The Australian National Audit Office (ANAO) released the results of an audit into the Australian Bureau of Statistics (ABS) cyber security readiness posture ahead of the 2026 census, and it has made several recommendations to secure the process itself and the data it collects.
The audit found that cyber security planning was given “insufficient consideration” and that the ABS would need to address “key remaining cyber security vulnerabilities by ensuring critical activities will be completed in time”.
The audit also found that while the ABS had been monitoring risks to the 2026 census, there were shortcomings regarding the “completeness and timeliness of risk reviews”.
The ANAO made four recommendations:
- That the ABS strengthen its risk management arrangements.
- That it makes provisions for the early establishment of cyber security advisory arrangements.
- That it prepares, approves, and reviews security architecture documentation in line with the Information Security Manual.
- And that it addresses risks stemming from the broader ABS ICT environment.
The ABS has agreed to all four recommendations.
“The ABS acknowledges the findings of the report and agrees to the four recommendations, noting that all will be implemented before the 2026 census,” the ABS said in its response.
“This audit has complemented an extensive assurance and testing program that has supported the 2026 census. The recommendations are consistent with the ABS’s commitment to best practice governance, risk management, and continuous improvement.”
Why is the 2026 census so sensitive?
On 11 August 2026, the 2026 census will ask Australians to share some of the most sensitive details it has ever collected.
“The 2026 census will collect more sensitive personal information than any previous census. For the first time, Australians aged 16 and over will be asked about their sexual orientation and gender identity, alongside expanded questions on health, ethnicity and cultural background,” Dean White, cyber security expert and CTO at Australian firm OneGUARD.
“That data profile transforms the census from a privacy consideration into a national security one – a complete, cross-referenced picture of the entire population that foreign intelligence services, hostile state actors and sophisticated cyber criminals would find extraordinarily valuable.”
To make matters worse, the ABS’s last census wasn’t exactly secure.
“Back then, a relatively unsophisticated denial-of-service attack took the census website down for 40 hours, causing significant reputational damage to the ABS,” White said.
“Today, the threat environment is considerably more serious: nation-states and criminals with advanced cyber capabilities know the date, know the platform, and have every incentive to disrupt, surveil, or exfiltrate. The digital service is being delivered by a third-party contractor and integrated with myGov for the first time – creating a supply chain and credential attack surface that extends well beyond the census website itself.”
And that’s not even taking into account the lead-up to the big night. According to White, Australians should expect a surge of phishing attempts impersonating the ABS and myGov in the weeks leading up to the 2026 census.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.