Sage Journals: Discover world-class research

Abstract

Data breaches are an everyday occurrence, exposing the personal details of millions globally. The victim impacts of data breaches can be considerable, including a range of financial harms such as fraud and identity crime, as well as non-financial harms, such as declines in emotional and psychological wellbeing. While these harms are documented, there is less research exploring how data breaches in particular expose victims to further victimisation, specifically through phishing attacks by offenders. Using survey data from 2,019 victims of the Optus and Medibank/AHM data breaches in Australia in 2022, this article examines factors which relate to phishing attempts on these individuals. Results indicate limited factors in predicting those targeted by phishing attempts. This highlights the opportunistic nature of phishing attacks in the aftermath of these two data breaches and a more generalised approach taken by offenders to gain additional details. It also demonstrates a need for continued community education and awareness to protect further personal information from being accessed by offenders into the future.

Keywords

data breach fraud identity theft phishing scam

Introduction

Data breaches are an everyday occurrence given the level of digitisation of personal information coupled with the difficulty of tracking the type of data shared with organisations (Andrew et al., 2023). There have been many examples of data breaches exposing the personal details of millions of individuals around the globe over the last two decades (Africk & Levy, 2021). In the United States, there have been several large-scale breaches including Twitter, Facebook, Equifax, Capital One, The Marriott, Target, and Office of Personnel Management (OPM) to name a few (Coffey, 2019; Khan et al., 2021). The ongoing prevalence of data breaches has seen a desensitisation from society to both their occurrence and their impacts (Khan et al., 2021).

Australia is not immune to data breaches, as many government and private sector organisations have been impacted including Australian National University (Andrew et al., 2023) and Red Cross (OAIC, 2017). In 2024, there were 1,113 data breaches reported to the Office of the Australian Information Commission (OAIC), up from 890 in 2023 (OAIC, 2025; 2024). This is indicative of an upward trend across several years. Most notably, in 2022, Australia experienced two of the largest recorded data breaches in its history in quick succession, targeting Optus and Medibank/AHM. These two breaches exposed an array of personal information from 9.8 and 9.7 million Australians, respectively (Optus, 2022; UpGuard, 2022).

As the number of known data breaches has increased in recent years, so has evidence that they cause both financial and non-financial impacts to victims (Harrell & Thompson, 2023; Maher & Hayes, 2024). Though beneficial, few have considered the extent to which data breaches create opportunities for subsequent victimisation outside of any direct losses incurred through the breach. The kinds of data compromised in breaches, particularly names, addresses, phone numbers, and email addresses, create immediate avenues for offenders to target individuals with phishing emails and related schemes (Coffey, 2019; Garrison & Ncube, 2011; Holt, 2013). Additionally, phishing attempts appear to increase in the aftermath of natural disasters and crisis events, such as the COVID-19 pandemic which enabled schemes targeting people around the globe (Bitaab et al., 2020; Chang & Chong, 2021; Taodang & Gundur, 2023; Verma et al., 2018). Large-scale data breaches that affect large segments of the population would seemingly fit with this pattern.

Given this gap in the research literature, there is a need to explore the extent to which data breach victims experience subsequent phishing and fraud attempts, and any factors that may be associated with this targeting. This study attempted to address this issue using quantitative analyses of survey responses from a general population sample of individuals who were affected by the Australian Optus and Medibank/AHM breaches. Using Routine Activities Theory as an analytical framework, two binary logistic regression models were estimated for individuals affected by each breach to assess any significant relationships between specific data losses and behavioural and demographic factors. The implications of this study for our understanding of data breach victimisation and cybercrime victimisation are discussed in detail.

Understanding Data Breaches

At a high level, data breaches can be defined as ‘an occasion when private information can be seen by people who should not be able to see it’ (Gaglione, 2019: 1137). A breach occurs when a third party gains unauthorised access to information which can lead to a range of negative outcomes, from exposure to theft or misuse (Spanca & Salihu, 2024). The data lost in most breaches falls into several categories, including personal health information, personally identifiable information, trade secrets, or intellectual property (Strzelecki & Rizun, 2022: 2).

There are multiple causes of data breaches which cut across both online and offline environments (Holtfreter & Harrington, 2015). There is a strong focus on those which are perpetrated by malicious actors outside of organisations, such as through phishing or malicious software-based attacks (Algarni & Malaiya, 2016). At the same time, breaches can result from accidental or unintentional actions, usually on a smaller scale, such as mishandling laptops or flash drives containing sensitive data (Romanosky et al., 2011, see also OAIC, 2025 for specific examples).

The type of information exposed in a data breach will arguably determine its impact on victims, such as the ability of victims to repair and/or restore their identity. This is evident in the categorisation of ‘reversible’ and ‘irreversible’ data breach victimisation (Ayaburi, 2023: 98). Reversible data breach victimisation is minimal, involving information that ‘could easily be repaired through mechanisms such as the closure of a compromised bank account or replacement of a stolen credit card number’ (Ayaburi, 2023: 98). Irreversible data breach victimisation includes instances where ‘the perception of loss of private information has long-term irreparable impact’ and may render victims unable to ‘completely forget about the damages resulting from the data breach’ (Ayaburi, 2023: 98).

Financial harms resulting from fraud and identity crimes are some of the most well-established consequences of a data breach (Acquisti et al., 2006; Aivazpour et al., 2022; Burdon et al., 2012; Gaglione, 2019; Gibson & Harfield, 2021; Ong, 2023). The loss of personally identifiable information can facilitate a range of fraud types, including existing account fraud or new account fraud (Harrell & Thompson, 2023; Roberds & Schreft, 2009). Acquiring social security numbers and other personal information allow offenders to sell this information to facilitate identity crimes (Burdon et al., 2012).

Research indicates that appearing in a breach creates an overall ‘low risk of identity theft’ (Smyth, 2013, p. 181), though some victims can experience identity theft within 2 weeks of a breach (Garrison & Ncube, 2011). For some victims, it is the perpetration of fraud or identity crime which alerts them to their details having been exposed in a data breach (Harrell & Thompson, 2023). One study suggests that 31.7% of data breach victims will have identity theft perpetrated against them (Coffey, 2019). This is largely supported by research into identity crimes more broadly. For example, one Australian study recorded 30% of respondents having experienced identity crime in their lifetime, and 20% of respondents having experienced identity crime in the past 12 months (McAlister et al., 2023).

Optus and Medibank/AHM Data Breaches

In the second half of 2022, Australians experienced two of the largest data breaches in Australia at that time. Optus was the first entity to experience a breach in September 2022. The company is the second largest telecommunications provider in Australia (behind Telstra). The scope of customers harmed was between 2.5 million to 9.7 million customers (Smith, 2022), though some reports indicate it may have been as many as 10 million (Riches, 2022). The breach exposed customers’ names, phone numbers, email addresses, dates of birth, addresses, and ID documents, as well as Australian Business Numbers and Australian Company Numbers (iDcare, 2022).

Less than a month later, Australians were notified of their involvement in another large-scale data breach affecting the large Australian private medical insurer, Medibank, who also supports a smaller company, AHM. In October 2022, hackers were able to acquire 200 GB of unauthorised customer data (Mason et al., 2022). The breach led to the compromise of the following credentials for 9.7 million customers:

first names and surnames; addresses; dates of birth; Medicare numbers; policy numbers; phone numbers; [and] some claims data, including the location of where a customer received medical services and codes relating to their diagnoses and procedures (UpGuard, 2022).

Data Breaches and Phishing

These metrics only reflect the ability of victims to directly connect their losses to a data breach and may not include instances where individuals’ data is used to facilitate other forms of cybercrime. Researchers have argued that phishing, which typically involves the use of deceptive email or other electronic communications to obtain sensitive information from the targeted person, is equally relevant for targeting individual victims in the wake of a breach (Gibson & Harfield, 2021; Lastdrager, 2014). Phishing can be used to gain personal information and credentials that can then be used to commit further crimes, such as fraud and identity theft.

As noted by Acquisti and colleagues (2006: 1565), ‘even when no actual fraud directly follows from a breach, the victim may be at an increased risk of phishing’. Data breaches allow offenders to harvest massive email lists from companies and retailers that facilitate targeted phishing campaigns that may increase the likelihood of victim responses. For instance, online illicit markets regularly sell email addresses and other contact points for spam and phishing email distribution (Dupont et al., 2017; Holt, 2013; Holt & Lampke, 2010).

