written by John Catibog – Updated May 10, 2019

This is the most comprehensive list on cyber security and cyber crime statistics in Australia.

I often talk to business owners about online dangers.

They’ve often seen something in the news. Or they know someone who clicked a dodgy link, received fake emails or lost money to a scam.

But when I ask about their own security, the usual response is along the lines of “it won’t happen to me.”

Look, I get it.

Insurance is not sexy.

At the best of times, my passion can be misinterpreted as just another broker trying to sell you cyber insurance.

Mix the complexity of insurance and technology and it’s easier to just ignore everything.

As if you didn’t have enough to worry about today, right?

In the past, businesses didn’t have to worry about the dangers of data.

Phishing, malware, social engineering – these are fairly new buzzwords.

And probably gibberish to a lot of people.

If insurance wasn’t my career and I didn’t study information systems then I’d likely respond the same way.

I’m aware of the dangers online because I know the facts and figures.

Many people think it won’t happen to them.

Until it does.

Then it’s too late.

If you want to increase your understanding to combat cybercrime then this is a good start.

Let’s get to it.


cybercrime is costing australia $1 billion per year
  • Cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone. (ACIC, 2019)
  • Cybercrime is expected to cost $6 trillion globally by 2021 (Cyberventures, 2016)
  • Australia is ranked fifth in the number of exposed records by country at a whopping 20,035,981 – an average of 834,833 exposed records per breach (Risk Based Security, Inc, 2018)
  • ACORN received an average 12750 reports of cyber crime between January 1, 2017- June 30, 2018. (ACORN Snapshot, 2017-2018)
  • According to Norton, 516,380 Australian small businesses that fell victim to cyber crime in 2017 (SmartCompany.com.au)
  • Top 3 Crimes Reported to ACORN were Scams & Fraud (50%), Purchase or Sale (21%) and Cyber Bullying (7%) (ACORN Snapshot, 2017-2018)
  • Malicious software, Unauthorized bank access and Unauthorised email access were the Top 3 cyber crimes experiences by Aussies (Symantec, 2018)
  • Approximately 41% of cyber crime victims were aged between 20 – 40 years old and 34% were aged between 40-60 years old (ACORN Snapshot, 2017-2018)
Australia is ranked fifth in data breaches


  • $3 million or more – the annual turnover of Australian Government agencies, business and not-for-profit organisations required to report a data breach incident to the OAIC (OAIC, 2018)
  • 30 days – the number of days entities must report a data breach to the commissioner’s office (OAIC, 2018)
In the NDB quarterly report, 812 data breaches have been reported in first year
  • 114 – the voluntary data breaches that were reported to the Office of the Australian Information Commissioner (OAIC) during the 2017 financial year. This was the year before it was mandatory to report data breaches. (www.arnnet.com.au, 2018)
  • Since the introduction of the NDB scheme and the General Data Protection Regulation (GDPR) 55% of organisations believe they have been fined for being in breach of such legislations. (Telstra Security Report, 2019)
  • Failures to comply with the NDB scheme can attract fines up to $2.1 million for organisations and $420,000 for individuals (OAIC, 2018)
  • 63 — the number of data breaches the Office of the Information Commissioner was notified about in the first six weeks of mandatory data breach reporting.
  • Prime Minister Scott Morrison pledges $156 million to building cyber workforce and fight cybercrime if re-elected. (zdnet, 2019)
  • Proposed amendments to the Privacy Act may increase maximum penalties to $10 million or three times the value of any benefit obtained through misuse of information or 10 per cent of company’s annual domestic turnover – whichever is greater (Attorney-General for Australia, 2019)
  • New penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches are being proposed in the Privacy Act amendments (Attorney-General for Australia, 2019)


