Australian businesses are facing an unprecedented wave of cyberattacks, with new data revealing the escalating financial and operational toll on enterprises across the nation. The latest statistics paint a concerning picture of a business landscape under siege from increasingly sophisticated cybercriminals.
The Numbers Tell a Stark Story
The Australian Cyber Security Centre (ACSC) recorded over 87,400 cybercrime reports in the 2023-24 financial year, representing a cybercrime incident reported every six minutes.
This marks a significant increase from the previous year’s 94,000 reports submitted during 2022-23, which already represented a 23% jump from the year before.
Small businesses are bearing the brunt of this digital assault. According to the latest Annual Cyber Threat Report, the average cost of cybercrime for small businesses has risen by 8% to $49,600 per incident, while individuals face an average cost of $30,700 per report—a 17% increase from the previous year.
The financial impact extends far beyond immediate losses. Global projections suggest cybercrime damages could reach $10.5 trillion by 2025, with Australia’s businesses contributing significantly to this staggering figure.
The average cost of a data breach reached $4.88 million globally in 2024, marking a 10% increase from the previous year.
Small Business Vulnerability
The data shows a clear gap in cybersecurity: while 91.9% of Australian businesses earn under $2 million, small enterprises face 43% of all cyberattacks.
More concerning is the investment gap in cybersecurity. Nearly half (48%) of Australian small-to-medium enterprises spend less than $500 annually on cybersecurity protection, according to ACSC data. This minimal investment leaves them vulnerable to increasingly sophisticated attack vectors.
The Australian Institute of Criminology’s 2023 research found that 22% of small-to-medium business owners reported their operations were negatively impacted by cybercrime in the 12 months prior to the survey, while 25% of all respondents experienced some form of cybercrime impact.
The Insider Threat Reality
Adding to external pressures, businesses face significant internal risks. Recent statistics reveal that 83% of businesses experienced at least one insider attack in 2024, highlighting the multi-faceted nature of current cybersecurity challenges.
Geographic and Sector Patterns
Australia’s more populous states continue to report higher volumes of cybercrime incidents, reflecting both population density and business concentration.
The majority of reports continue to come from small businesses, indicating that cybercriminals are increasingly targeting sectors with potentially weaker security infrastructure.
Critical Vulnerabilities and Response Times
The threat landscape is evolving rapidly, with cybercriminals exploiting vulnerabilities at unprecedented speeds. Data shows that one in five critical vulnerabilities was exploited within 48 hours of disclosure, despite patching or mitigation advice being readily available.
The Broader Impact
The escalation in cybercrime frequency and severity is creating ripple effects across the Australian economy. Identity theft, online fraud, and email scams rank among the top concerns for businesses, with significant data breaches resulting in millions of Australians having their personal information stolen.
The Australian Signals Directorate’s Cyber Security Partnership Program has grown to include over 110,000 organisations and individuals, reflecting the urgent need for collaborative defense strategies across both public and private sectors.
Australia Rocked by Major Cyber Breaches in 2025
Australia continues to face a growing cybersecurity crisis in 2025, with a wave of significant breaches impacting government bodies, major corporations, and educational institutions.
From ransomware gangs to accidental data exposures, here are five of the most serious incidents that have shaken the nation this year:
1. Australian Human Rights Commission – April 2025
On April 10, the Australian Human Rights Commission confirmed a data breach that exposed personal details submitted through its complaints portal.
Documents uploaded between March 24 and April 10—including addresses, health data, and contact information—were inadvertently made publicly accessible.
The exposure also impacted other web forms, including those for the Human Rights Awards and Speaking from Experience Project. The Commission is unable to confirm how many individuals were affected.
2. Nine Newspapers – March 2025
Personal data belonging to 16,000 subscribers of The Sydney Morning Herald, The Age, and The Australian Financial Review was leaked online due to a third-party service provider failure. Exposed details included names, email addresses, and postal information.
Nine was quick to reassure the public that no passwords or financial data were compromised, and said it has since worked with the provider to resolve the issue and notify affected users.
3. NSW Department of Communities and Justice – April 2025
A significant breach of the NSW Department of Communities and Justice led to the unauthorised download of 9,000 sensitive court documents, including affidavits and apprehended violence orders.
NSW Attorney-General Michael Daley stated that authorities are assessing the breach and tightening security on the court’s online registry. Legal experts have raised alarm over the potential risks to victims and witnesses whose private information may now be exposed.
4. Fullerton Hotels and Resorts – April 2025
Luxury hospitality group Fullerton Hotels and Resorts fell victim to the notorious Akira ransomware gang, which claimed to have stolen over 140GB of sensitive corporate data from the Sydney hotel location.
Documents such as NDAs, contracts, financial records, and IDs were allegedly compromised. The group posted threats to release the data on its darknet site, describing the incident as a “security audit.” The matter has been reported to the Australian Information Commissioner.
5. University of Notre Dame Australia – February 2025
The Fog ransomware group claimed responsibility for breaching the University of Notre Dame Australia, stealing an alleged 62.2GB of sensitive data.
The stolen information is said to include staff and student contact details, medical files, and confidential documents. The university confirmed an ongoing investigation in collaboration with the Australian Cyber Security Centre, but has not disclosed further information as inquiries continue.
Looking Forward
The data underscores an urgent need for Australian businesses, particularly small enterprises, to reassess their cybersecurity posture.
With cybercrime reports arriving every six minutes and costs continuing to rise, the question is no longer whether businesses will be targeted, but when and how well they will be prepared to respond.
The statistics reveal a business environment where cybersecurity is no longer an optional investment but a critical survival strategy.
As cybercriminals continue to evolve their tactics and target vulnerable small businesses, Australia’s economic resilience increasingly depends on strengthening the digital defenses of its most vulnerable enterprises.