There are two ways that offenders can deploy phishing attacks relevant to data breaches. The first is to target individual victims who were involved in the data breach. In these cases, offenders may have relevant credentials of individuals, like email addresses and phone numbers. They must acquire additional information, such as bank account details, in order to perpetrate subsequent offences like financial fraud (e.g. Brown, 2016; FTC, 2025; Thomas et al., 2017). Offenders will then tailor the phishing attack to the individual with the specific purpose of extracting the additional personal information they need.

The second is to target the general population more broadly, regardless of whether they were directly affected by the breach or not. The sheer size and scale of many data breaches (Optus and Medibank/AHM included) enables offenders to deploy large-scale phishing attacks and potentially contact individuals who have been involved in the incident (Brown, 2016; Thomas et al., 2017). These generalised approaches can solicit a wide range of personal details and have the same intention as more targeted approaches to facilitate other criminal activities. Phishing attacks may be successful when deployed in relation to data breaches as they frequently invoke a sense of urgency and authority (Steinmetz & Cross, 2023; Thomas et al., 2017). Furthermore, they often demand instant decision making as opposed to thinking it through and consulting with family, friends or authorities.

Offenders could easily tailor fraud campaigns to victims, using strategies like posing as the retailer who was compromised to get victims to provide credentials to log into accounts or confirm their identity to avoid further victimisation (Leukfeldt, 2014; van’t Hoff-de Goede et al., 2024). A similar dynamic was observed by Verma and colleagues (2018) who examined phishing emails targeted at individuals in the aftermath of Hurricane Harvey. This study demonstrated an increase in vulnerability of those affected by Hurricane Harvey to click on links in emails or downloaded attachments that they would not have previously actioned.

The quantities and qualities of the Optus and Medibank breaches suggest there is significant potential for phishing attempts in the weeks and months after the public acknowledgement of the breaches. Several organisations issued warning and alerts to the general public, such as the Australian Competition and Consumer Commission which released public statements on the potential for phishing attacks in the wake of both the Optus and Medibank breaches (Scamwatch, 2022a, 2022b). Fact sheets were created for both incidents, highlighting the perceived risk of phishing and educational materials on how to protect oneself from harm. The Australian Media Communications Authority (ACMA) put out a warning to Optus customers several months later, reiterating the ongoing threat of phishing emails (ACMA, 2023).

Understanding Correlates of Phishing Stemming from Data Breaches

The potential for phishing schemes to be launched in the wake of a data breach calls to question what factors increase individual risk of victimisation. One of the key frameworks to assess such risks is Cohen and Felson’s (1979) routine activity theory. This well-tested theory argues that crime occurs as a result of the convergence of motivated offenders, a lack of guardianship, and a suitable target in time and space. Researchers have used this theory to account for victimisation in on and offline settings (e.g. Ahmad & Thurasamy, 2022; Engström, 2021; Hayes & Maher, 2024), and in multiple studies related to phishing victimisation risk (e.g. Lee et al., 2022; Leukfeldt & Yar, 2016; Maimon et al., 2023; van’t Hoff-de Goede et al., 2024).

One of the key arguments of this framework is that individuals’ personal characteristics and routine behaviours make them suitable targets for specific forms of crime (Cohen & Felson, 1979). Target suitability has largely been categorised around the symbolic or economic value of an individual or item, depending on the offence, and its value, inertia, visibility, and accessibility to the offender (Leukfeldt & Yar, 2016; Newman & Clarke, 2003; Yar, 2005).

Prior research on phishing and fraud targeting generally suggests that victims’ exposure, or visibility and accessibility to the target, has the greatest relationship to risk (Gan et al., 2024; Pratt et al., 2010; van Wilsem, 2011). Time generally spent online and in certain environments, like shopping sites, increased individuals’ risk of being victimised (Gan et al., 2024; Leukfeldt & Yar, 2016; Pratt et al., 2010; van Wilsem, 2011). The evidence is mixed, with some finding no relationship to online exposure or activity variables (Hutchings & Hayes, 2009; Leukfeldt, 2014; Ngo & Paternoster, 2011; van’t Hoff-de Goede et al., 2024).

Applying these findings to phishing after a data breach may have less value, as offenders have ways to access potential victims in their possession by virtue of the data stolen. There should be an association between the loss of specific pieces of data in a breach and an increased risk of receiving phishing emails. The loss of contact points, such as email addresses, phone numbers, and names, would enable phishers to more easily engage in targeted messaging against a range of potential victims (Cross & Holt, 2025; Thomas et al., 2017). The same is true for information more sensitive information that may enable more tailored messaging, like individuals’ date of birth. Thus, the loss of information in a data breach may serve as a target suitability factor by making a subset of potentially attractive victims more visible and accessible to motivated offenders (Newman & Clarke, 2003; Yar, 2005).

In addition, it is likely that individuals who experienced both the Optus and Medibank breaches have a greater risk of exposure to offenders. The quantity and quality of data available about individuals in each breach was substantial (e.g. iDcare, 2022; Mason et al., 2022). Appearing in both incidents may increase individuals’ general visibility to offenders and engender a greater risk of receiving phishing emails.

The relationship between individual demographics and the risk of victimisation through phishing is quite mixed (Martins et al., 2023). Research suggests that gender, age, and race are generally unrelated to fraud and phishing risks (Leukfeldt & Yar, 2016; Martins et al., 2023; Ngo & Paternoster, 2011). Income, education, and age have some association with fraud and victimisation, though it is unclear if these factors are an indirect result of online activities that increase exposure to offenders (e.g. Leukfeldt & Yar, 2016; Ngo & Paternoster, 2011; Reyns, 2015). Additionally, some studies have found no association between socioeconomic factors and phishing victimisation (Leukfeldt, 2014; Martins et al., 2023).

Regarding phishing as a result of data breaches, it may be that there are inconsistent significant relationships to demographic factors. Some offenders may take a ‘spray and pray’ approach, whereby as many individuals are targeted as possible to increase the likelihood of responses (Leukfeldt, 2014; Ngo & Paternoster, 2011). As a result, there may be little correlation between demographic factors and victimisation risk as everyone has equal risk of targeting.

At the same time, marginalised groups and populations with differential knowledge of cybersecurity threats may be more likely to respond to certain pressures. For instance, individuals living in lower income brackets may be less aware of cybersecurity issues, and thereby more likely to respond to phishing emails (Leukfeldt & Yar, 2016). The same may be true for the elderly, non-native English speakers, and Indigenous or non-native Australians may be more attractive targets for phishing threats.

This study attempted to explore these relationships by examining the extent to which those involved in Optus and/or Medibank/AHM data breaches were targeted by offenders by phishing attempts in the aftermath of these incidents. Using a quantitative sample of respondents in Australia, this study utilised binary logistic regression modelling to determine what (if any) correlates are relevant to those in these two breaches who were targeted.

The Present Study

Given the empirical data associated with traditional phishing victimisation risks, it is plausible that some of the dynamics also predict the likelihood of phishing contacts following data breaches. This study attempted to test the following routine activities-based hypotheses to assess the relationship between phishing contacts in the wake of the Optus and Medibank/AHM breaches:

Loss of specific contact data points should increase the risk of phishing targeting.

Appearing in both the Optus and Medibank/AHM breaches increases the risk of phishing targeting.

Marginalised groups will experience an increased risk of phishing targeting.

Univariate and multivariate statistics were used to test these hypotheses using a population of Australian respondents who experienced these two breaches.

Methodology

In 2021, a survey was conducted with Australians on the topic of data breaches (Cross & Holt, 2025). In the aftermath of the Optus and Medibank/AHM data breaches, this survey was revised, redistributed, and forms the basis for the current analysis. In particular, the survey was reworked to specifically capture the experiences of individuals who were directly involved in the Optus and/or Medibank/AHM data breaches. Given the scale of the two data breaches (9.8 million and 9.7 million victims, respectively), the ability to recruit a sample was not foreseen to be problematic.

Qualtrics (online survey panel provider) was used to recruit respondents to the online survey. Responses were collected from 2019 participants during May 2023. Eligibility to this survey comprised of those who were aged 18 years and older, currently lived in Australia, and were able to give consent to participate in the survey. Further, eligibility to the survey required that the respondent knew they were involved in the Optus and/or Medibank/AHM data breaches (which occurred in September and October 2022). A variation to the original ethics approval was received to conduct this second survey (Queensland University of Technology Human Research Ethics Committee approval #4011).

