Data Brokers in Australia and New Zealand: What They Hold, What the Law Allows, and How to Get Out

Australia has experienced some of the largest data breaches in the world. Optus, 2022: 9.8 million records. Medibank, 2022: 9.7 million records — including the most sensitive health data imaginable. Latitude Financial, 2023: 14 million records, the largest breach in Australian history. MediSecure, 2024: 12.9 million prescription records from a company that had already lost its government contract. These are not edge cases. They are the defining events of a digital society that collects more personal data than it knows how to protect.

But alongside the breaches, there is a quieter crisis. Data brokers — companies that legally collect, aggregate, and sell personal information about you — operate mostly invisibly and with minimal regulatory obligation to stop. In Europe, the GDPR gives you the right to be forgotten. In California, data brokers must register publicly and honour deletion requests. In Australia and New Zealand, the law is catching up. Slowly. This article covers where it stands today, who the biggest brokers are, what they hold, and how to fight back.

What Is a Data Broker?

A data broker is a company that collects personal information — from public records, loyalty programmes, social media, purchase histories, property transactions, electoral rolls, and other brokers — combines it, and sells it to third parties. Their customers include advertisers, insurers, banks, employers, private investigators, and governments.

Unlike a company you have a direct relationship with, data brokers typically have no relationship with you at all. You did not sign up with them. You cannot easily find out what they hold. And in Australia, they have very limited legal obligations to remove your data if you ask.

Data held by brokers typically includes:

  • Full name, date of birth, gender
  • Current and historical home addresses
  • Phone numbers and email addresses
  • Property ownership and purchase history
  • Estimated income and wealth segments
  • Vehicle registrations
  • Purchasing behaviour and loyalty card data
  • Credit history and financial behaviour
  • Online browsing and ad engagement data
  • Inferred attributes: political leaning, health status, religious affiliation, relationship status

In aggregate, a well-resourced broker can build a profile of you more detailed than your own records — without you ever knowing it exists.

Australia: The Privacy Act 1988

Australia's primary privacy law is the Privacy Act 1988, administered by the Office of the Australian Information Commissioner (OAIC). The Act sets out 13 Australian Privacy Principles (APPs) that govern how covered organisations and agencies ("APP entities") must handle personal information.

The APPs require covered organisations to:

  • Be transparent about what data they collect and why (APP 1, 5)
  • Only collect information that is reasonably necessary (APP 3)
  • Use data only for the purpose it was collected (APP 6)
  • Allow individuals to access and correct their data (APP 12, 13)
  • Protect data from misuse and unauthorised access (APP 11)
  • Provide opt-out for direct marketing (APP 7)

What the APPs do not give you: a right to have your data deleted on request, mandatory consent for most types of collection, or registration as a data broker. APP 11.2 does oblige an organisation to destroy or de-identify personal information it no longer needs for any permitted purpose, but that is a duty policed by the OAIC, not a right you can exercise yourself.

There is also a critical gap in who the Act covers. Private-sector organisations with an annual turnover of $3 million AUD or less are exempt as "small business operators" unless they fall into a listed exception: health service providers, Commonwealth contractors, and any business that trades in personal information (collects or discloses it for a benefit, service or advantage). On paper, a small outfit whose business is selling personal data is therefore covered; in practice, whether a given lead generation company or people-search site falls inside that exception is rarely tested, and enforcement against them has been minimal. The Privacy Act Review proposed removing the exemption altogether.

The Notifiable Data Breaches Scheme

Since February 2018, organisations covered by the Privacy Act have been required to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. The current deadline is "as soon as practicable", with up to 30 days allowed to assess whether a suspected breach is notifiable. Between 2018 and 2024, approximately 900 to 1,100 notifications were filed with the OAIC each financial year, predominantly from the health and finance sectors. Proposed reforms would tighten this to a 72-hour notification window for eligible breaches, bringing Australia closer to GDPR's standard.

The 2022 Penalty Increase

Following the Optus and Medibank breaches, the Australian Government passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, increasing the maximum civil penalty for serious or repeated privacy breaches from $2.2 million to the greater of:

  • $50 million AUD,
  • 3× the value of benefit obtained from the breach, or
  • 30% of the entity's adjusted turnover during the breach period.

