Australians’ data and critical infrastructure is under threat from careless e-waste disposal, which could have “catastrophic” consequences for national security, an expert says.

Thousands of tonnes of old phones and other devices from Australian workplaces are disposed of every year, with some ending up shipped overseas, recycled or re-sold, consulting firm PwC said.

However, much of the e-waste is not properly “sanitised”, leaving behind plenty of information criminals could make a fortune from selling on the dark web.

Two devices – a tablet and mobile phone – were bought for less than $50 from a popular second-hand retailer in the ACT for the purpose of a PwC Australia report.

The tablet still had corporate stickers attached and contained a note with credentials to access a database holding up to 20 million sensitive personal records, the firm found.

More than 60 pieces of personally identifying information were also recovered from the phone using basic analysis.

The information included personal documents and photographs, with both devices potentially worth a significant sum on the black market, the firm said.

PwC pushed for the Security of Critical Infrastructure Act 2018 or its guidance to be amended to explicitly require organisations to securely dispose of e-waste.

Organisations also faced fines of at least $50 million for serious or repeated privacy breaches under new penalties introduced last year.

“The data stored on these devices and their components may contain sensitive information related to an organisation’s operations and intellectual property, as well as personally identifying information,” PwC cybersecurity and digital trust leader Rob Di Pietro said.

“If they end up in the hands of a malicious actor, the results could be catastrophic.”

There was an urgent need to ensure Australia’s critical infrastructure entities – including those in health care, transport, energy and defence – were required to securely dispose of e-waste, Mr Di Pietro said.

Global e-waste is expected to exceed 70 million tonnes by 2030.

Australia continues to be ransomware groups’ number one target in the Asia Pacific region, a report by the global cybersecurity firm Palo Alto Networks found.

Attacks on school systems by groups such as Vice Society showed cyber criminals were willing to stoop low for a pay day, the Palo Alto Networks report found.

Data theft was the most common extortion tactic deployed by ransomware groups and the median ransom payment was $US350,000 ($A521,000) in 2022 – lower than the median demand of $US650,000.

Cassandra Morgan
(Australian Associated Press)