The survey consisted predominantly of close ended questions which were mandatory. There were a small number of open-ended questions throughout, which were optional, to elicit further details where relevant. To ensure participants had a consistent definition for what constitutes a data breach, the following language was presented to participants at the beginning of the survey:

A data breach ‘occurs when an organisation experiences an unauthorised leak or loss of a customer’s personal information’. This can also be referred to as a third-party data breach (meaning the data is compromised by someone other than yourself).

For the purposes of the current survey, respondents were directed to this only being applicable to the Optus and/or Medibank/AHM data breaches and not to capture any other data breaches that they may have been involved in.

A total of 2019 respondents completed the survey, with the sample generally representing the population demographics of Australia. A simple majority of respondents were female (52.5%) and closely resembled the age distribution (37.9 years average; 38.3 years national average as per AIHW, 2024) and educational composition of the nation (30.2%; 32% per Statista, 2024). The sample also over-represented Aboriginal and/or Torres Strait Islanders (8.8% compared to 3.8% national average as per ABS, 2023).

Only those respondents who reported their data appeared in either the Optus or Medibank/AHM data breaches were included in this analysis. A total of 1,666 (82.5%) respondents noted their data was lost in the Optus breach, while 857 (42.4%) reported experiencing the Medibank/AHM data breach. A small proportion of respondents were excluded from each sample due to missing data leaving a final population of 1549 respondents who experienced the Optus breach and 778 affected by the Medibank/AHM breach. It should be noted that while the extent of both data breaches were similar in numbers, the current data set comprises roughly twice the number of Optus victims compared to those involved in the Medibank/AHM data breach. There is no immediate reason for this sampling pattern, as eligibility targeted those across both data breaches.

At the same time, these sub-populations still generally resemble the broader Australian population (AIHW, 2024). The overall population that reported being in the Optus breach was slightly younger (37 years average), but consistent with the gender composition (52.6% female) of the country (see Table 1). The Medibank/AHM population was consistent with the average age (38.9 years) and gender (50% female) composition of Australia as well. Both samples were slightly over-representative of the Aboriginal and Torres Strait Islander population (Optus = 10.3%; Medibank = 10.8%) (ABS, 2023), though such sampling is critical to better understand their potential risk of victimisation.

Table 1.

Descriptive Statistics

Variable	Optus Breach Victims (n = 1,549)				Medibank Breach Victims (n = 778)
Variable	Mean	SD	Min	Max	Mean	SD	Min	Max
Optus phishing	.381	.486	0	1	---	---	---	---
Medibank phishing	---	---	---	---	.366	.482	0	1
Name	.760	.428	0	1	.740	.437	0	1
DOB	.650	.476	0	1	.710	.455	0	1
Email	.610	.488	0	1	.610	.487	0	1
Home add	.380	.487	0	1	.440	.497	0	1
Ph no	.510	.500	0	1	.480	.500	0	1
Password	.130	.338	0	1	.130	.339	0	1
CC number	.110	.314	0	1	.100	.302	0	1
Bank acct	.130	.336	0	1	.140	.347	0	1
Medicare no	.160	.370	0	1	.340	.473	0	1
DL	.430	.495	0	1	.200	.404	0	1
Passport	.080	.271	0	1	.060	.236	0	1
Customer no	.130	.334	0	1	.160	.370	0	1
Pers. images	.040	.198	0	1	.040	.207	0	1
Medical info	.060	.235	0	1	.180	.382	0	1
Other	.020	.155	0	1	.050	.226	0	1
Breaches	.300	.458	0	1	.599	.490	0	1
Australian	.863	.343	0	1	.857	.349	0	1
English	.118	.322	0	1	.136	.349	0	1
Education	3.200	1.021	1	5	3.330	1.012	0	1
Employment	.025	.158	0	1	.041	.198	0	1
Rurality	1.380	.620	1	3	1.380	.601	0	1
QLD	.202	.402	0	1	.201	.401	0	1
NSW	.300	.458	0	1	.286	.452	0	1
VIC	.286	.452	0	1	.290	.454	0	1
Indigenous	.103	.305	0	1	.108	.310	0	1
Income	4.812	1.004	1	7	4.892	1.026	1	7
Age	37.062	13.690	18	84	38.915	15.866	18	84
Female	.474	.499	0	1	.500	.500	0	1

Dependent Variables

Respondents were asked in the context of having experienced the Optus and/or Medibank breaches: ‘Have you received any calls, texts, emails, or other communications since having your details exposed, which have asked you for money or for further personal information?’ Responses included (1) yes, (2) no, and (3) unsure, though this was collapsed into a binary measure, with all no and unsure responses subsumed into 0, while yes was coded as 1 (see Table 1). Disseminating the survey approximately 7 months following both breaches allowed for a sufficient length of time for victims to have experienced some degree of contact from potential phishers and scammers. There was relative parity across both breach incidents, as 38.1% of Optus victims and 36.6% of Medibank/AHS victims reported receiving contacts asking for additional data or funds.

It should be noted that the self-report nature of this data relies upon individuals’ recollection of being targeted in the aftermath of the two data breaches. Receiving such a request may not be a direct result of appearing in the breach, though individuals may have been made more cognisant of the risk of being targeted for phishing attacks post-breach. Furthermore, it is possible that there may be some under-representation of requests as some phishing emails may have been diverted to a junk folder or deleted as part of an inbox filter, or calls and texts blocked by telecommunications providers. Capturing individuals’ awareness of potential fraud targeting is, however, essential to better understand how data breaches may impact both perceived and real risk of further victimisation.

Independent Variables

To assess any relationship between the kind of data lost in the breach and the risk of secondary victimisation attempts, a series of 16 items were included. Respondents were asked for each breach, ‘What information do you know was breached (please select all that apply)’ with the following items: (1) name; (2) date of birth; (3) email address; (4) home address; (5) phone number; (6) password/s; (7) credit card number; (8) bank account details; (9) Medicare number; (10) drivers licence number; (11) passport number; (12) passport number; (13) customer number; (14) personal/private images; (15) medical information; (16) other. Each item was included as a binary (0 = no; 1 = yes) to explore any significant risk to the likelihood of secondary fraud contacts.

An additional measure was created to capture repeat victimisation. Specifically, responses to the question did you lose data in the Optus and Medibank/AHS breaches were combined to create a binary measure of whether respondents experienced one or both breaches (0 = one breach; 1 = two breaches).

A series of 11 independent variables were included to identify any specific demographic correlates associated with being a victim of these breaches. First, respondents were asked ‘In what country were you born?’ to capture Australian birth heritage (0 = yes; 1 = no). To capture English language use, respondents were asked ‘Do you speak a language other than English at home?’ A three-item response was provided (1 = yes, 2 = no, and 3 = prefer not to say), with the small proportion of non-respondents being excluded in order to create a binary measure (0 = no; 1 = yes).

An additional measure was included to assess formal education based on responses to the question: ‘What is the highest level of formal education you have completed?’ Responses included (1) primary or elementary school; (2) secondary or high school; (3) tertiary diploma/trade certificate; (4) University undergraduate degree; and (5) University postgraduate degree.

To assess employment, the following question was presented to respondents: ‘Which one of these BEST describes your main activity at the moment’. A ten-item response was provided: (1) university postgraduate degree; (2) employed (full time, part-time, self-employed, casual); (3) unemployed; (4) student; (5) retired or on a pension; (6) stay-at-home parent/carer; (7) unpaid household duties; (8) other; (9) unsure; and 10) prefer not to say. A binary measure was created, collapsing those who indicated employed into one category (0) compared to all other activities (1). Those who were unsure or preferred not to say were excluded from this sample (n = 14).

To measure risk based on urbanity, respondents were also asked ‘Which of the following best describes your current location?’ with a three-item response provided: (1) urban or metropolitan; (2) regional; and (3) rural. Respondents were also asked ‘What Australian jurisdiction do you currently live in’ with eight response options: (1) Queensland; (2) New South Wales; (3) Victoria; (4) Tasmania; (5) South Australia; (6) Western Australia; (7) Northern Territory; and (8) Australian Capital Territory. The majority of respondents (77.9%) reported living in Victoria (28.9%), New South Wales (28.5%), and Queensland (20.5%). Thus, three binary control variables were included to control for individuals living in these three territories (QLD = 0 no; 1 = yes; NSW = 0 = no; 1 = yes; VIC = 0 = no; 1 = yes).

