Inadequate data protection safeguards and the stockpiling of sensitive customer information have made Australia a lucrative target in the eyes of foreign hackers, cybersecurity experts told AFP after a series of serious data breaches.

Medibank, Australia’s largest private health insurer, recently confirmed that hackers had accessed the data of 9.7 million current and former customers, including medical records related to substance abuse and abortions.

Telecom company Optus was the victim of a data breach of similar proportions in late September, in which the personal information of up to 9.8 million people was accessed.

Both incidents easily rank among the largest data breaches in Australian history.

Australian National University cybersecurity expert Thomas Haines said many companies have been hoarding personal data that they shouldn’t have been holding.

“There was a famous line for a while: data is the new oil,” he told AFP.

“If data is the new oil, then we live in the age of the weekly oil spill.”

Haines contrasted Australia’s approach with that of the European Union, which passed sweeping privacy reforms in 2018 that limit how organizations collect, use and store personal information.

“There must be incentives to prevent companies from hoarding data they don’t need or to penalize those companies for large leaks. Europe has done this,” he said.

“Right now, the business incentives are basically, let’s just keep a bunch of data.”

Haines said Medibank appears to be an exception, as most of the sensitive information has been stored in its databases for good reason.

Australia’s comparatively weak protections against identity theft also meant it was easier to exploit stolen personal information, Haines said.

“All they need to know is your passport, driver’s license and a few other things – and then I can start borrowing on your behalf.”

Haines said European countries like Norway have much stricter face-to-face requirements.

Dennis Desmond, a former FBI agent and US Defense Intelligence officer, said most hackers are looking for certain types of data.

“Profit hackers are after health data, they are looking for identity data and access data to systems,” he told AFP.

“There’s a profit motivation there, otherwise they wouldn’t be risking jail and prosecution.”

Medibank hackers began leaking stolen data to a dark web forum this week after the company refused to pay a $9.7 million (Aus$15 million) ransom.

Optus’ breach resulted in the theft of customer names, dates of birth and passport numbers.

Australian Federal Police Commissioner Reece Kershaw on Friday blamed a Russia-based hacking team for the Medibank cyberattack.

“We believe that those responsible for the violation are in Russia,” he told reporters.

“Our findings point to a group of loosely affiliated cybercriminals likely responsible for past major security breaches in countries around the world.”

Medibank data leaked onto the dark web so far includes hundreds of potentially compromising medical records related to drug addiction, alcohol abuse and sexually transmitted infections.

Home Secretary Clare O’Neil acknowledged on Friday that the country’s cyber defenses have not always been up to date.

Data researcher Jane Andrew from the University of Sydney said a big mistake is that Australian companies are not always required to report data breaches.

“There are tons of data breaches happening all the time that we don’t hear about,” she told AFP.

“Companies collected data because it was considered valuable without fully understanding the potential risks.”