This brought Australian penalties closer in spirit to GDPR's 4% of global turnover model — though enforcement is still developing.

Privacy Act Review 2023 — What Is Changing

The Privacy Act Review Report (February 2023) made 116 proposals. In its September 2023 response, the Government agreed to 38 of them outright and to a further 68 "in principle". Key reforms in progress:

  • Right to erasure — agreed in principle; Australians would be able to request deletion of their data in many circumstances
  • Right to opt out of targeted advertising
  • Children's Privacy Code — passed in the Privacy and Other Legislation Amendment Act 2024
  • Data broker regulation — proposals to require brokers to register, disclose data holdings, and provide opt-out mechanisms
  • Removal of the $3M small business exemption — under active consideration
  • Tort of serious invasion of privacy — passed in the 2024 Act, allowing individuals to sue for serious breaches
  • 72-hour breach notification deadline — proposed to replace the current open-ended timeline
  • Automated decision-making transparency — included in the 2024 Act: organisations that use computer programs to make decisions that significantly affect individuals must disclose this in their privacy policy, with the obligation commencing after a two-year transition period

Much of this reform is still working through Parliament. The Privacy and Other Legislation Amendment Act 2024 delivered a first tranche (the statutory tort, the Children's Online Privacy Code, automated decision-making transparency and new civil penalty tiers); the right to erasure, the data broker measures and the small business exemption are all waiting on a second tranche. The law is changing, but it has not yet caught up to what data brokers are doing today.

New Zealand: The Privacy Act 2020

New Zealand replaced its Privacy Act 1993 with the Privacy Act 2020, in force since 1 December 2020. It is a more modern framework with some important advantages over its Australian counterpart.

Key features:

  • No turnover threshold — applies to all agencies, from multinationals to sole traders. No data handler escapes coverage on the basis of size.
  • Mandatory breach notification — introduced for the first time in 2020, requiring notification to the Privacy Commissioner for breaches likely to cause serious harm.
  • Privacy Officer requirement — every agency must designate a named Privacy Officer responsible for compliance.
  • 13 Information Privacy Principles (IPPs) — broadly parallel to Australia's APPs.

Key gaps: no right to erasure, no data broker registration, and maximum fines of only $10,000 NZD for offences under the Act, far lower than Australia's post-2022 penalties and a fraction of GDPR's scale. Enforcement runs through complaints to the Privacy Commissioner and, if unresolved, proceedings in the Human Rights Review Tribunal, which can award damages.

How Australia and New Zealand Compare to Europe and the US

Protection | EU (GDPR) | US California (CCPA/CPRA) | Australia | New Zealand
Right to erasure | Yes | Yes | Proposed | No
Right to data portability | Yes | Yes | Proposed | No
Opt out of data sale | Yes (right to object) | Yes | Proposed | No
Data broker registration required | Some member states | Yes (California) | Proposed | No
Explicit consent required | Consent or another lawful basis | Partial | Mostly no | Mostly no
Coverage threshold | None | Revenue >$25M or >100K consumers/households | Turnover >$3M AUD (with exceptions) | None
Max penalty | 4% global turnover or €20M | $2,500 per violation, $7,500 if intentional | $50M AUD, 3× benefit or 30% turnover | $10,000 NZD
Mandatory Privacy Officer | DPO in defined cases | No | Proposed | Yes

The bottom line: Australian and New Zealand consumers have significantly fewer legal protections than their European counterparts. The right to know what a company holds about you exists — but the right to have it deleted does not yet. And data brokers are under no obligation to tell you they exist, let alone what they know.

The Invisible Crisis: Cybercrime Under-Reporting in Australia

The Australian Signals Directorate (ASD) received approximately 87,400 cybercrime reports via its ReportCyber platform in the 2023-24 financial year — a cybercrime report every six minutes. Total self-reported financial losses exceeded $3.1 billion. The ACCC's National Anti-Scam Centre estimated Australians lost $2.74 billion to scams alone in 2023.

These numbers are already alarming. The actual figures are likely far higher.