An additional measure was included asking respondents if they were Aboriginal or Torres Strait Islander. Responses included (1) no; (2) yes – Aboriginal; (3) yes – Torres Strait Islander; (4) yes-both; (5) unsure; and (6) prefer not to say. To provide the most accurate response, those who were unsure (n-15) or preferred not to respond (n = 16) were excluded from the sample. The measure was then recoded into a binary measure reflecting all those who indicated no (0) and those with Aboriginal and/or Torres Strait Islander identity (1).

Age was measured as a continuous variable (mean = 37.93 years). Income was a categorical variable, measured using the question ‘Before tax or other deductions, what is your total annual income? Please include wages and salaries, government pensions, benefits and allowances, and income from interest, dividends or other sources’. Responses included: (1) negative income; (2) 0–$18,200 (0–$350 per week); (3) $18,201–$45,000 (351–865 per week); (4) $45,001–$120,000 ($866–$,2307 per week); (5) $120,001–$180,000 ($2,308–$3,461 per week); (6) $180,001 and over ($3,462 and over per week); and (7) Unsure or prefer not to say. The small number of non-respondents was excluded to create a six-item measure for income.

Gender was measured using a four-item response: female; male; non-binary/gender diverse; and prefer not to say. Due to the very limited representation of non-binary (n = 13) and those who preferred not to respond (n = 3), those individuals were excluded from the analysis. A single binary measure was used reflecting female (0) and male (1).

Results

To explore the hypothesised relationships between the dependent and independent variables, two correlation matrices were estimated for each model using SPSS version 26 software. The results for the Optus breach indicated that all data loss variables were correlated with the likelihood of receiving phishing messages, with the exception of losing passport details (see Table 2). In addition, multiple demographic variables were associated with phishing targeting, including individuals whose data appeared in both breaches, lived in New South Wales, spoke another language other than English, were Indigenous, had higher income levels, higher education levels, and were younger.

Table 2.

Correlation Matrix for Phishing Attempts Stemming From Optus Breach (n = 1,549)

	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29
1	--
2	0.033	--
3	.063*	.475**	--
4	.115**	.314**	.342**	--
5	0.045	.238**	.386**	.319**	--
6	.166**	.234**	.304**	.416**	.414**	--
7	.119**	.077**	.120**	.183**	.194**	.189**	--
8	.095**	−0.002	.099**	.115**	.185**	.152**	.373**	--
9	.112**	0.016	.149**	.160**	.240**	.204**	.338**	.432**	--
10	.083**	.054*	.159**	.105**	.173**	.132**	.168**	.215**	.254**	--
11	−.071**	0.034	.124**	−.065*	.103**	−0.03	0.001	.095**	.118**	.218**	--
12	0.033	0.033	.126**	.076**	.109**	.107**	.188**	.282**	.268**	.255**	.141**	--
13	.141**	.080**	.121**	.133**	.174**	.200**	.205**	.154**	.238**	.196**	.101**	.165**	--
14	.080**	−0.029	0.041	0.038	.113**	.090**	.219**	.219**	.261**	.227**	.061*	.264**	.225**	--
15	.081**	0.019	.073**	.065*	.130**	.107**	.219**	.183**	.255**	.245**	0.029	.270**	.233**	.407**	--
16	−0.03	−.232**	−.173**	−.172**	−.083**	−.129**	−0.049	−0.043	−0.036	−0.048	−.120**	−0.031	−0.048	0.01	−0.022	--
17	.180**	0.028	.092**	.053*	.109**	.077**	.078**	.086**	.061*	.173**	−.086**	.087**	.057*	.072**	.171**	0.014	--
18	0.025	−0.009	0.026	−0.021	0.005	−0.038	0.01	0.015	0.008	−0.017	−0.02	−.098**	0.011	−0.033	.059*	−0.01	0.027	--
19	.067**	−0.004	−0.006	0.039	0.031	.077**	.064*	0.049	0.031	0.022	−0.036	.098**	.058*	.087**	0.036	−0.032	0.043	−.344**	--
20	.069**	0.007	−0.031	0.026	0.013	0.044	−0.005	0.026	0	−0.024	−0.029	.067**	0.005	−0.019	0.012	−0.036	.068**	−.158**	.146**	--
21	0.031	0.016	−0.018	0.03	−0.045	−0.004	0.033	0.033	0.034	0.005	−.058*	0.042	0.011	−0.013	0.029	−0.026	.053*	0.005	.079**	.123**	--
22	−0.014	0.001	−0.011	−0.025	−0.029	−0.008	0.003	0.003	−0.013	0.008	−.064*	−.065*	−0.009	−0.004	−0.006	0.031	0.008	.082**	−.098**	−.196**	0.006	--
23	0.034	0.011	0.011	−0.001	−0.042	−0.009	−0.011	0.006	0.016	−0.015	0.021	−0.013	0.004	0.002	−0.044	0.003	−0.037	0.032	−.070**	−.059*	−.052*	.078**	--
24	.056*	−0.025	−0.029	0.001	0.014	0.021	0.007	0.019	0.002	−0.013	−.123**	0.014	0.031	.057*	0.016	0.014	0.039	−0.019	.056*	−0.006	0	0.047	−.331**	--
25	−0.035	0.033	0.003	−0.002	0.04	0.006	0.011	−0.01	−0.002	0.025	.074**	0.013	−0.007	−0.029	0.036	0.001	0.008	−0.032	.056*	0.042	0.014	−.066**	−.319**	−.415**	--
26	.094**	−.075**	0.009	−0.035	−0.03	0.024	.055*	.088**	0.038	0.009	−.053*	0.016	−0.029	0.037	.050*	−0.013	.109**	.098**	−.053*	−.072**	−0.002	.062*	0.039	0.049	−.070**	--
27	0.045	0.024	0.009	−0.009	0.014	−0.021	0.025	0.05	0.001	−0.004	0.021	0.046	−0.019	0.006	−0.019	−0.037	.054*	−0.031	0.019	.333**	−0.022	−.158**	−.072**	0.047	.053*	−0.014	--
28	−.111**	0.033	−0.017	0.019	.074**	−0.02	−.123**	−0.03	−.057*	−0.017	.108**	−0.001	−0.027	−0.04	−.058*	.109**	−0.02	−.134**	−.069**	−0.047	−.090**	0.001	0.015	−0.025	0.039	−.132**	0.006	--
29	0.002	−0.029	−0.022	−0.004	0.038	0.004	.058*	0.047	0.01	−0.037	−.075**	0.029	−0.031	0.04	0.005	0.033	.050*	−0.022	0.029	0.022	0.033	−.056*	−.051*	.050*	−0.012	0.036	.121**	.054*	--

The Medibank/AHM breach model indicated slightly different relationships compared to the Optus breach model (see Table 3). There was some difference in the data loss measures that were correlated, as individuals were more likely to experience phishing requests if they lost their date of birth, email address, phone number, password, credit card number, and bank account details. Those who did not lose other data were more likely to experience phishing. The demographic variables were identical, though income was also associated with an increased risk of targeting, which suggests general parity in terms of victimisation risk across the two models.

Table 3.

