SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Australia faces most API breaches as costs remain lower than peers

Yesterday

A recent study from Akamai Technologies has found that API security incidents are imposing significant financial and operational burdens on enterprises in the Asia-Pacific region, with Australia experiencing the highest frequency of such incidents.

The 2025 API Security Impact Study surveyed more than 800 IT and security professionals across Australia, China, India, and Japan, analysing the vulnerabilities, costs, and organisational challenges resulting from insecure application programming interfaces (APIs).

According to the report, Australian organisations have faced an average estimated cost of AUD $493,367 (USD $309,893) from API incidents over the past year. This was the lowest financial impact among the countries surveyed, with China registering the highest at USD $780,236, followed by India at USD $708,617, and Japan at USD $537,127. Despite having the lowest costs, Australia reported the highest rate of regular API security incidents, with 95% of organisations experiencing such events. This was notably higher than in China (83%), India (82%), and Japan (80%).

The findings indicate that although API incidents are common in Australia, securing APIs was not viewed as a top cybersecurity priority. Among Australian respondents, "securing endpoints" (26%), "managing and securing developer secrets" (24%), and "SIEM" (24%) were ranked higher, while "securing APIs from threat actors" tied with "data loss prevention" at fourth priority, both at approximately 21%.

Reuben Koh, Director of Security Technology & Strategy, Akamai Technologies, Asia-Pacific & Japan, addressed the challenges highlighted by the study. "APIs have become mission-critical, powering everything from mobile banking to connected vehicles. But our research shows that organisations across Asia-Pacific are struggling to secure them," said Koh. "It is crucial for organisations to reach a consensus on the root cause, impact, and priority levels of API security incidents so that they can implement holistic security strategies to protect critical APIs from development to runtime."

The study found that in Australia, the most common causes of API security incidents were "API misconfigurations" and failures in API gateways, each cited by 23% of respondents. Other reasons included "authorisation vulnerabilities", "vulnerability due to API coding errors", and "API had unintended exposure to the internet", each at around 21%.

Although 81% of Australian respondents claimed their organisation had a full inventory of APIs, only 30% stated they knew which APIs returned sensitive data. This represents the lowest rate among countries surveyed. Only one company in Australia reported lacking an API inventory entirely.

Financial loss was seen as the second largest impact of API incidents in Australia, cited by 32% of respondents, following damage to departmental reputation with senior leadership or the board (33%). Fines from regulators emerged as the top cited impact among senior security professionals as well as organisations operating in insurance, energy/utilities, and manufacturing.

When it came to detecting API vulnerabilities, only 6% of Australian organisations reported conducting real-time API testing, the lowest rate among the surveyed countries. The majority tested daily (34%) or weekly (35%), and no respondents from the financial services, healthcare, or manufacturing sectors reported conducting real-time tests.

Across the wider Asia-Pacific region, the study reported that 85% of organisations had experienced at least one API security incident in the previous year, with the average cost of such incidents amounting to USD $580,000. The report also found a significant gap between organisational awareness and operational visibility, with 92% of senior executives acknowledging API incidents, yet only 37% of total respondents indicating that they knew which APIs disclosed sensitive data.

Country-specific trends showed that in China, securing APIs ranked as the top cybersecurity priority, although perceptions of costs varied between C-suite and frontline staff. In India, discrepancies between C-suite leaders and AppSec professionals were found, especially regarding full API inventories and awareness of sensitive data flow. Japanese organisations placed API security fourth in their cybersecurity priorities, even while high rates of API incidents were reported in sectors such as energy and retail.

The study also highlighted inconsistencies in API vulnerability testing, with only small proportions of organisations across countries performing real-time assessments: China (22%), India (15%), Japan (11%), and Australia (6%).

Koh noted the implications of this gap between risk and response, saying, "The problem is no longer theoretical. API abuse is happening right now, with real financial and reputational costs. Leadership teams must close the gap with security and AppSec professionals working closer together and invest in the right tools, processes, and alignment to protect this critical technology."

The research underlined that only 41% of organisations in the region incorporate APIs into risk assessments, and a similar percentage include them in compliance reporting. Japan lagged behind, with 22% of companies reporting that API security was not factored into compliance efforts.

The report points to increasing regulatory focus on API risks, citing legislation such as China's Data Security Law and Australia's Consumer Data Right regulation, and offers recommendations for effective API security management. These include maintaining a complete API inventory, ensuring APIs are tested for correct coding, implementing real-time runtime detection, and enhancing alignment between leadership and technical teams.