  • According to the 2017/2018 BDO and AusCERT Cyber Security Survey, the top three cyber security incidents experienced by Australian and New Zealand organisations were ransomware (17.8%), phishing (19.3%), and malware (17.9%) (BDO, 2018)
  • In the quarterly data breach report, Malicious attacks (57-64%), Human Error (33-37%) and System Error (3-6% ) were the cause of reported incidents (OAIC, 2019)
  • In the 2018/2019 BDO and AusCERT Cyber Security Survey, data loss and the theft of confidential information incidents rose by 78.68 per cent in 2018 compared to 2017 (BDO, 2018)
  • Data breaches experienced through third-party providers and suppliers rose by 74.3 per cent (BDO, 2019)
  • 29 per cent of Australian organisations who have been interrupted by a data breach experienced an Advanced Persistent Threats (APT) attack at least monthly (Telstra Security Report, 2019)
  • Top 3 targets for cyber criminals were email, social networks and website advertising (ACORN Snapshot, 2017-2018)
  • Top 3 cost increasing factors: Compliance failures, Third party involvement, Extensive cloud migration (Ponemon Institute, 2018)
  • Web application attacks (38%) and incidents caused by human error (37%) were the most widespread types of incidents in Australia (Telstra Security Report, 2019)
  • 56 per cent of Australian businesses that reported a security attack, have experienced Business Email Compromise (BEC) on a weekly, monthly or quarterly basis (Telstra Security Report, 2019)
cybercrime attacks
  • The five most common types of cyber attacks were Phishing (48%), Malware (39%), Network scanning (24%), Brute force attacks (15%) and Man in the middle attacks (10%) (PWC’s 2018 Global Economic Crime & Fraud Survey: Australian Report)
  • 82 per cent of CEOs put cyber risk as one of their top 3 risk scenarios (PwC, 2016)
  • According to PwC Game of Threats, the number of detected security incidents increased by 109% (PwC, 2016)
  • Malware (29%), Google Drive (15%) and ransomware (12%) were the most prolific attack types (Carbon Black, 2019)
  • Phishing attacks (12%) and Process weakness (13%) were the cause of successful breaches (Carbon Black, 2019)
  • 65 per cent of Australian organisations are actively threat hunting (Carbon Black, 2019)
  • 26 per cent of actively threat hunting organisations have been doing so for more than 12 months, and over one-third of organisations have started threat hunting in the last year with 92 per cent reporting it has strengthened their defences (Carbon Black, 2019)


  • In 2018, businesses reported 5846 scams with $7.2 million in losses. (ACCC – Targeting Scams, 2019)
  • Business email compromise losses reported to Scamwatch in 2018 exceeded $3.8 million. When combined with reports to ACORN, losses to business email compromise scams exceeded $60 million. This is a 170 per cent increase over the combined losses of $22.1 million reported in 2017. (ACCC – Targeting Scams, 2019)
  • Business Email Compromise (BEC) scams accounted for 63 per cent of losses reported to Scamwatch (ACCC, 2018)
  • $2.8 million – total losses reported to Scamwatch for BEC scams (ACCC, 2018).
  • $30,000 – the average for a BEC scam (ACCC, 2018)
  • In 2018, Scamwatch received 177 516 scam reports. This represents a 10 per cent increase over the 161 528 reports in 2017. (ACCC – Targeting Scams, 2019)
  • The year 2018 had the highest level of financial loss ever reported to Scamwatch with $107 million reported lost. This is an 18 per cent increase over 2017 which totalled $90.9 million. (ACCC – Targeting Scams, 2019)
  • Scamwatch, ACORN and other federal and state-based government agencies received over 378 000 reports about scams. The combined losses exceeded $489.7 million. (ACCC – Targeting Scams, 2019)
  • The percentage of Scamwatch reports that included a financial loss increased from 8.7 per cent in 2017 to 10.1 per cent in 2018. This means more reports were from victims who actually lost money, as opposed to reports of attempted scams that failed to part a victim from their money. (ACCC – Targeting Scams, 2019)
  • The average of losses reported to Scamwatch was $5997. This is a 6.7 per cent decrease from the average loss in 2017. (ACCC – Targeting Scams, 2019)
  • ‘Investment scams’ were the most financially damaging scams reported to Scamwatch in 2018 with $38.8 million reported lost. When combined with reports to other government agencies, ‘investment scam’ losses exceeded $86 million. (ACCC – Targeting Scams, 2019)
  • ‘Dating and romance scams’ were the second most financially damaging with losses of $24.6 million. When combined with reports to other government agencies, ‘dating and romance scam’ losses exceeded $60.5 million. (ACCC – Targeting Scams, 2019)
  • People aged 55–64 reported losing more money than any other age group with losses of $24.8 million. (ACCC – Targeting Scams, 2019)
  • Women reported more scams but lost less money than men. Women reported over 94 200 scams and reported losses of $48.8 million. Men reported over 79 600 scams and reported losses of $56.9 million. (ACCC – Targeting Scams, 2019)
  • Women reported losing most to ‘dating and romance scams’ with $19.5 million in losses, while men were most affected by ‘investment scams’, reporting losses of $29.1 million. (ACCC – Targeting Scams, 2019)
  • Australians aged 65 and older submitted over 26 400 reports to Scamwatch in 2018 with losses of over $21.4 million. (ACCC – Targeting Scams, 2019)
  • Scamwatch received over 7800 reports from those who identified as suffering a disability or chronic illness with over $8.7 million in losses. (ACCC – Targeting Scams, 2019)
  • In 2018 Indigenous consumers reported $3 million in losses (across 2434 reports). This represents a 79 per cent increase over the $1.6 million lost (across 1810 reports) in 2017. (ACCC – Targeting Scams, 2019)
  • In 2018, 46.8 per cent of scam reports indicated contact via phone calls and 23.2 per cent by email. There were over 83 200 reports of phone-based scams with $30.3 million lost. There were 41 170 email-based scam reports with $25.3 million lost. (ACCC – Targeting Scams, 2019)
  • Reports of phone and text-based scams increased in 2018, but reports of email scams decreased. Reports of phone-based scams increased from 40.3 per cent of contacts in 2017 to 46.8 per cent in 2018. This is partly because of large numbers of automated scam phone calls in 2018. (ACCC – Targeting Scams, 2019)
  • ‘Phishing’ and ‘threats to life, arrest or other’ scams were the most common phone-based scams with 27 318 reports combined. However, ‘investment scams’ conducted over the phone resulted in the highest losses of $19 million. (ACCC – Targeting Scams, 2019)


