Sony took seven days to inform its 77 million customers that its PlayStation Network had been hacked last year, exposing customer names, addresses, email addresses, birthdates, user names, passwords and more.
If you thought that was bad, then think again. Hacking performed in the 70s, 80s and early 90s on numerous US firms by one of the world's most infamous computer hackers, Kevin Mitnick, wasn't disclosed publicly by them - even though many knew of the breaches - until Mitnick wrote about the incidents in his tell-all book, Ghost in the Wires, published last year.
"The only reason that [companies in the US] come forward [now] is because the [US] laws now require it," Mitnick said in a telephone interview.
When Mr Mitnick was told that Australia had no such mandatory data breach notification laws, he was stunned.
"I'm surprised [...] but obviously there are lots of data breaches there.
"Anything that's connected to the internet [is vulnerable]. It's a globalised network."
The former hacker and fugitive turned security professional - who served five years in prison - charges between $US350 and $US400 an hour for breaking into companies' computer systems to find holes that need patching. He first gained access to the computer network of Digital Equipment Corporation when he was 16 in 1979 and got into most companies' networks using social engineering (tricking people into handing over the information he needed).
"Think about it: if you were running a multi-million dollar company and your database of customer information was stolen would you want to tell your clients? No. Most companies did not until the laws required them to. It's in the best interest of organisations - when they're attacked and information is stolen - to tell nobody."
His comments come as the federal government appears to have backed down from earlier comments made in May last year by the then Privacy Minister, Brendan O'Connor, who told Fairfax Media that legislation forcing companies to disclose data breaches "appears necessary". He expressed disappointment that Sony took "several days" to inform customers about its breach.
A spokesman for Nicola Roxon, the current Privacy Minister, said in a statement to Fairfax Media that Roxon was "aware of community concerns around mandatory data breach notification and is currently considering the options available".
"Roxon’s comments do seem to suggest that the government is now less committed to legislating on this issue, which if true would of course be of great concern to us," Jon Lawrence, spokesman for online users' lobby group Electronic Frontiers Australia, said.
Mitnick said many Australian companies would continue to tell no one about being hacked or exposing client information unless laws were introduced that made it compulsory to disclose breaches.
If such laws were not introduced it would continue to be up to individual companies as to how they handle losing customers' personal information, something he didn't believe was in the Australian public's best interest.
"I think most companies will handle [breaches] with whatever is more beneficial to them over the long run, which is usually ... their bottom line," he said.
Mitnick's views are supported by two security experts and Electronic Frontiers Australia, who all believe that without laws forcing companies to disclose breaches in Australia most will continue to go unreported.
Computer security research analyst James Turner, of IBRS, said "everyone else wants everyone else to be reporting" data breaches but not themselves. Australia's security industry needed data breach notification laws if only for the fact that it would set an expectation of what type of response would be required of a company that suffers a breach in Australia, Turner said.
Another expert, Paul Ducklin, of security firm Sophos, agreed that Australia needed mandatory data breach notification laws, saying that if there was one thing that would get cross-bench support in Parliament it would be such laws.
Ducklin suspected that if Australia had mandatory data breach disclosure laws "many more companies" would have to come forward to reveal breaches of customer information.
Jon Lawrence of EFA said that where personal data was breached it was imperative that the affected individuals be notified, to allow them to update passwords and take other measures to minimise the risk of credit card fraud, identity theft and other consequences of having their personal data in the wild.
He added that it had been some four years since the Australian Law Reform Commission proposed mandatory data breach notification laws, and said he was concerned at the government's "apparent lack of urgency on this issue, particularly as the occurrence of data breaches is becoming an almost daily phenomenon".
The comments come after a year in which dozens of large corporations leaked Australians' personal information, including, in some cases, credit card information.
In 2011 it is known that the University of Sydney, ANZ, Westfield, tech giants Sony and Dell, South Australian government-owned medical company Medvet, gaming behemoth Valve, now defunct web host and domain company Distribute.IT, First State Super, Computershare, Vodafone and Telstra had customers' personal information exposed.
Although there are reforms before Parliament in Canberra which would give the federal Privacy Commissioner new powers to seek civil penalties of up to $1.1m in the case of serious or repeated interferences with privacy, the NSW and federal privacy commissioners have argued that the laws could unintentionally weaken existing arrangements.
In a submission to a Senate committee on the proposed reforms, which don't address data breach notification laws, the NSW Privacy Commissioner said the proposed changes could "potentially weaken existing privacy protections afforded to the Australian public". The federal Privacy Commissioner said some areas of the proposed reform were "unclear".
In a statement, a spokesman for the Attorney-General, Nicola Roxon, said the legislation currently before parliament would "do exactly what it is described to do, enhance privacy protections".
This reporter is on Facebook: /bengrubb