Australians appear to have developed an increasingly cavalier attitude to cyber safety after a string of high-profile data breaches, with a new survey finding only half (52%) have immediately taken, or would take, the recommended actions to keep themselves safe after a breach.

A national survey of 1,000 Australians conducted for law firm Herbert Smith Freehills Kramer (HSF Kramer) found a sense of acceptance or resignation is also setting in, with almost half (43%) of all people saying that while they’re worried about breaches, they accept the chance of their personal data falling into the wrong hands as a ‘risk of modern life’.

One in ten (8%) went even further and said they felt fatigued or resigned because breaches seem ‘unavoidable’.

With the majority of Australians (55%) experiencing at least one data breach over the last year, Cameron Whittfield, partner and APAC Cyber Security Head at HSF Kramer, said the findings should raise concerns for both business and government alike, particularly in the way breach response is managed.

“It seems many Australians now feel that a data breach is a foregone conclusion and that there’s nothing they can do about it,” he said. 

"This approach is fundamentally misguided: it's like knowing someone has taken your keys and making no effort to change locks. Digital crime is not going anywhere, and it requires a collective effort to combat." 

Generational divide means one-size-fits-all approach no longer enough

The survey also found a significant generational divide in approaches to data safety, with just 36% of people aged 18-24 immediately taking the remedial steps recommended after a breach, compared to almost two-thirds (63%) of respondents aged 65 and above.

Younger (digitally native) Australians were more likely to feel that their data was ‘already out there’ or are otherwise complacent about the risks, believing that any remedial action they take following a breach wouldn’t make a difference (17%), compared to just 3% of those aged 65 and above who felt similar.

Whittfield, whose team advises companies impacted by cyber incidents, said the results are an important reminder that organisations and their advisers cannot get complacent. 

"The generational divide makes it clear a ‘one-size-fits-all' approach just won’t cut it anymore. If a large proportion of Australians are unlikely to exercise recommended precautions, we may need to change our support model and offer more tailored support," he said.

Noting it's also common for technology providers to exclude responsibility for the security of their services, pushing it down the supply chain, Whittfield said the industry must also change its attitudes about who is responsible for keeping people secure after a breach.

"We need to ensure responsibility is best allocated to those most equipped or motivated to manage the risk - and this will often not be the consumer," he said. 

Australians split on ransom payments to keep data safe

The survey also found Australians are split on whether organisations should pay ransom demands following a data extortion attack: a small majority (52%) believe ransoms should never be paid, while one in 10 (9%) believe a ransom should always be paid in order to keep data safe. A further 39% are on the fence, believing the decision to pay should depend on the data accessed.

Whittfield said the split opinion shows that payment of an extortion demand may not have the reputational harm we once thought. Based on experience, Whittfield believes many consumers will likely ask why an extortion demand has not been paid.

“In some respect, the general understanding of ransom demands comes from Hollywood fantasy or high-profile kidnapping. But in the cyber context, a payment for a data breach is typically for a promise not to release stolen data. This commitment is inherently unreliable. When an attacker has your data, there’s no guarantee they won’t keep a copy after receiving payment; in fact, they usually do,” Whittfield explained.

“There have also been cases of cyber criminals reneging on their promise, and leaking stolen data after receiving payment or putting the information up for sale on the dark web. Companies paying ransoms are placing their trust in criminals."

Whittfield said it's important to distinguish between incidents that are simply about data theft, and those that impact on the operation of a business, as this is an important factor in making a payment decision.

"The potential for an attack to impact or cripple our critical infrastructure is our worst nightmare,” he said.

The Australian Government advises organisations against paying ransoms, and in 2025 introduced mandatory reporting on cyber ransom payments. However, Whittfield believes the survey results may create a growing pressure point for organisations, particularly when not paying a ransom demand may cause material harm to an individual or create an operational incident with impacts on both individuals and the wider economy.

"With almost half of consumers believing a payment should at least be considered as something that could protect them, organisations may face questions no matter what they decide," he said.

“On the one hand, paying a ransom may help a company avoid a catastrophic operational impact, but on the other, paying a ransom sustains an attacker's business model, rewards criminal behaviour, and creates the incentive to do it again.”

Urgent rethink needed on support for victims

With thinking on ransom payments mixed, Whittfield said a key issue is organisations have only a handful of tools at their disposal to keep affected individuals safe once data has been compromised.

An organisation can pursue an injunction through the courts, which aims to stop third parties from accessing and disseminating the stolen records. The other tools available, including referring people to support services such as IDCARE, providing credit monitoring services, or providing document repeat services. These rely on affected individuals taking action to make use of the suggested services.

However, with the survey finding young Australians aren't taking these recommended actions and putting themselves further at risk, Whittfield said the cyber community may be coming to a crossroads.

"Effective support that meets consumer needs will require a combination of organisational support mechanisms and third-party assistance services, as well as a level of personal accountability," he said.

"Australians should be able to trust that the organisations they give their data to will keep it safe. As well as focusing on preventing data breaches, as a community we need to think about better tools to support the ultimate victims of breaches, which don't rely on the individual to call upon the support.”

Key national insights at a glance

  • More than half (55%) of Australians have been notified of a data breach at least once in the past 12 months
  • 52% immediately took all the actions a company advised after a data breach, while 16% took only the steps they felt were necessary and ignored advice they thought wasn’t needed. Almost a quarter (22%) took no action at all
  • 43% are very concerned about data breaches and feel they need to be constantly vigilant, while 43% are worried but accept the risk of breaches as a risk of modern life
  • Just 6% are not worried about breaches because they trust that organisations are protecting their data
  • 9% think ransoms should always be paid, 39% think the decision to pay should depend on the data accessed, and 52% believe ransoms should never be paid.
  • Australians want organisations to prioritise providing clear, practical instructions on what they should do (56%), notifying affected individuals quickly (54%), and improving security practices and reducing unnecessary data collection (50%) following a breach

The survey, undertaken for HSF Kramer by SenateSHJ, can be accessed below.

Download the survey

Key contacts


Media contact

For further information on this news article, please contact:

Gina Baldassarre

External Communications Manager

Sydney

Stay in the know

Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead

Subscribe now
Australia Brisbane Melbourne Perth Sydney Cyber risk advisory Cyber Security Cameron Whittfield