89 per cent of companies reported data breaches
  • 65 per cent of Australian businesses were interrupted due to a breach last year, (Telstra Security Report, 2019)
  • 89 per cent of Australian organisations reported being breached in the past 12 months (Carbon Black, 2019)
  • The average number of breaches per organisation is 4.28 (Carbon Black, 2019)
  • 81 per cent of organisations reported seeing an increase in attack volumes (Carbon Black, 2019)
  • 88 per cent of organisations said attacks are becoming more sophisticated (Carbon Black, 2019)


  • Incident response plan, Extensive use of encryption and Employee Training were the top 3 cost reducing factors (Ponemon Institute, 2018)
  • 87 per cent of SMEs believe their business is safe from cyberattacks because they use antivirus software (MYOB, 2017)
  • 72 per cent believe their information is safe when stored in the cloud (MYOB, 2017)
  • 56 per cent of Australian businesses keep 26-75% of their workload in the cloud today (Telstra Security Report, 2019)
  • 76 per cent of Australian businesses anticipate moving 26-75% of their workload to the cloud within the next 2 years (Telstra Security Report, 2019)
  • Data encryption, protection of data at rest and Protection of data in transit are the top 3 security considerations with use of the cloud (Telstra Security Report, 2019)
  • Half of SMEs plan on improving their business security in the next 12 months (MYOB, 2017)
cybercrime 87 per cent of SMEs believe they're safe because they use antivirus software
  • 86 per cent of consumer are concerned about privacy but 68% accept certain risks for convenience (Norton, 2018)
  • 14 per cent of Australian respondents have not done anything to protect their online privacy (Norton, 2018)
  • Limiting posting on social media, Clearing or disabling cookies and Changing default privacy settings are the Top 3 Steps taken by Aussies to protect online privacy – . (Norton, 2018)
  • One third of SMEs say they continuously back up their systems’ data. (SmartCompany, 2018)
  • The Top 3 Steps Taken by Aussies to Protect Devices, Identity, or Wi-Fi Networks in Australia are not sharing passwords, not opening suspicious files and Limiting their social media sharing (Norton, 2018)
  • 90% of organisations plan to increase cyber defence spending (Carbon Black, 2019)