Correlation Matrix for Phishing Attempts Stemming From Medibank/AHM Breach (n = 778)

	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29
1	--
2	−0.011	--
3	.085*	.429**	--
4	.115**	.283**	.302**	--
5	0.046	.205**	.325**	.335**	--
6	.073*	.202**	.305**	.368**	.418**	--
7	.167**	−0.013	0.068	.169**	.125**	.170**	--
8	.142**	−0.007	0.048	.100**	.094**	.187**	.471**	--
9	.147**	−0.034	0.065	.114**	.154**	.204**	.389**	.428**	--
10	0.021	.190**	.150**	.097**	.193**	.159**	.146**	.120**	.166**	--
11	0.058	.130**	.144**	.133**	.208**	.175**	.188**	.210**	.291**	.366**	--
12	0.07	0.035	0.03	.098**	.116**	.151**	.272**	.277**	.260**	.155**	.211**	--
13	0.047	.093**	.116**	.136**	.166**	.152**	.146**	.128**	.253**	.236**	.259**	.228**	--
14	0.054	0.028	.072*	0.057	.106**	.138**	.226**	.214**	.288**	.094**	.198**	.235**	.206**	--
15	0.066	.096**	.114**	.147**	.188**	.192**	.156**	.089*	.142**	.315**	.182**	.155**	.323**	.240**	--
16	−.075*	−.328**	−.334**	−.255**	−.179**	−.196**	−.077*	−0.061	−.080*	−.123**	−.107**	−0.06	−.090*	−0.052	−.111**	--
17	.198**	−0.043	0.038	0.025	0.044	0.023	.157**	.145**	.141**	−0.042	0.057	.105**	0.014	.089*	0.05	−.106**	--
18	0.013	−0.03	0.004	−0.051	−0.006	−0.048	−0.003	0.028	0.038	−0.066	−0.003	−0.069	0.001	0	−0.003	−0.033	.071*	--
19	.102**	0.002	0.009	.076*	0.03	0.029	0.033	−0.009	0.034	0.009	0.003	.091*	0.058	.076*	0.022	−0.012	0.012	−.374**	--
20	.092*	0.018	−0.013	0.047	0.003	0.066	0.022	0.058	−0.07	−0.045	−0.033	0.02	0.014	−0.04	−0.029	−0.044	−0.023	−.078*	.107**	--
21	0.044	0.003	−0.023	−0.062	−0.029	−0.044	0.015	−0.005	−0.028	−0.052	−0.057	−0.024	−.074*	0.017	−.096**	−0.049	−0.015	0.066	0.012	.073*	--
22	−0.021	−.110**	−0.004	−0.056	−0.053	−.097**	−0.006	−0.006	0.023	−0.056	−0.006	−0.013	−0.017	0.039	0.022	−0.018	0.017	0.042	−0.056	−.159**	0.021	--
23	−0.037	0.039	−0.056	0.023	−0.017	−0.011	0.011	0.011	−0.009	−0.041	−0.001	0.023	−0.005	−0.016	0.026	0.007	−0.066	−0.033	−0.004	−0.06	−0.056	.089*	--
24	.079*	−0.011	0.008	0.012	0.012	0.014	0.029	0.069	0.064	−0.026	−0.004	0.058	0.035	.096**	−0.012	−0.026	.113**	0.031	0.038	−0.047	−0.002	0.027	−.319**	--
25	0.048	−0.025	0.033	−0.028	.079*	0.023	0.026	−0.009	−0.03	0.045	−0.001	0.008	−0.014	−0.002	0.029	−0.003	0.004	0.01	0.018	.088*	0.024	−0.049	−.322**	−.406**	--
26	.157**	−0.061	−0.022	0.02	−0.019	0.021	0.047	0.02	0.05	−.100**	−0.063	0.018	−0.03	0.004	−.075*	−0.046	.183**	.118**	−0.03	−0.024	0.053	0.057	0.001	0.045	−0.049	--
27	.083*	0.058	−0.029	.071*	0.003	.081*	0	0.031	0.003	−0.031	−0.024	0.021	−0.031	0.005	−0.023	−0.03	0.003	0.032	0.005	.344**	−0.06	−.134**	−0.019	0	0.07	−0.048	--
28	−.121**	.126**	−0.037	−0.047	0.055	0.013	−.140**	−.081*	−.088*	.073*	0.03	−0.058	0.054	−0.048	0.037	.156**	−.175**	−.207**	−0.06	−.095**	−.127**	0.031	.074*	−0.07	0.025	−.163**	−0.034	--
29	0.035	−0.006	−0.04	−0.021	−0.018	−0.003	−0.027	0.013	0.026	−0.014	−.073*	0	−0.045	0.031	−.087*	−0.011	0.031	−0.018	0.03	−0.022	0.039	−0.017	−0.022	0.026	−0.011	0.066	.145**	0.059	--

The relationships identified in the correlation matrix provided sufficient evidence to justify multivariate analyses. Two binary logistic regression models were estimated in SPSS version 26 software to examine the relationships between phishing messages and the various independent variables included. There was no evidence of multicollinearity as the lowest tolerance was .585 and the highest VIF was 1.718.

The model for Optus breach victimisation identified several significant correlates for phishing targeting (see Table 4). First, those who lost their phone number (OR = 1.666***), and customer number (OR = 1.799***) were more likely to receive phishing messages. Those who did not lose their home address (OR = .752*) were more likely to receive messages as well. Those who experienced both breaches were also more likely to receive phishing messages (OR = 1.967***), as were those living in Queensland (OR = 1.506*) and New South Wales (OR = 1.388*). Additionally, Indigenous (OR = 1.533*) and younger people (OR = .988**) were more likely to be targeted.

Table 4.

Binary Logistic Regression Estimating Phishing Attempts Stemming From Optus Breach (n = 1549)

Variable	B	S.E.	Exp(B)
Name	−.006	.154	.994
DOB	.032	.144	1.032
Email	.246	.134	1.279
Home add	−.285	.136	.752*
Phone no	.511	.130	1.667***
Password	.203	.181	1.225
CC number	.136	.203	1.146
Bank acct	.265	.191	1.303
Medicare no	.167	.164	1.181
DL	−.224	.124	.800
Passport	−.335	.231	.715
Customer no	.588	.173	1.800***
Pers. images	.246	.314	1.278
Medical info	−.064	.265	.938
Other	.040	.395	1.041
Breaches	.676	.123	1.967***
Australian	.202	.182	1.224
English	.293	.185	1.341
Education	.103	.060	1.109
Employment	.052	.343	1.053
Rurality	−.058	.093	.943
QLD	.409	.175	1.506*
NSW	.328	.160	1.388*
VIC	.106	.163	1.111
Indigenous	.427	.181	1.533*
Income	.066	.060	1.069
Age	−.012	.004	.988**
Female	−.051	.114	.950
Constant	−1.678	.455	.187***

Note. -2ll = 1893.447; R2 = .138; Chi sq. = 166.139***; *P < .05, **P < 0.1, ***P < .001.

The model for Medibank/AHM breach victimisation identified several different significant relationships relative to the Optus model (see Table 5). No data loss variables were significant, which is quite different from the Optus model. Those who experienced both breaches were more likely to receive phishing emails (OR = 1.866***), as were those who spoke another language (OR = 1.741*), and were Indigenous (OR = 2.390***). Those living in both New South Wales (OR = 1.790**) and in Victoria (OR = 1.744*) were also more likely to have been contacted.

Table 5.

Binary Logistic Regression Estimating Phishing Attempts Stemming From Medibank Breach (n = 778)

variable		B		S.E.		Exp(B)
Name		−.238		.216		.789
DOB		.410		.213		1.507
Email		.351		.191		1.421
Home add		−.150		.186		.860
Phone no		−.064		.187		.948
Password		.421		.269		1.524
CC number		.295		.305		1.343
Bank acct		.424		.270		1.528
Medicare no		.014		.196		1.014
DL		.127		.226		1.135
Passport		−.179		.361		.836
Cust no		−.030		.244		.970
Pers images		−.362		.411		.696
Medical info		.295		.234		1.343
Other		−.077		.442		.926
Breaches		.624		.175		1.866***
Australian		.074		.263		1.077
English		.554		.251		1.741*
Education		.147		.087		1.158
Employment		.531		.402		1.701
Rurality		−.060		.140		.942
QLD		.335		.262		1.398
NSW		.582		.237		1.790*
VIC		.556		.236		1.744*
Indigenous		.871		.260		2.390***
Income	.131		.087		1.140
Age		−.005		.006		.995
Female	.107		.164		1.113
Constant		−2.978		.684		.051***

Note. -2ll = 921.113; R2 = .167; Chi sq. = 101.132***; *P < .05, **P < 0.1, ***P < .001.

Discussion and Conclusion

The current analysis attempted to explore the incidence of additional victimisation in the aftermath of the Optus and Medibank/AHM data breaches. These incidents led to a substantial loss of personal information for victims who appeared in one or both breaches, with enough information to readily enable them to be victimised further (FTC, 2025; Thomas et al., 2017). The focus of this study was on exploring the risk factors for phishing attempts, defined as unsolicited requests for additional funds or personal information, following appearing in a data breach through an application of routine activities theory (Cohen & Felson, 1979).

