News | International
20 Nov 2025 18:56
NZCity News

    FOI data shows Australian mining and manufacturing sectors take months to detect cyber breaches


    Australia's mining and manufacturing sectors are taking up to two years to notice and report cyber breaches to authorities, prompting concerns about the cybersecurity of industries critical to the nation's economy.

    New figures obtained under Freedom of Information (FOI) laws show 187 data breaches across the two sectors have exposed the personal information of up to 3.6 million people since 2018.

    However, the data has been de-identified, making it impossible to know which companies have reported breaches.

    The analysis, compiled by industrial cybersecurity firm Secolve, shows some companies took more than a year to detect a breach and almost two years to alert the Office of the Australian Information Commissioner (OAIC).

    The OAIC's notifiable data-breach scheme covers incidents involving personal information, but there is no fixed deadline for reporting.

    Instead, there is only an obligation to do so "as soon as practicable".

    The FOI data shows one operator failed to detect an intrusion for 520 days, then waited another 84 days before notifying authorities.

    Mining and manufacturing companies that detected breaches were also slow to come clean to the regulator, taking on average an extra 39 days to report incidents once detected.

    Seven data breaches took more than a year to be identified and reported to the OAIC.

    In other cases, businesses detected a breach on the same day it occurred but waited 30, 100 or even 300 days before informing the regulator.

    Delays increase the harm

    Macquarie University Cyber Security Hub executive director Dali Kaafar said the FOI data highlighted a "critical weakness" in Australia's data-breach regime.

    "The real takeaway here is how long it's taking some operators to detect and report breaches. That delay is not just procedural, but it increases the harm," Professor Kaafar said.

    "The longer a breach goes undetected, the more time attackers have to harvest credentials, exfiltrate data or deploy ransomware.

    "It also drives up recovery costs once the incident is discovered."

    He said the wording of Australia's data-breach notification laws was too vague, leaving companies room to interpret when they must disclose incidents.

    "Reporting 'as soon as practicable' is open to interpretation," Professor Kaafar said.

    He said the data also raised questions about whether some companies were under-reporting cyber incidents.

    "Under-reporting is always possible," Professor Kaafar said.

    "The number of late reports suggests some organisations may be sitting on breaches while they decide whether they're serious enough to disclose."

    He said clearer and stricter reporting thresholds and timeframes were needed to close the gap.

    "We need explicit deadlines for breach reporting, not just open-ended requirements," Professor Kaafar said.

    "Even if an investigation is ongoing, the initial breach should be reported immediately."

    Financial information among most exposed

    Although miners and manufacturers do not typically deal directly with consumers, they hold large volumes of employee and contractor data.

    More than half of reported breaches (53 per cent) exposed financial information, and 40 per cent included tax file numbers.

    Nearly nine in 10 involved contact details such as home addresses, email addresses or phone numbers.

    Professor Kaafar said the data also raised questions about whether some companies were holding onto more personal information than necessary.

    "Organisations should be reducing their sensitive data footprint," he said.

    "They shouldn't be storing financial information or other personal data they don't actually need."

    Ransomware dominates

    More than nine in 10 breaches in the mining and manufacturing sectors were the result of malicious or criminal attacks — far higher than the national average of 69 per cent across all industries, OAIC data shows.

    Ransomware accounted for more than a quarter of breaches, followed by phishing.

    A ransomware breach is a type of cyber attack in which criminals use malicious software (ransomware) to lock, encrypt, or steal a company's data and then demand payment (a ransom) to restore access or prevent the data from being released publicly.

    Breaches caused by malware took an average of 146 days to identify, compared with just 2.5 days for "brute-force" credential attacks.

    A "brute-force" attack is when an attacker tries to gain access to an account or system by repeatedly guessing usernames and passwords until they get one right.

    'Quite confronting' delays

    Secolve security architect Rhiana Cooke said it was "quite confronting" to see how long hackers were going undetected inside industrial systems.

    "They [the hackers] are coming from all over — we see geopolitical groups, we see opportunistic hackers," she said.

    "There's a lot of money to be made from the mining sector."

    She said attacks on miners spiked during the initial stages of the Russia-Ukraine war.

    "When sanctions were placed on Russia, Australia became the largest supplier of those materials," she said.

    "We saw a surge in hackers targeting Australian miners — they were trying to impact that supply."

    Ms Cooke said the biggest blind spot remained cyber attacks on operational technology — the systems that powered trucks, robots and fuel-monitoring equipment.

    "There is a big gap in cyber attacks on operational technology, which is not compulsory to report, unless it involves personal data," she said.

    "Critical-infrastructure operators must notify the Department of Home Affairs and the Australian Cyber Security Centre within 12 to 72 hours, but that rule doesn't apply to most miners and manufacturers."

    In Norway earlier this year, a dam was remotely hacked and opened. Ms Cooke said the implications of similar attacks in Australia were "quite scary".

    "When those attacks happen, if they are reported, it benefits everyone — because it helps identify where systems are most vulnerable," she said.

    In a statement, peak mining body Minerals Council of Australia said its member companies responded "in a timely manner to all legal and regulatory requirements, including in relation to critical data breaches".

    OAIC launches new dashboard

    This month, the OAIC launched a new dashboard tracking notifiable data breaches across the five most affected sectors: government, education, finance, health, and legal and accounting. The dashboard does not include specific data for the mining and manufacturing sectors.

    It shows 532 breaches were reported in the first half of 2025, down 10 per cent on the previous six months.

    Malicious or criminal attacks made up the bulk (59 per cent), with the health sector again the hardest hit, accounting for nearly one in five breaches.

    Twenty-three per cent of breaches took longer than 30 days to be reported.

    Ms Cooke said there should be greater transparency about reported data breaches.

    "We need more real-time information sharing across industries," she said.

    "It's the only way to stay ahead of the threat."

    The federal government is currently reviewing data-breach reporting rules as part of its 2023–2030 Australian Cyber Security Strategy.

    © 2025 ABC Australian Broadcasting Corporation. All rights reserved