The ASD and the Australian Institute of Criminology consistently estimate that only 1 in 5 to 1 in 10 cybercrime incidents are formally reported. Victims do not report for predictable reasons: embarrassment, belief that nothing will be done, confusion about where to report (ReportCyber? Scamwatch? The police? The bank?), and the perception that small losses are not worth the effort. For businesses, the calculus is different but the outcome is similar — companies pay ransomware demands quietly, manage breaches internally to protect share price, and avoid mandatory notification thresholds where possible.

The result is a national cybercrime picture that is systematically under-counted. The gap between what gets reported and what actually happens is one of the biggest structural problems in Australian digital security — and it means that policy responses, resource allocation, and public awareness are all calibrated against a number that is far lower than reality.

New Zealand faces the same challenge. The NZ National Cyber Security Centre receives significantly fewer reports per capita, partly reflecting population size and partly the same reporting reluctance. Both countries operate fragmented reporting systems — multiple agencies accept reports, each counting incidents differently — which makes true national statistics impossible to establish.

Five Years of Major Australian Data Breaches (2020–2024)

Year | Organisation | Records | Data Type | Notable Detail
2022 | Optus | 9.8 million | Names, DOB, address, phone, passport/licence numbers | Unauthenticated API endpoint. OAIC civil penalty proceedings filed against Optus.
2022 | Medibank Private | 9.7 million | Health claims data, including HIV, mental health, addiction treatment and termination records | Russian ransomware group. No ransom paid. Victims targeted individually by name. Perpetrator sanctioned by the AU, UK and US governments.
2022 | MyDeal (Woolworths subsidiary) | 2.2 million | Email addresses, personal info | Compromised credentials.
2023 | Latitude Financial | 14 million | Driver's licences (7.9M), passport numbers (53K), financial statements, DOB, addresses | Largest AU/NZ breach by volume. Attacker used employee credentials stolen from a third-party vendor. No ransom paid.
2023 | HWL Ebsworth (law firm) | 4 TB of data | Legal files for 65 government agencies including AFP, RBA, ASIC and state governments | ALPHV/BlackCat ransomware. Significant national security implications given government contract exposure.
2023 | Dymocks Booksellers | 836,000 | Customer personal information | Data offered for sale on dark web forums.
2023 | Pizza Hut Australia | 193,000 | Order history, personal information | Ransomware attack.
2024 | MediSecure | 12.9 million | Prescription records: medications, doses, prescribing doctors, Medicare numbers | Former e-prescribing provider, in administration. Government funded partial notification. Data offered for sale (~6.5 GB). Classic "data landfill": held long after the contract ended.
2024 | Nissan Oceania (AU/NZ) | ~100,000 | Personal and some financial data | Ransomware group Akira claimed responsibility.

The MediSecure breach illustrates a structural problem specific to the data broker and data handler world: the company held 12.9 million prescription records long after losing its government contract. This is the data landfill problem: data collected for a specific purpose and then retained indefinitely. APP 11.2 notionally requires a covered entity to destroy or de-identify information it no longer needs, but there is no individual right to demand that, no retention limit in the Act, and little enforcement, so the obligation is easy to ignore. When a breach occurs, years of accumulated data become a liability for millions of people who had no idea it still existed. Australia's proposed right to erasure would begin to address this, but it is not yet law.

The 25 Biggest Data Brokers Holding Australian and New Zealand Data

Below are the major data brokers with significant AU/NZ data holdings. Where opt-out links are available, they are listed — but note that for most of these brokers, opt-outs are voluntary and not legally mandated under current Australian or New Zealand law. Processing may take weeks, compliance is not guaranteed, and data often re-enters their systems through other channels.

Credit Reporting Bodies (regulated under Privacy Act, Part IIIA)

  1. Equifax Australia (formerly Veda Advantage) — Australia's dominant credit bureau; holds credit history on virtually every adult who has applied for credit. Also operates identity verification, fraud prevention, and marketing list products.
    Access/opt-out: equifax.com.au — free credit report (once every three months under the Privacy (Credit Reporting) Code) and a dispute process under the Privacy Act.
  2. illion (formerly Dun & Bradstreet Australia and New Zealand; acquired by Experian in 2024) — credit files, commercial data, property data, identity verification. Significant presence in both AU and NZ.
    Consumer access: illion.com.au/consumer / illion.co.nz
  3. Experian Australia — credit reporting, fraud detection, identity verification, marketing data enrichment. Free annual credit report available.
    Consumer access: experian.com.au/consumer