The results indicate mixed findings. Notably, the type of data lost was only associated with the Optus data breach, particularly losing phone number and customer number. This is sensible as offenders could utilise this data to more readily access victim populations for vishing, or phone based phishing attacks. Access to customer numbers also allows for more tailored approach that can personalise the message to each recipient to make a more convincing scam message. The lack of significance for Medibank/AHM was somewhat unexpected, particularly given the amount of sensitive information available to offenders as a result of the breach.

The significant relationship between appearing in both breaches suggests that offenders may not be specifically seeking to obtain specified credentials but engaging in a more generalised blanket approach to their efforts (Leukfeldt, 2014; Ngo & Paternoster, 2011; Thomas et al., 2017). Victims of multiple breaches may have more information about themselves available to offenders through underground markets and online data dumps, thereby creating generally greater opportunities for offenders to target individuals (Holt & Lampke, 2010; Thomas et al., 2017). This highlights the opportunistic nature that data breaches afford for offenders, and their willingness to capitalise on the uncertainty and anxiety created.

In terms of demographics, Indigenous status was positively correlated in both breaches. This finding is worth exploring in greater detail, to determine what (if any) reason appears to make Indigenous Australians a higher target of phishing in the aftermath of a data breach. It is unclear if Indigenous status is also associated with some other risk factors, such as differential technological skill or cybersecurity awareness. Further research is needed to examine these issues in detail to understand what factors drive differential phishing risk among Indigenous groups. The findings, however, justify the need for tailored education and awareness to Indigenous individuals and communities to highlight the elevated risk this study suggests they may experience. This is also relevant for other CALD communities, given the correlation between those who spoke another language and being targeted in the Medibank/AHM data breach.

While the current analysis focused heavily on the potential for phishing attempts received by data breach victims, there is a need to explore the relationship between appearing in a breach and being extorted in different ways. Offenders are known to blackmail and extort victims involved in data breaches, particularly when the breach is sensitive. A prominent example of this was the 2015 Ashley Madison data breach, which exposed the details of those allegedly subscribed to the extra-marital affairs website (Cross et al., 2019).

Blackmail attempts were made in relation to the Optus data breach (AFP, 2022) and it is likely that with the sensitive nature of the Medibank/AHM data, that extortion attempts may also have occurred. At a larger scale, it is estimated that Operation Guardian (AFP) linked 11,000 cybercrime incidents to the Medibank/AHM data breach (Victoria Police, 2023). Future research is needed to differentiate between risk factors for both phishing attempts and extortion related to a data breach to better understand these offences further.

The lack of statistical findings across many categories of data as well as demographic factors are important in and of themselves. It suggests that offenders who perpetrate phishing attacks in the aftermath of a data breach, are somewhat opportunistic and seeking to target all individuals through a blanket approach, rather than focussing on a select cohort or individual victims. The findings reinforce the need for public education and awareness of the need for vigilance in the aftermath of a data breach. In the case of Optus and Medibank/AHM, several agencies did put out media releases warning the public of increased phishing activity and the potential for attacks (ACMA, 2023; Scamwatch, 2022b; Scamwatch, 2022a).

The current findings support this as a means of creating public awareness, not only to data breaches, but also to other significant events whereby offenders are likely to leverage events for their own benefit. Financial service providers, charitable organisations, and companies alike could engage in targeted education campaigns regarding the risk of phishing increasing in the wake of data breaches or other incidents that may influence the odds of targeted phishing campaigns. Such information could help to improve general awareness and potentially reduce the odds of responding to phishing messages. A good example of this is the Australian Competition and Consumer Commission (ACCC) who release regular scam alerts, and who released a specific warning to the public in the aftermath of the Optus breach (ACCC, 2022). While these are arguably valuable for the general public, these findings also suggest a need to explore potential partnerships between government, banks, and other relevant organisations to better develop targeted support for those who are vulnerable to potential victimisation.

From a criminological perspective, this analysis found limited utility in the application of routine activities theory to account for phishing victimisation attempts following appearing in a data breach. This is somewhat in line with the broader literature on the application of this theory to phishing victimisation (e.g. Leukfeldt & Yar, 2016; Ngo & Paternoster, 2011; Van’t Hoff-de Goede et al., 2024). As a result, there is a need to further explore the utility of this theory in more specific contexts with phishing and vishing victimisation, whether in general incidents or targeted after data breaches to better understand is limitations and value.

Overall, this analysis highlights the limited ability of demographics and types of information to predict those targeted for further phishing attacks in the aftermath of these two large-scale breaches. This suggests offenders are more opportunistic than targeted in their efforts to gain further credentials from potential victims (Leukfeldt, 2014; Thomas et al., 2017). This finding largely supports the need for public awareness and education campaigns which advocate for a generalised vigilance against phishing attacks, as well as targeted campaigns in the aftermath of notable data breaches, to remind individuals of their vulnerability and need to be on alert (FTC, 2025; iDcare, 2022). Further, this analysis only examined those who recognised receiving a phishing attempt after these two data breaches. It would be beneficial to extend this analysis to determine who responded to these requests, with either personal details or money, to ascertain if any of the factors explored (across both demographics and type of information lost) better predict actual victimisation rather than just attempts.

Despite the overall utility of the models presented, there are several limitations that need to be addressed. The first is the non-representative nature of the data. The survey targeted a specific group of known data breach victims, those within Optus and/or Medibank/AHM. It may not be indicative of the broader group of victims across both data breaches. This is especially so, given the strong representation of Optus victims compared to Medibank/AHM. Future research is needed in the wake of large-scale data breaches in different nations to better understand this dynamic across place.

Second, this survey relies upon individuals acknowledging that they were in fact victims of the Optus and/or Medibank/AHM data breaches. While these were two significant data breaches which garnered a lot of public attention compared to many other breaches, there still may be those who were unaware of their exposure. While Australia does have mandatory reporting legislation (Gibson & Harfield, 2021) and both organisations were required to notify those affected, this may not have captured everyone.

Third, the self-report nature of this data relies upon individuals’ recollection of being targeted in the aftermath of the two data breaches. The data collection occurred approximately 7 months after the breach, capturing a relatively long period during which victims may have been targeted for phishing attempts. Future study is needed to capture a longer period of time, such as a full 12-month window after a given breach incident to assess phishing incidents longitudinally.

It also assumes that any phishing attempts were received by the respondents and directly associated with their appearance in these breaches. It is possible that respondents may have conflated a phishing message received as a result of appearing a prior breach, or independent of any breach incident, as being associated with either or both the Optus and Medibank/AHM breaches. Thus further study is needed with different data sources, such as tracking spam filtering and telecommunications data to assess any overall trends in messaging rates to triangulate phishing attempts post-breach incidents.

Fourth, there was an over sampling of Optus victims compared to Medibank/AHM. There is no discernible explanation for this, as both breaches affected a similar number of individuals across Australia overall. Given the ordering of the Optus data breach as first, there may have been an increased recognition of involvement in this breach compared to Medibank/AHM, but this cannot be accounted for. It aligns with the previous limitation of the self-reporting nature of this data and the reliance on individuals to self-identify as a victim of the Optus data breach, the Medibank/AHM data breach, or both.

Finally, this study did not capture a population of non-victims to compare against those who experienced the Optus and Medibank/AHM breaches. The lack of a comparative population makes it difficult to extrapolate differences among the overall population relative to those who experienced these breaches and were contacted about phishing attempts. Future research is needed that explores the issue of phishing attempt experiences among both victim and non-victim populations to better understand the prevalence and incidence of contacts, as well as significant differences in risk across demographic groups.

Footnotes

Acknowledgements

The authors acknowledge the Queensland University of Technology Centre for Justice who provided funding for the survey used in this article.

Cassandra Cross

Thomas J. Holt

Ethical Approval

This project received ethics approval from Queensland University of Technology Human Research Ethics Committee approval #4011.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: this work was supported by the QUT Centre for Justice.

Declaration of Conflicting Interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data Availability Statement

The data used in this analysis is not available for sharing as per the project’s ethics approval.*

Author Biographies

Cassandra Cross is the Associate Dean (Learning and Teaching) in the Faculty of Creative Industries, Education and Social Justice, Queensland University of Technology (QUT). She also holds a position as Professor, School of Justice, QUT. Her research focuses on all aspects of fraud, across policing, prevention, disruption, and support of victims. She has been published in various journals including the British Journal of Criminology, Criminology and Public Policy, and Crime and Delinquency.