notifiable data breaches scheme human error exposed records
  • Human error was responsible for the unauthorised disclosure of data of more than 270,000 people. (www.arnnet.com.au, 2019)
  • 36 per cent of Australian respondents report weekly or monthly events due to the, ‘accidental insider’(Telstra Security Report, 2019)
  • 62 per cent of Australian organisations are able to discover an ‘accidental insider’ breach within ‘minutes or hours’ (Telstra Security Report, 2019)
  • 68 per cent of Australian organisations were able to recover from ‘accidental insider’ related incident inside of two hours (Telstra Security Report, 2019)


ransom were paid by 51 per cent of cybercrime victims
  • 51 per cent of Australian respondents that were attacked by ransomware paid up (Telstra Security Report, 2019)
  • 79 per cent would do it again if they did not have backups available. (Telstra Security Report, 2019)
  • 77 per cent of Australian businesses which paid a ransom were able to retrieve their data after making the payment. This is a decrease of nine per cent year on year (Telstra Security Report, 2019)
  • 80 per cent of Australian organisations say they were struck by ransomware attacks (IT News, 2019)
  • A majority of SMEs paid an average $4,677 to retrieve their data from a ransomware attack (Smart Company, 2019)
  • $8164 — the price of one Bitcoin in Aussie Dollars at the time this article was first published.
  • A third of Australian organisation are being interrupted on a weekly or monthly basis by ransomware attacks (Telstra Security Report, 2019)


number of organisations without an incident response plan
  • 1 in 4 Australian businesses don’t have an incident response plan in place to deal with damaging cyber-attacks when they happen. (Telstra Security Report, 2019)
    34 per cent of Australian organisations are testing and reviewing their Incident Response Plan monthly (Telstra Security Report, 2019)
  • 77 per cent of local businesses have incident response plans and are better prepared than ever for cyber-attacks (Telstra Security Report, 2019)
  • The top 2 security challenges globally for organisations surveyed is the ability to timely detect and respond to incidents and the impact of new technologies. (Telstra Security Report, 2019)
  • 52 per cent of Australian organisations are able to detect data breaches within ‘minutes or hours’, which is a decrease from 61 per cent compared to 2018. (Telstra 2019)
  • Some 40 per cent of Australian businesses have been able to identify security breaches within ‘days, weeks or months’ compared to 29 per cent in 2018 (Telstra 2019)


Top 3 cost reducing factors for cyber crime
  • Loss of productivity, Corrupted business data and Loss of customers are the top 3 concerning potential impacts of a major security breach (Telstra Security Report, 2019)
  • The average cost of a data breach is $1.99 Million (Ponemon Institute, 2018)
  • The average cost per record is $108 (Ponemon Institute, 2018)
  • The average time to identify a breach is 185 days (Ponemon Institute, 2018)
  • The average time to contain a breach is 75 days (Ponemon Institute, 2018)
  • Almost 18 per cent of SMEs were impacted by a cyber incident (BDO, 2018)
  • 30 per cent of respondents were affected by a cyber incident of some kind – and it is important to note that these incidents were not confined to large corporations. (BDO, 2018)
  • FirstWave Cloud Technology scanned over 1.5 billion inbound and outbound emails across its customers’ mail servers and blocked over 800,000 suspicious inbound emails. (Telstra Security Report, 2019)
  • A year after the NDB scheme was initiated, human error has been responsible for the unauthorised disclosure of data of more than 270,000 people (www.arnnet.com.au, 2019)
  • 1 in 4 businesses hit by a cyber attack suffered 25 hours or more of downtime (ASBFEO, 2017)
  • According to a Webroot research, Australian businesses that employ between 100 and 500 employees can expect to lose approximately $1.9 million if hit by a cyber attack.(SMARTCompany)
  • 84 per cent of Australian organisations report that budgets for cyber and electronic security will increase within the next 12 to 24 months (Telstra, 2019)
  • 20 per cent of overall IT budget will be allocated to security spending. (Telstra Security Report, 2019)
$900,000 per annum spent of security budget for cybercrime protection
  • The average cyber and electronic security budget was over $900,000 per year (Telstra Security Report, 2019)
  • 33 per cent of Australian organisations are increasing the frequency of executive and board meetings to discuss security due to recent regulatory and compliance requirements. (Telstra Security Report, 2019)
  • 32 per cent of Australian organisations that reported being interrupted due to a security breach in the past 12 months indicated that their business had been interrupted ‘on a weekly or monthly basis’ from ransomware attacks (Telstra Security Report, 2019)
  • 65 per cent of Australian organisation have experienced business interruption due to a breach in the past 12 months, up five per cent from our 2018 (Telstra Security Report, 2019)