Global Data Brokers with AU/NZ Operations

  1. Acxiom / LiveRamp — one of the world's largest data brokers; holds marketing profile data on billions globally, including Australians. Primary use: advertising audience segmentation and targeting.
    Opt-out: isapps.acxiom.com/optout (US-focused; AU-specific pathway limited) / liveramp.com/privacy
  2. LexisNexis Risk Solutions — identity verification, fraud prevention, due diligence, public records aggregation. Supplies AU financial institutions and government agencies for KYC and AML compliance. Primarily B2B; limited direct consumer opt-out.
  3. TransUnion — credit intelligence, fraud analytics, risk identity. Growing AU presence, particularly in identity verification and financial risk products.
    Consumer access: transunion.com/consumer-privacy
  4. Dun & Bradstreet — B2B commercial credit and business intelligence; holds data on Australian businesses and their directors and officers.
    Privacy opt-out: dnb.com privacy opt-out (primarily US-oriented)
  5. Nielsen — audience measurement (Australian TV via OzTAM, digital audiences), consumer purchase panels. Holds detailed media consumption and purchase behaviour on panel participants.
    Consumer panels managed through explicit enrolment; opt-out via panel membership settings.
  6. Circana (formerly IRI) — retail and consumer purchase analytics; aggregates loyalty card purchase data from major AU retailers for FMCG brand analysis. Primarily B2B; data sourced through retailer partnerships.
  7. Melissa Data — address verification, consumer data enrichment, phone and email validation; holds and processes AU/NZ address records for commercial clients.
    Opt-out: melissa.com/privacy

Australia-Specific Data Companies

  1. Quantium — Australian data analytics firm majority-owned (75%) by Woolworths. Holds Woolworths Everyday Rewards transaction data on millions of households — granular, item-level purchase history used to build audience segments sold to brands, government agencies, and health industry clients.
    Consumer control: via Woolworths Everyday Rewards account settings. No direct consumer-facing opt-out page from Quantium itself.
  2. Roy Morgan Research — Australia's largest independent research and polling firm. Maintains detailed consumer survey databases covering demographics, psychographics, political views, media consumption, and financial behaviour for hundreds of thousands of Australians. Developed the Helix Personas segmentation system — 56 lifestyle types covering all Australian households.
    Primarily B2B; limited consumer opt-out pathway.
  3. CoreLogic Australia / CoreLogic NZ — property data provider holding records on virtually every property transaction, valuation, and ownership in Australia and New Zealand. Used by banks, insurers, real estate agencies, and government. Not consumer-facing; data flows through institutional customers.
  4. Nearmap — high-resolution aerial imagery of AU/NZ properties, updated multiple times per year. Captures property condition, roof types, solar installations, and vehicles. Used by insurers, construction, government, and property industry clients.
  5. Qantas Frequent Flyer — holds travel, spending, and lifestyle data on approximately 15 million members. Operates a data monetisation business selling audience activation insights to brands through its loyalty ecosystem.
    Consumer control: via Qantas Frequent Flyer account settings and data access requests.
  6. Coles Group / flybuys — the flybuys loyalty programme, jointly owned by Coles and Wesfarmers, holds detailed grocery, fuel, and retail purchase data on millions of Australian households. Data is used for commercial analytics and advertising targeting.
    Consumer control: via flybuys account settings and Privacy Act data access requests.

People-Search Sites Operating in Australia and New Zealand

These sites aggregate publicly available records — electoral rolls (where legally accessible), phone directories, social media, and court records — to create searchable profiles on private individuals. Their legal position under the Australian Privacy Act is contested but enforcement has been limited.