Thomas J Holt is a Professor in the School of Criminal Justice at Michigan State University, whose work focuses on cybercrime, cyberterrorism, and the justice response to these problems. He is also an Adjunct Professor with the School of Justice, Queensland University of Technology. His work has been published in a range of outlets including British Journal of Criminology, Criminal Justice and Behavior, and Terrorism & Political Violence.

References

Acquisti

Friedman

Telang

(2006). Is there a cost to privacy breaches? An event study. In: ICIS 2006 proceedings, December 2006, Milwaukee, 94.

Africk

Levy

(2021). An examination of historic data breach incidents: What cybersecurity big data visualization and analytics can tell us? Online Journal of Applied Knowledge Management, 9(1), 31–45. https://doi.org/10.36965/ojakm.2021.9(1)31-45

Ahmad

Thurasamy

(2022). A systematic literature review of routine activity theory’s applicability in cybercrimes. Journal of Cyber Security and Mobility, 11(3), 405–432. https://doi.org/10.13052/jcsm2245-1439.1133

Aivazpour

Valecha

Chakraborty

(2022). Data breaches: An empirical study of the effect of monitoring services. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 53(4), 65–82. https://doi.org/10.1145/3571823.3571829

Algarni

A. M.

Malaiya

Y. K.

(2016). A consolidated approach for estimation of data security breach costs. 2016 2nd International Conference on Information Management (ICIM), London, UK, (pp. 26–39). https://doi.org/10.1109/INFOMAN.2016.7477530

Andrew

Baker

Huang

(2023). Data breaches in the age of surveillance capitalism: Do disclosures have a new role to play? Critical Perspectives on Accounting, 90(January), 2–16. https://doi.org/10.1016/j.cpa.2021.102396

Australian Communications and Media Authority (ACMA) . (2023). Optus data breach. https://www.acma.gov.au/optus-data-breach

Australian Bureau of Statistics (ABS) . (2023). Aboriginal and Tores Strait Islander peoples. https://www.abs.gov.au/statistics/people/aboriginal-and-torres-strait-islander-peoples

Australian Competition and Consumer Commission (ACCC) . (2022). Customers warned to watch out for scams following optus data breach. https://www.scamwatch.gov.au/about-us/news-and-alerts/customers-warned-to-watch-out-for-scams-following-optus-data-breach

10.

Australian Federal Police (AFP) . (2022). Operation guardian delivers specialised protection for optus customers. https://www.afp.gov.au/news-centre/media-release/operation-guardian-delivers-specialised-protection-optus-customers

11.

Australian Institute of Health and Welfare (AIHW) . (2024). Profile of Australia’s population. https://www.aihw.gov.au/reports/australias-health/profile-of-australias-population

12.

Ayaburi

(2023). Understanding online information disclosure: Examination of data breach victimization experience effect. Information Technology & People, 36(1), 95–114. https://doi.org/10.1108/itp-04-2021-0262

13.

Bitaab

Cho

Oest

Zhang

Sun

Pourmohamad

Kim

Bao

Wang

Shoshitaishvili

Doupe

Ahn

G. J.

(2020). Scam pandemic: How attackers exploit public fear through phishing. In Proceedings of the 2020 APWG symposium on electronic crime research, eCrime 2020. article 9493260 (eCrime researchers summit, eCrime; vol. 2021-November), Boston, Massachusetts, USA. 16 – 19 November 2020. IEEE Computer Society. https://doi.org/10.1109/eCrime51433.2020.9493260

14.

Brown

H. S.

(2016). After the data breach: Managing the crisis and mitigating the impact. Journal of Business Continuity & Emergency Planning, 9(4), 317–328.

15.

Burdon

Lane

von Nessen

(2012). Data breach notification law in the EU and Australia - Where to now? Computer Law & Security Review, 28(3), 296–307. https://doi.org/10.1016/j.clsr.2012.03.007

16.

Chang

Chong

(2021). Cognitive heuristics and risk evaluation in crisis fraud. Journal of Financial Crime, 29(2), 447–459. https://doi.org/10.1108/jfc-02-2021-0030

17.

Coffey

(2019). Difficulties in determining data breach impacts. Systemics, Cybernetics and Informatics, 17(5), 9–13.

18.

Cohen

Felson

(1979). Social change and crime rate trends: a routine activity approach. American sociological review, 44(4), 588–608. https://doi.org/10.2307/2094589

19.

Cross

Holt

T. J.

(2025). Beyond fraud and identity theft: Assessing the impact of data breaches on individual victims. Journal of Crime and Justice, 1–24. https://doi.org/10.1080/0735648X.2025.2535007

20.

Cross

Parker

Sansom

(2019). Media discourses surrounding ‘non-ideal’ victims: The case of the Ashley Madison data breach. International Review of Victimology, 25(1), 53–69. https://doi.org/10.1177/0269758017752410

21.

Dupont

Côté

A.-M.

Boutin

J.-I.

Fernandez

(2017). Darkode: Recruitment patterns and transactional features of “the most dangerous cybercrime forum in the world”. American Behavioral Scientist, 61(11), 1219–1243. https://doi.org/10.1177/0002764217734263

22.

Engström

(2021). Conceptualizing lifestyle and routine activities in the early 21st century: A systematic review of self-report measures in studies on direct-contact offenses in young populations. Crime & Delinquency, 67(5), 737–782. https://doi.org/10.1177/0011128720937640

23.

Federal Trade Commission (FTC) . (2025). Data breach response: A guide for businesses. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

24.

Gaglione

(2019). The Equifax data breach: An opportunity to improve customer protection and cybersecurity efforts in America. Buffalo Law Review, 67(4), 1133–1212. https://digitalcommons.law.buffalo.edu/buffalolawreview/vol67/iss4/4.

25.

Gan

C. L.

Lee

Y. Y.

Liew

T. W.

(2024). Fishing for phishy messages: Predicting phishing susceptibility through the lens of cyber-routine activities theory and heuristic-systematic model. Humanities and Social Sciences Communications, 11(1), 1552. https://doi.org/10.1057/s41599-024-04083-1

26.

Garrison

Ncube

(2011). A longitudinal analysis of data breaches. Information Management & Computer Security, 19(4), 216–230. https://doi.org/10.1108/09685221111173049

27.

Gibson

Harfield

(2021). Contradictions and inconsistencies in Australia’s mandatory data breach notification laws. Computer Law & Security, 42(September), 1–11. https://doi.org/10.1016/j.clsr.2021.105600

28.

Harrell

Thompson

(2023). Victims of identity theft, 2021. Bureau of Justice Statistics. https://bjs.ojp.gov/library/publications/victims-identity-theft-2021

29.

Hayes

B. E.

Maher

C. A.

(2024). A systematic review of lifestyle-routine activity theory in the context of direct-contact sexual victimization. Trauma, Violence, & Abuse, 25(1), 369–392. https://doi.org/10.1177/15248380231153864

30.

Holt

T. J.

(2013). Exploring the social organization and structure of stolen data markets. Global Crime, 14(2-3), 155–174. https://doi.org/10.1080/17440572.2013.787925

31.

Holt

T. J.

Lampke

(2010). Exploring stolen data markets online: Products and market forces. Criminal Justice Studies, 23(1), 33–50. https://doi.org/10.1080/14786011003634415

32.

Holtfreter

Harrington

(2015). Data breach trends in the United States. Journal of Financial Crime, 22(2), 242–260. https://doi.org/10.1108/jfc-09-2013-0055

33.

Hutchings

Hayes

(2009). Routine activity theory and phishing victimisation: Who gets caught in the ‘net’? Current Issues in Criminal Justice, 20(3), 433–452. https://doi.org/10.1080/10345329.2009.12035821

34.

iDcare . (2022). Optus data breach response. https://www.idcare.org/support/optus-data-breach-support

35.

Khan

Kim

J. H.

Mathiassen

Moore

(2021). Data breach management: An integrated risk model. Information & Management, 58(1), 1–12. https://doi.org/10.1016/j.im.2020.103392

36.

Lastdrager

E. E.

(2014). Achieving a consensual definition of phishing based on a systematic review of the literature. Crime Science, 3(9), 1–10. https://doi.org/10.1186/s40163-014-0009-y

37.

Lee

Y. Y.

Gan

C. L.

Liew

T. W.

(2022). Phishing victimization among Malaysian young adults: Cyber routine activities theory and attitude in information sharing online. The Journal of Adult Protection, 24(3/4), 179–194. https://doi.org/10.1108/jap-06-2022-0011

38.

