Australian organisations are facing a hidden crisis of cloud vulnerabilities, according to the 2025 Cloud Security Risk Report released today by Tenable®, the Exposure Management company. The report uncovers alarming security gaps in cloud environments, from misconfigured storage exposing sensitive data to embedded secrets in workloads,  that could lead to data breaches, financial losses, and serious regulatory repercussions under Australia’s Privacy Act and Notifiable Data Breaches (NDB) scheme.

The research reveals a significant and widespread risk, finding that 9% of all analysed cloud storage resources contain restricted or confidential information. In environments housing vast volumes of data, this seemingly small percentage translates to millions of sensitive records potentially exposed. Even more alarming, nearly one in ten publicly accessible storage locations holds sensitive data, driven by common misconfigurations, weak access controls, and limited visibility, exposing organisations across industries to serious security and compliance threats.

The risks do not end there. Tenable’s findings show that 54% of organisations with AWS ECS task definitions have a secret embedded within them, exposing businesses to the threat of full cloud environment takeovers or exploitation activities like unauthorised crypto mining. Even within AWS EC2 instances, 3.5% contain credentials embedded in user data, giving attackers a clear pathway to escalate privileges and compromise environments.

“Secrets are the keys to the kingdom, yet many organisations are unknowingly leaving them unguarded across their cloud infrastructures,” said Ari Eitan, Director of Cloud Security Research at Tenable. “In today’s threat landscape, complacency is costly. Organisations must treat secrets with the highest level of security hygiene to prevent attackers from gaining footholds that can spiral into full-blown breaches.”

The risks are further compounded by tightening regulatory expectations in Australia, particularly for organisations managing sensitive or critical data in the cloud. The Security of Critical Infrastructure (SOCI) Act now requires essential service providers to implement rigorous risk management programs and report serious cyber incidents. At the same time, the Australian Signals Directorate’s updated Essential Eight maturity model urges businesses to adopt stronger baseline security controls, while the Office of the Australian Information Commissioner (OAIC) continues to enforce the Privacy Act and Notifiable Data Breaches (NDB) scheme. Non-compliance can result in significant financial penalties and lasting reputational harm.

“As Australian organisations adopt more cloud, a proactive, risk-driven security strategy aligned with Australian Cyber Security Centre’s Essential Eight and zero trust principles is urgently needed. The cloud offers agility, but without strong controls and continuous monitoring, it creates significant exposures. Understanding sensitive data, credentials, and access must be a board-level priority,” Eitan added.

The report reflects findings by the Tenable Cloud Research team based on telemetry from workloads across diverse public cloud and enterprise environments, analysed from October 2024 through March 2025. To download the report today, please visit here.