#1 Victorian uni for graduate employment1
#1 in the world for sport science2
#1 Victorian uni for course satisfaction3
NEXT UP ON this.
Pieces of our lives are stored all over the world. Airlines know our passport numbers, health funds hold our Medicare details, real estate agencies store our drivers’ licences – and then there are all the online stores that keep track of our home addresses, phone numbers and credit cards. Even our faces can be held on file.
It’s not something we have to think about very often but, when our personal digital information is leaked in a data breach, it can be a serious problem. As professor at Deakin University’s School of Information Technology Gang Li explains, we might not even be able stop data breaches entirely.
‘We now live in a highly data-intensive society,’ Li says. ‘Complete personal data protection is not realistic, because much of our daily life depends on digital services that require some level of data sharing. The goal is risk reduction, not absolute protection.’
So, what exactly is a data breach? And how do those data breaches happen in the first place? With Li’s expertise, let us go once more into the (data) breach.
In the words of the Office of the Australian Information Commissioner, a data breach occurs when ‘personal information is accessed, disclosed without authorisation, or is lost.’ According to Li, this data has value that can be exploited – whether that’s ‘financial, strategic, or deeply personal.’
As Li explains, two main types of data happen to be at risk when it comes to breaches: personal and organisational.
TV shows and films paint pictures of Matrix-style hackers infiltrating databases. When we look at how data breaches happen in real life, though, the reality is less theatrical.
As Li explains, there are two main groups responsible for data breaches: external attackers (including organised cybercrime groups and opportunistic individuals), and internal opportunists.
In both cases, the motivation for why and how a data breach happens is usually the same: financial gain. As it turns out, even individual pieces of data can be valuable, with credit card numbers often fetching US$50 a pop, and retail store logins at US$9 – though these details aren’t being sold on regular, legitimate websites.
‘Stolen data is frequently traded in grey or underground markets,’ Li says. ‘The emergence of cryptocurrencies, such as Bitcoin, together with anonymising networks like TOR, has made these markets far more feasible and scalable. They allow buyers and sellers to transact across borders with reduced traceability, which lowers the barrier for monetizing stolen data.’
Australia has had its share of headline-grabbing data breaches in the past few years. Companies like Qantas, Optus and Medibank all had large-scale breaches affecting millions of Australians. If it seems like data breaches are happening more often, though, Li suggests that we might just be seeing more reported breaches.
‘Part of the increase in reported data breaches reflects stronger disclosure and reporting requirements in Australia, rather than a sudden deterioration in security,’ Li says. ‘Under related law/regulations such as Privacy Act 1988, organisations are now legally required to notify regulators and affected individuals when serious breaches occur. Incidents that may once have been handled quietly are now formally reported, which improves transparency and public awareness.’
Even still, Li suggests that data breaches seem to be happening as a common occurrence, and that could be because of an increased financial incentive, more data to access (thanks to increasing use of cloud service and mobile devices, for instance), and the rise of more sophisticated, AI-powered tools.
A data breach is a form of theft – though a purely digital version. Unlike the smash-and-grab of high-profile thefts like the 2025 Louvre Heist, which leave physical traces and video evidence, data breaches tend to be less obvious. So how are data breaches detected, then?
‘Most data breaches are not detected at the exact moment data is stolen,’ Li says. ‘In practice, detection is often retrospective and probabilistic, meaning systems infer that something is wrong based on patterns rather than directly observing data theft in real time.’
Li says that, instead of observing a data breach as it happens, security teams and automated detection software will usually pick up on ‘anomalies’ or unusual patterns of behaviour.
‘Imagine a bank account suddenly being accessed at 3 a.m. from another country, followed by large data downloads that do not match normal behaviour,’ Li says. ‘The system may not know that data is being stolen, but it recognises that this behaviour is unusual. That triggers alerts, allowing security teams to investigate and contain the breach. If no alert is raised and the customer later notices fraudulent charges, the breach has already progressed too far, and the response becomes largely reactive.’
Data breaches happen. If you suspect that your data has been breached, Li says there are a few ways to tell:
Data breaches aren’t just inconvenient – they can cause genuine pain and large-scale problems for individuals affected. If your information gets leaked, it is certainly possible to sue a company for a data breach – as seen in current class action suits against Qantas and Optus. And, while the potential for compensation is a small slice of justice for anyone affected, Li says that, however data breaches happen, lawsuits can be a mechanism for change.
‘Legal action plays an important role because it reinforces that data protection is not only a technical matter, but also a legal and ethical responsibility,’ he says. ‘When courts allow these cases to proceed, it sends a clear signal to organisations that failing to safeguard personal information can result in civil liability, not only reputational damage. This, in turn, encourages stronger governance, investment in security, and accountability at senior management and board levels.’
Li says that the remedies go further than lawsuits, too.
‘Legal action, regulatory enforcement, and public transparency work together to push organisations toward treating data protection as a core responsibility rather than an afterthought,’ he says.
Sharing data online has become a fact of life. Whether we’re buying groceries delivered to our door, doing our taxes or booking a family holiday, our personal data gets shared and stored.
While most of us have no control over organisational databases or cybersecurity processes, there are a few things we can all do to protect our data and prevent the worst effects of data breaches when they happen.
‘For individuals, the good news is that you do not need deep technical expertise to significantly lower your risk,’ says Li. ‘Simple habits make a real difference.’
The reality is that data breaches happen. But, with some extra care online and good behaviours, it’s certainly possible to protect yourself and your data.
Faculty of Science Engineering and Built Environment, School of Information Technology
Deakin Cyber Research and Innovation Centre
Read profile