Leukfeldt

E. R.

(2014). Phishing for suitable targets in the Netherlands: Routine activity theory and phishing victimization. Cyberpsychology, Behavior and Social Networking, 17(8), 551–555. https://doi.org/10.1089/cyber.2014.0008

39.

Leukfeldt

E. R.

Yar

(2016). Applying routine activity theory to cybercrime: A theoretical and empirical analysis. Deviant Behavior, 37(3), 263–280. https://doi.org/10.1080/01639625.2015.1012409

40.

Maher

C. A.

Hayes

B. E.

(2024). Nonfinancial consequences of identity theft revisited: Examining the association of out-of-pocket losses with physical or emotional distress and behavioral health. Criminal Justice and Behavior, 51(3), 459–481. https://doi.org/10.1177/00938548231223166

41.

Maimon

Howell

C. J.

Perkins

R. C.

Muniz

C. N.

Berenblum

(2023). A routine activities approach to evidence-based risk assessment: Findings from two simulated phishing attacks. Social Science Computer Review, 41(1), 286–304. https://doi.org/10.1177/08944393211046339

42.

Martins

B. O.

Hemat

L. E.

Cochrane

Brumter

(2023). Landscape of security research: CSO mapping, strategies and best practices for citizen and societal engagement. Deliverable 2.1. TRANSCEND Project. (EU HEU, GA 101073913).

43.

Mason

Davidson

de Kretser

(2022). Inside Australia’s most invasive data hack. Australian Financial Review. https://www.afr.com/technology/inside-australia-s-most-invasive-data-hack-20221109-p5bwsk

44.

McAlister

Faulconbridge

Voce

Bricknell

(2023). Identity crime and misuse in Australia 2023. Statistical Bulletin, 42. https://www.aic.gov.au/sites/default/files/2023-07/sb42_identity_crime_and_misuse_in_australia_2023_v2.pdf

45.

Newman

Clarke

R. V.

(2003). Superhighway robbery: Preventing e-commerce crime. Willan Publishing.

46.

Ngo

F. T.

Paternoster

(2011). Cybercrime victimization: An examination of individual and situational level factors. International Journal of Cyber Criminology, 5(1), 773–793. https://digitalcommons.usf.edu/cjp_facpub_sm/17.

47.

Office of the Australian Information Commissioner (OAIC) . (2025). Notifiable data breaches report: July to December 2024. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2024

48.

Office of the Australian Information Commissioner (OAIC) . (2017). DonateBlood.com.au data breach (Australian red cross blood service). https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/donateblood.com.au-data-breach-australian-red-cross-blood-service

49.

Office of the Australian Information Commissioner (OAIC) . (2024). Notifiable data breaches report: July to December 2023. https://www.oaic.gov.au/__data/assets/pdf_file/0021/156531/Notifiable-data-breaches-report-July-to-December-2023.pdf

50.

Ong

(2023). Mandatory data breach notification: Its role in protecting personal data. Journal of International and Comparative Law, 10(1), 87–112. https://ssrn.com/abstract=4480675.

51.

Optus . (2022). Optus notifies customers of cyberattack compromising customer information. https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack

52.

Pratt

T. C.

Cullen

F. T.

Sellers

C. S.

Thomas Winfree

Madensen

T. D.

Daigle

L. E.

Gau

J. M.

(2010). The empirical status of social learning theory: A meta‐analysis. Justice Quarterly, 27(6), 765–802. https://doi.org/10.1080/07418820903379610

53.

Reyns

B. W.

(2015). A routine activity perspective on online victimization: Results from the Canadian general social survey. Journal of Financial Crime, 22(4), 396–411. https://doi.org/10.1108/jfc-06-2014-0030

54.

Riches

(2022). Optus faces a customer exodus, calls for compensation amid anger over leaked data. SBS News. https://www.sbs.com.au/news/article/optus-faces-a-customer-exodus-calls-for-compensation-amid-anger-over-leaked-data/mw79n7avs

55.

Roberds

Schreft

(2009). Data breaches and identity theft. Journal of Monetary Economics, 56(7), 918–929. https://doi.org/10.1016/j.jmoneco.2009.09.003

56.

Romanosky

Telang

Acquisti

(2011). Do data breach disclosure laws reduce identity theft? Journal of Policy Analysis and Management, 30(2), 256–286. https://doi.org/10.1002/pam.20567

57.

Scamwatch . (2022a). Medibank private data breach. https://www.scamwatch.gov.au/about-us/news-and-alerts/browse-news-and-alerts/medibank-private-data-breach

58.

Scamwatch . (2022b). Optus data breach. https://www.scamwatch.gov.au/about-us/news-and-alerts/browse-news-and-alerts/optus-data-breach-scams

59.

Smith

(2022). Inside the optus hack that woke up Australia. Australian Financial Review. https://www.afr.com/technology/inside-the-optus-hack-that-woke-up-australia-20221123-p5c0lm

60.

Smyth

(2013). Does Australia really need mandatory data breach notification laws – And if so, what kind? Journal of Law, Information and Science, 22(2), 159–182. https://ssrn.com/abstract=2476679.

61.

Spanca

Salihu

(2024). Unveiling the consequences of data breaches: Risks, impacts, and mitigation in the digital Age. In: 2024 international conference on electrical, communication and computer engineering (ICECCE) (pp. 1–8), 30-31 October, Kuala Lumpur, Malaysia. https://doi.org/10.1109/ICECCE63537.2024.10823432

62.

Statista . (2024). Education in Australia: Statistics and facts. https://www.statista.com/topics/5697/education-in-australia/#topicOverview

63.

Steinmetz

Cross

(2023). Social engineering. Oxford Research Encyclopedia of Criminology. https://oxfordre.com/criminology/view/10.1093/acrefore/9780190264079.001.0001/acrefore-9780190264079-e-803

64.

Strzelecki

Rizun

(2022). Consumers’ change in trust and security after a personal data breach in online shopping. Sustainability, 14(10), 5866. https://doi.org/10.3390/su14105866

65.

Taodang

Gundur

(2023). How frauds in times of crisis target people. Victims & Offenders, 18(5), 889–914. https://doi.org/10.1080/15564886.2022.2043968

66.

Thomas

Zand

Barrett

Ranieri

Invernizzi

Bursztein

(2017). Data breaches, phishing, or malware? Understanding the risks of stolen credentials. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security (pp. 1421–1434), Dallas, USA, 30 Oct – 03 Nov, 2017.

67.

UpGuard . (2022). The medibank data breach (complete timeline of events). https://www.upguard.com/breaches/medibank-data-leak

68.

Van ‘t Hoff-de Goede

M. S.

van de Weijer

Leukfeldt

(2024). Explaining cybercrime victimization using a longitudinal population-based survey experiment. Are personal characteristics, online routine activities, and actual self-protective online behavior related to future cybercrime victimization? Journal of Crime and Justice, 47(4), 472–491. https://doi.org/10.1080/0735648X.2023.2222719

69.

van Wilsem

(2011). Worlds tied together? Online and non-domestic routine activities and their impact on digital and traditional threat victimization. European Journal of Criminology, 8(2), 115–127. https://doi.org/10.1177/1477370810393156

70.

Verma

Crane

Gnawali

(2018). Phishing during and after disaster: Hurricane harvey. In: 2018 resilience week (RWS) (pp. 88–94), 20-23 August, Denver, CO, USA. https://doi.org/10.1109/RWEEK.2018.8473509

71.

Victoria Police . (2023). Victoria police submission commonwealth parliamentary joint committee on law enforcement inquiry into the capability of law enforcement to respond to cybercrime. https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Law_Enforcement/LECybercrime47/Submissions

72.

Yar

(2005). The novelty of “cybercrime”: An assessment in light of routine activity theory. European Journal of Criminology, 2(4), 407–427. https://doi.org/10.1177/147737080556056

Examining Phishing Attempts on Data Breach Victims

Abstract

Keywords

Introduction

Understanding Data Breaches

Optus and Medibank/AHM Data Breaches

Data Breaches and Phishing

Understanding Correlates of Phishing Stemming from Data Breaches

The Present Study

Methodology

Dependent Variables

Independent Variables

Results

Discussion and Conclusion

Footnotes

Acknowledgements

Ethical Approval

Funding

Declaration of Conflicting Interests

Data Availability Statement

Author Biographies

References