Survey finds Australians suffering cyber breach fatigue

A survey commissioned by law firm Herbert Smith Freehills Kramer suggests Australians are experiencing cyber security fatigue. Many report taking limited action after being told their data has been exposed, while a significant share see breaches as an unavoidable part of modern life.

The poll of 1,000 people found 52% said they have taken, or would take, all recommended steps immediately after a breach notification. Nearly a quarter (22%) said they would take no action. Another 16% said they would take only the steps they considered necessary and ignore advice they did not see as needed.

More than half of respondents (55%) said they had been notified of a data breach at least once in the past 12 months. Attitudes also appeared to be shifting towards resignation: 43% said they were worried about breaches but accepted the chance of their personal data falling into the wrong hands as a "risk of modern life".

Another 43% said they were very concerned about data breaches and felt they needed to remain constantly vigilant. Only 6% said they were not worried because they trusted organisations to protect their data.

Cameron Whittfield, APAC cyber security head at Herbert Smith Freehills Kramer, said the findings raised issues for both business and government, particularly around breach response and how affected people are supported.

"It seems many Australians now feel that a data breach is a foregone conclusion and that there's nothing they can do about it," Whittfield said.

"This approach is fundamentally misguided: it's like knowing someone has taken your keys and making no effort to change locks. Digital crime is not going anywhere, and it requires a collective effort to combat."

Generational gap

The research pointed to a pronounced age divide in responses to breach notifications. Among those aged 18 to 24, 36% said they would immediately take all recommended steps after a breach, compared with 63% of people aged 65 and above.

Views on whether post-breach action makes a difference also varied by age. Some younger respondents said their data was "already out there" or that remedial steps would not matter. The survey found 17% of 18 to 24-year-olds held that view, compared with 3% of those aged 65 and above.

Whittfield said the gap meant organisations needed to think carefully about how they communicate with different groups and how they structure post-incident support.

"The generational divide makes it clear a 'one-size-fits-all' approach just won't cut it anymore. If a large proportion of Australians are unlikely to take recommended precautions, we may need to change our support model and offer more tailored support," he said.

Whittfield also raised questions about accountability across technology providers, suppliers, and consumer-facing organisations after a breach.

"We need to ensure responsibility is best allocated to those most equipped or motivated to manage the risk - and this will often not be the consumer," he said.

Ransom debate

Australians were divided on whether organisations should pay ransoms after data extortion incidents. A small majority (52%) said ransoms should never be paid. About 9% said a ransom should always be paid, while 39% said it depended on what data had been accessed.

Whittfield said consumers may ask why a ransom demand was not paid in some cases. He also drew a distinction between incidents involving data theft and those that affect business operations, including services that underpin critical infrastructure.

"The potential for an attack to impact or cripple our critical infrastructure is our worst nightmare," he said.

Whittfield said paying an extortion demand carried its own risks because criminal groups can keep copies of stolen data and may still release it after payment. "There have also been cases of cyber criminals reneging on their promise and leaking stolen data after receiving payment, or putting the information up for sale on the dark web. Companies paying ransoms are placing their trust in criminals," he said.

Australia's federal government advises organisations against paying ransoms. Mandatory reporting of cyber ransom payments was introduced in 2025.

After-breach support

The survey also asked what Australians wanted organisations to prioritise after a breach. Clear, practical instructions on what to do topped the list (56%), followed by quick notification (54%). Improving security practices and reducing unnecessary data collection was cited by 50%.

Whittfield said organisations had limited options once data had been compromised. These include seeking injunctions to restrict access to stolen data, and referrals to support services such as IDCARE, credit monitoring, and document replacement. However, he noted many measures depend on individuals taking action - something the survey suggests does not consistently happen.

"Effective support that meets consumer needs will require a combination of organisational support mechanisms and third-party assistance services, as well as a level of personal accountability," he said.

"Australians should be able to trust that the organisations they give their data to will keep it safe. As well as focusing on preventing data breaches, as a community we need to think about better tools to support the ultimate victims of breaches, which don't rely on the individual to call upon the support," he said.