industries most effected by cyber crime
  • Retailers (62 per cent), social media sites (57 per cent) and banks (53 per cent) are most at risk of suffering the consequences of a breach, with Australian consumers prepared to avoid their business in future. (CMO, 2019)
  • In the NDB quarterly data breaches report, the health services provider industry reported breaches the most, a total of 163 in 12 months. Finance came as a close second with a total of 119 reports in 12 months, followed by legal with 87 and education with 62. (www.arnnet.com.au, 2019)


consumers would walk away from companies that were victims of cybercrime
  •  Gemalto’s Customer Loyalty 2018 Report found Australian consumers are more likely than their global counterparts to walk away from a company (retail, financial, healthcare) that experiences a breach, with over two-thirds (70 per cent) admitting they would look elsewhere if financial and sensitive information such as card details and bank accounts were stolen. Over half (55 per cent) admitted they would also walk if passwords alone were stolen. (CMO, 2019)
  • Two-thirds of Australian consumers are worried that at some point their online personal information will be stolen. (CMO, 2019)
  • 38 per cent of Australian respondents indicated that the level of concern from customers on data privacy has increased over the past 12 months (Telstra Security Report, 2019)


  • The Cabrini Hospital data breaches locked 15,000 patient records and demanded a ransom payment. (The Age, 2019)
  • Approximately 137,500 unique valuation records, and approximately 1,680 supporting documents and approximately 250,000 individual records in total (with many duplicate records) were accessed in the Landmark White data breach (Landmark White, 2019)
  • 3 Executives resigned as result of the Landmark White data breach (AFR, 2019)
  • 10.6 percent share price drop in the wake of the Landmark White data breach revelation. (Sydney Morning Herald, 2019)
  • 10 days – The availability of the Landmark White data breach records on the dark web. Landmark White continues to monitor the internet to for further disclosure of personal information related to the breach (IT News, 2019)
  • 1,194 customer records and staff names and logins were involved in the Bunnings Warehouse data breach (Yahoo Finance, 2019)


  • According to Lloyd’s general representative in Australia, Chris Mackinnon, “In 2017, we wrote about $30 million worth of premium on cyber and we would expect to see that continue obviously in the new environment we are trading in here.” Lloyd’s “have gone from $6 million, to $17 million, to $30 million in premium.” (Insurance Business Mag, 2019)
  • The size of the cyber market globally is now around US$4 billion(Allens, 2019)
  • Standalone cyber insurance premiums range between $900 – $2,500, depending on the limit of cover, activities and security of an ‘acceptable’ small business. (AB Cyber Pro, 2018)
  • Only 37 per cent of survey respondents had cyber insurance cover. (BDO, 2018)
  • 2 – the minimum number of signatories you should have to authorise an electronic funds transfer
  • ONE cyber attack can put you out of business


Some of these numbers are mind boggling.

The scary thing is it just takes one incident and you’re in trouble.

Similar to Neo in the Matrix, you can choose to see these facts and figures in two ways.

  • Blue pill – you can ignore everything and continue to believe what you want to believe, or
  • Red pill – be a little more open-minded about these threats and the possibility it can happen to you.

If you choose the red pill then you can proactively take the right steps to protect your business.

Contact us to get started with a cyber insurance quote for when your cyber security fails.

All written content on this post is for information purposes only. Opinions expressed herein are solely those of John Catibog, unless otherwise specifically cited. Material presented is believed to be from reliable sources and no representations are made by our company as to another parties’ informational accuracy or completeness. All information or ideas provided should be discussed in detail with an adviser, accountant or legal counsel prior to implementation.