Australia’s 2026 Census is expected to face cybersecurity threats as more people complete the form online. Image: Shutterstock
The Australian Bureau of Statistics (ABS) must strengthen its cybersecurity preparedness ahead of the 2026 Census in August, an audit of the government agency’s ICT environment has found.
The review of ABS cybersecurity, published on Wednesday by the Australian National Audit Office (ANAO), found vulnerabilities remained ahead of the Census – which is expected to see around 85 per cent of Australian residents share their household and demographic details online on Tuesday, 11 August.
Delays in identifying cybersecurity vulnerabilities had been caused by “insufficient consideration to holistic planning” by ABS, the audit found.
“While the ABS responded quickly and continued to address these vulnerabilities during the audit, this response has required deployment of significant cybersecurity experts for an extended period beyond that originally anticipated,” the ANAO said.
“To be ready for the 2026 Census, the ABS must address key remaining cybersecurity vulnerabilities by ensuring critical activities will be completed in time.”
While the audit found ABS is monitoring cybersecurity risks and testing its systems using threat modelling, it suggested the agency had left “shortcomings” in the completeness and timeliness of its risk reviews.
ABS agrees to audit recommendations
ANAO shared four recommendations with ABS, including improving its risk management, reviewing its security documentation, and “addressing risks stemming from the broader ABS ICT environment”.
ABS said it agreed to all four recommendations and told ANAO “all will be implemented before the 2026 Census”.
In a statement, ABS said two of the recommendations had already been implemented in full.
“We have a range of processes and protections that make sure information in Census forms stays confidential,” the agency said.
“We continuously reassess cyber threats and risks, prioritise controls for critical systems, actively adjust as vulnerabilities emerge, and integrate planning across our IT systems.
“… Our digital infrastructure is accredited, securely hosted in Australia, and aligned with recognised cybersecurity and information assurance standards.”
The budget for the 2026 Census is $726 million, up from around $565 million spent on the 2021 Census.
A conversational AI chatbot named Claire will be used for the first time in 2026, after 2021’s chatbot only answered predefined questions.
As AI chatbots can hallucinate and sometimes share false information, Claire can “be turned off quickly if adverse outcomes are detected”, according to the ANAO audit.
While the 2026 Census can be filled out on paper, around 85 per cent of forms are expected to be completed online. Image: ABS / Supplied
Digital Census faces digital threats
The Census takes place every five years and has been digital-first since 2016.
As the nation’s largest data collection exercise, it is consistently targeted by cyber threat actors and scammers, and its cybersecurity was seen as “a key risk” by ANAO.
The online Census form was closed for around 40 hours in 2016, after several distributed denial of service (DDoS) attacks targeted the site.
The incident led to a Senate inquiry and the government reached a confidential settlement with tech giant IBM, which had been contracted to deliver the online Census platform.
After around 1 billion cyberattacks were allegedly repelled during the 2021 Census, Australia’s Auditor-General urged ABS to strengthen its cybersecurity posture.
An ABS spokesperson told Information Age that Australians should complete the Census “through official ABS channels to avoid scams or false information”.
“The ABS will never ask you to provide or confirm your bank details or tax file number for the Census,” they said.
“We’ll never offer or provide prizes or incentives for people to complete their Census form.
“If you get any suspicious communication, don’t click on any links or provide information over the phone.”
ABS said the 2026 Census will be supported by experts from Australia’s cyber intelligence agency the Australian Signals Directorate (ASD), as well as the Australian Cyber Security Centre (ACSC).
“We’ll keep engaging with our trusted partners in government and the private sector to maintain data quality, privacy, security and availability of the IT systems underpinning the Census,” ABS said.
