Cybersecurity Act forces business rethink as losses jump 50% and regulatory penalties reach $50 million
Australia is confronting an unprecedented wave of cybercrime, with federal data revealing a 50% surge in losses and 47 million online accounts compromised in 2024 alone—a rate of nearly one breach every second.
The escalating crisis comes as the Cybersecurity Act 2024 marks its first anniversary, fundamentally reshaping corporate accountability and forcing executives to treat cyber risk as a core business discipline alongside finance and supply chain management.
The Office of the Australian Information Commissioner recorded 1,113 notifiable data breaches in 2024, the highest figure since mandatory reporting commenced in 2018.
The breaches cut across multiple sectors reliant on customer data and digital infrastructure, exposing critical vulnerabilities in how Australian organisations safeguard sensitive information.
High-profile incidents have underscored the scale of exposure. Airline operator Qantas disclosed in 2025 that cybercriminals had accessed data on 5.7 million customers, including names and email addresses.
Industry analysts warn such information fuels dark web marketplaces and enables sophisticated phishing campaigns, identity theft and financial fraud.
“47 million online accounts were compromised in 2024, which is nearly one every second,” said Joe De Martino, Artificial Intelligence of Things expert at Dahua Technology.
The financial and reputational stakes have intensified sharply. Regulatory penalties for serious data protection failures now reach up to $50 million or a percentage of revenue, depending on the severity of the breach.
“It is in business’ best interests to implement robust cybersecurity. The penalties for failing to properly protect data are serious, reaching up to AUD$50 million in some instances,” said De Martino.
Even incidents unrelated to malicious attacks have drawn regulatory attention. The 2023 Optus network outage, though not caused by cybercriminals, damaged the telecommunications provider’s reputation and triggered questions from customers and regulators about the reliability of essential services.
New Legal Framework Raises the Bar
The Cybersecurity Act 2024 establishes a national framework designed to improve transparency, coordination and baseline security standards across the economy.
Under the new regime, businesses with annual turnover exceeding $3 million must report ransomware payments within 72 hours.
The measure aims to enhance visibility of attack patterns and provide law enforcement with actionable intelligence on threat actors. The legislation includes protections for organisations that voluntarily share incident information.
Authorities can use disclosed data for cyber defence purposes but face restrictions on its use in civil or regulatory enforcement—a provision designed to encourage greater transparency without fear of immediate legal consequences.
A newly established Cyber Incident Review Board will conduct no-fault investigations following significant breaches, modelled on aviation safety inquiries. The board will publish sector-wide recommendations focused on learning rather than assigning blame.
Consumer Internet of Things devices face stricter requirements under the Act. New security standards prohibit universal default passwords, mandate public vulnerability reporting mechanisms, and require manufacturers to specify clear support periods for security updates.
The reforms align Australia with emerging international standards targeting insecure connected devices, which regulators increasingly view as entry points into corporate and residential networks.
Industry Adapts to Heightened Scrutiny
The federal government has outlined its vision for a cyber-mature economy, emphasising the need for a stronger cybersecurity workforce and safer technology deployment across industries.
Companies now face mounting pressure from customers, regulators and insurers. Early adopters of advanced security protocols aim to minimise disruption risk and avoid compliance shocks, while laggards face higher insurance premiums, restrictive coverage terms and reputational fallout following incidents.
Technology providers are adjusting operations accordingly. Dahua Technology, which specialises in video-centric Artificial Intelligence of Things systems, allocates approximately 10% of annual earnings to research and development, with a portion dedicated to cybersecurity initiatives.
The company operates a round-the-clock Product Security Incident Response Team to manage vulnerability reports and coordinate remediation efforts. It also maintains a Cybersecurity Centre supporting transparent disclosure of product issues and distribution of security patches.
Security advisers characterise such measures as part of a broader industry shift from minimum compliance toward continuous risk management.
“It’s important to remember this law (Cybersecurity Act) sets the floor, not the ceiling. The burden of implementation, and the benefits of resilience, sit squarely with boards and executive teams,” said De Martino.
Government data indicates cybercrime is now reported every few minutes in Australia. Policymakers and industry observers expect businesses that integrate cybersecurity into strategic planning and governance will shape the nation’s digital competitiveness over the coming decade.