  1. WhitePages Australia — the online White Pages directory; name, phone, and address searchable. Australians can request removal via their telco when setting up or porting their number.
    Website: whitepages.com.au
  2. Spokeo — US-based aggregator; Australian individuals findable via name, address, and phone search.
    Opt-out: spokeo.com/optout
  3. BeenVerified — US-based people-search platform; some AU/NZ coverage.
    Opt-out: beenverified.com/faq/opt-out
  4. Intelius — US-based; some AU/NZ individual coverage.
    Opt-out: intelius.com/opt-out
  5. TruthFinder — US-based; limited AU coverage but surfaces in search results for Australian individuals.
    Opt-out: truthfinder.com/opt-out
  6. PeopleFinders — US-based; some international individual coverage.
    Opt-out: peoplefinders.com/manage
  7. MyLife — US-based profile aggregation site that creates "reputation scores." Some Australian individuals findable.
    Opt-out: mylife.com — privacy policy opt-out section
  8. PriceSpy Australia / New Zealand — not a people-search site but a price comparison and lead generation platform; listed here because it holds consumer browsing, product search, and price alert behaviour data across AU and NZ.
    Consumer data handled under their privacy policy: pricespy.com.au
  9. FastPeopleSearch — US-based aggregator with some AU individual coverage; surfaces in searches for Australian names.
    Opt-out: fastpeoplesearch.com/removal

The Full List

The 25 above are the largest and most significant, but they represent only a fraction of the data broker ecosystem. A more comprehensive directory of companies operating in the AU consumer data space is maintained at:

What the Odido Breach Taught Europe — And What It Means for Australia

In March 2026, the ShinyHunters group published the complete Odido dataset — 6.2 million Dutch telco customers — for free download. The breach included IBANs, passport numbers, phone numbers, and account security challenge words. Within days, criminal actors began cross-referencing the data with other European breach databases to build enriched identity profiles suitable for SIM swapping, bank fraud, and identity theft at scale.

The pattern is identical to what Australian breach victims face, and Australia's breaches have been far larger. The 14 million Latitude Financial records alone (not all unique individuals, and some of them New Zealanders) are of the same order as Australia's entire adult population. Combined with Optus and MediSecure, a significant proportion of Australians now have passport numbers, driver's licence numbers, medical records, and phone numbers in active circulation on criminal forums.

Data broker databases accelerate this problem. When breach data is cross-referenced with legally-held broker databases, the resulting profiles are far more complete than either source alone. Your Medibank health data combined with your Equifax credit file, your Latitude passport number, and your Quantium grocery purchase history produces a criminal's complete picture of who you are, what you're worth, and how to impersonate you — assembled entirely from data held about you without your meaningful knowledge or consent.

What You Can Do Now

  1. Request your credit file from all three bureaus. Equifax, illion, and Experian are each required under the Privacy (Credit Reporting) Code to give you a free copy of your credit report once every three months. Review it for accounts or credit enquiries you do not recognise; these may indicate identity fraud already in progress. If you believe you are already a fraud victim, you can also ask each bureau to place a ban period on your file so no new credit is opened against it.
  2. Switch from SMS-based two-factor authentication to an authenticator app. Apps like Google Authenticator, Authy, and Microsoft Authenticator generate codes on the device from a shared secret and the clock; nothing is sent over the mobile network, so a SIM swap cannot intercept them. SMS codes can be. Given the scale of Australian telco breaches, this is not an optional upgrade. Check each account's recovery options as well: a phone-number fallback for password reset reopens the same hole.
  3. Submit opt-out requests to the people-search sites listed above. A free opt-out guide covering 100+ brokers lists direct removal links and the steps for each. Each site has a separate process. This is manual, time-consuming, and requires periodic repetition — opt-outs do not last forever. But each removal reduces your searchable footprint.
  4. Check your breach exposure. Visit haveibeenpwned.com and enter your email addresses, and your mobile number where the site supports phone search, to see which breach datasets include your data. If you appear in multiple breaches, your risk of profile-enrichment targeting is significantly higher, since each dataset supplies a different field to cross-reference.
  5. Be suspicious of all unsolicited contact that knows your details. Your name and address are not proof that a caller or message is legitimate — that data is in wide circulation. Hang up, look up the real number independently, and call back yourself.
  6. Contact your telco and add an extra security PIN for any SIM or account changes. Most AU telcos allow this. A SIM swap requires talking a customer service agent or store staff into reissuing your SIM; an additional PIN the attacker must know creates friction that defeats a significant proportion of attacks.
  7. Consider a managed data removal service. Manually opting out of dozens of data brokers is a significant ongoing undertaking. Brokers re-acquire data over time and opt-outs expire. Managed services track and re-submit opt-outs continuously — reducing your exposure without requiring you to do it yourself.

Resources
