Shock ABC report using FOI shows some worrying statistics

Your clients may have been hacked for over a year - and still not realise it


By Matthew Sellers

Australia’s mining and manufacturing sectors are taking extraordinary lengths of time to discover cyber intrusions, with new figures revealing delays that in some cases stretch well past a year — and in one instance beyond 500 days — before a breach is even noticed.

Freedom of Information data compiled by industrial cybersecurity firm Secolve shows 187 data breaches recorded across the two sectors since 2018, affecting the personal information of as many as 3.6 million people. Although the dataset is de-identified, the scale and duration of undetected activity highlight a growing concern for insurers about silent exposures within industries that underpin the national economy.

The figures show one operator failed to identify an intrusion for 520 days, then waited another 84 days before reporting it to the Office of the Australian Information Commissioner. Even when breaches were detected promptly, many companies held back for months before notifying regulators. Several incidents took between 30 and 300 days to be disclosed, despite being discovered on the day they occurred.

Across all breaches, mining and manufacturing businesses took an average of 39 extra days to notify authorities after detection.

Professor Dali Kaafar of Macquarie University’s Cyber Security Hub told the ABC that the findings pointed to a fundamental gap in Australia’s breach-reporting framework. He said the data revealed a “critical weakness” in the regime and warned that delays compounded the fallout for victims and organisations alike. “The real takeaway here is how long it's taking some operators to detect and report breaches. That delay is not just procedural, but it increases the harm,” he said.

“The longer a breach goes undetected, the more time attackers have to harvest credentials, exfiltrate data or deploy ransomware,” Professor Kaafar said. “It also drives up recovery costs once the incident is discovered.”

He said the current obligation to report breaches “as soon as practicable” left too much room for interpretation. “Reporting 'as soon as practicable' is open to interpretation,” he said, adding that the data suggested some organisations may be weighing up whether incidents are serious enough to disclose at all. “Under-reporting is always possible,” he said.

Professor Kaafar said the volume of exposed financial information — which appeared in more than half of reported breaches — and tax file numbers, which comprised about 40 per cent, demonstrated the need for organisations to rethink data-retention practices. “Organisations should be reducing their sensitive data footprint,” he said. “They shouldn't be storing financial information or other personal data they don't actually need.”

Secolve’s analysis found that more than nine in ten breaches in the two sectors stemmed from malicious or criminal attacks, far above the national average. Ransomware accounted for more than a quarter of cases. Malware-related attacks took an average of 146 days to detect, compared with just 2.5 days for brute-force credential attacks.

Secolve said it was “quite confronting” to see how long intruders were able to operate inside networks undetected. It said attackers came from “all over — we see geopolitical groups, we see opportunistic hackers,” and described the mining sector as particularly attractive due to the revenue involved. There was a spike in attacks during the early stages of the Russia-Ukraine war, with hackers targeting miners as Australia became a more significant supplier of sanctioned resources.

The Minerals Council of Australia said its members responded “in a timely manner to all legal and regulatory requirements, including in relation to critical data breaches”.

Regulators have sought to increase transparency, with the OAIC launching a new dashboard tracking the five sectors most affected by data breaches. Mining and manufacturing are not included in that dashboard, though 23 per cent of all reportable breaches took more than 30 days to be disclosed.

The federal government is reviewing breach-reporting requirements as part of the 2023–2030 Australian Cyber Security Strategy, with industry groups calling for clearer thresholds and fixed timeframes.

Rising pressure as cyber risks escalate nationwide

The long detection times revealed in the FOI data come amid a marked escalation in cyber threats across Australia. In a separate development, an AI-enabled cyber espionage campaign disclosed by Anthropic last week underscored the speed at which attackers can now automate reconnaissance, credential harvesting and network intrusion.

The campaign, linked to a group identified as GTG-1002, demonstrated how AI systems could perform the vast majority of tactical actions with minimal human oversight. While China’s embassy rejected the characterisation of the incident, the case signalled a shift that insurers have been warning of: compressed attack timelines, increased volume and a broader threat footprint for clients across all industries.

Ransomware remains a primary concern for local businesses. Research from multiple cybersecurity firms has shown that Australian organisations continue to face high attack frequencies, heavier ransom demands and increasingly complex recovery processes. Across Australia and New Zealand, the vast majority of companies experienced at least one cyber incident in the past year, with many opting to pay ransoms despite limited guarantees of data restoration.

Defence supply-chain breaches add to systemic risks

Further pressure has emerged following a series of cyberattacks targeting companies connected to major defence programs. Cybercriminal groups have claimed access to project information, employee files and operational documentation. One ransomware gang said it maintained access to a contractor’s systems for five months, describing the intrusion as a “staycation in the defence supply chain.”

Cybersecurity specialists have warned that even non-classified files — such as correspondence, tenders and HR documents — can offer adversaries valuable insight into defence workflows and relationships. Such attacks highlight the growing importance of supply-chain security for insurers, with exposures increasingly extending beyond primary insured entities.

What it means for insurance brokers

For insurance intermediaries, the FOI revelations and the broader surge in cyber-related incidents send a clear message: the risk environment is becoming more opaque, harder to quantify and more interconnected.

Brokers may need to help clients reassess cyber posture, data-storage practices and incident-response plans, particularly in industries with ageing operational technology or long-running detection gaps. The need for rigorous vendor oversight, better governance around AI use and targeted cyber-resilience investment is also becoming more pressing, as attackers shift to faster, more automated methods.

The emerging picture is one of prolonged undetected access in critical sectors, concurrent with increasingly sophisticated national-security-linked campaigns. For insurers and brokers, the challenge will be staying ahead of both — and ensuring their clients do the same.
