The Albanese government’s crackdown on corporates that “fail to take adequate care of customer data” has intensified, with a legislated rise in penalties easily clearing parliament in the wake of successive ransomware attacks that largely failed to encrypt corporate data.

Businesses will soon be on the hook for up to $50 million, or “30% of a company’s adjusted turnover in the relevant period”, under the big data crackdown, despite Treasury still backing the Consumer Data Right, whose proponents largely rely on insecure screen scrapers.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 raises the maximum penalty for serious or repeated privacy breaches from the current $2.22 million, a figure the government has criticised as an ineffective deterrent.

“The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws. Companies must do better to prevent breaches from happening,” attorney-general Mark Dreyfus said in a statement.

“The higher penalties and new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department which is now being finalised.”

The crackdown follows the naming and shaming of the allegedly Russia-based REvil ransomware crew for the Medibank Private hack, which has been leaking client data onto the dark web for weeks.

Usually, cyber extortion shakedowns work by crippling corporate systems, encrypting both their primary data and the data on their backups. The current rash of attacks on Australian systems has exfiltrated customer data but does not appear to have been able to hobble enterprise systems.

Australian authorities have also gone to the extent of naming and shaming the current extortionists as working out of Russia, a move as good as informal attribution.

“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business,” Dreyfus said.

