Businesses and government agencies have reported a staggering 1,113 data breaches to the Australian Information Commissioner (OAIC) throughout 2024, marking the highest annual total since the introduction of mandatory data breach notification requirements in 2018.
According to the latest statistics for the second half of 2024, the OAIC was notified of 595 data breaches, contributing to a 25% increase from the 893 notifications recorded in 2023. Australian Privacy Commissioner Carly Kind stated that this record number of breaches highlights the increasing threats to Australians’ privacy that organisations and agencies must learn to manage effectively.
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” Kind noted. She stressed the need for businesses and government agencies to enhance their privacy and security measures in order to keep pace with these threats. “Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure,” she added.
The report indicates that malicious and criminal attacks have constituted the primary source of data breaches, with such incidents accounting for 69% of notifications in the second half of the year. Of these, 61% were classified as cyber security incidents. The OAIC has also pointed to phishing and social engineering/impersonation as prevalent attack methods, urging organisations and agencies to remain vigilant against these tactics.
In terms of sector vulnerability, health service providers and the Australian Government were the most notable offenders, reporting 20% and 17% of all breaches, respectively. Despite some improvements, the public sector has been found to lag behind the private sector in terms of the time taken to identify and notify data breaches.
“Individuals often don’t have a choice but to provide their personal information to access government services. This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur,” Kind remarked. She emphasised that “time is of the essence with data breaches as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves.”
In the latter part of the year, the OAIC accepted an enforceable undertaking from Oxfam Australia following a data breach that occurred in January 2021. This action underscores the authority’s range of powers to address privacy risks and reinforces the necessity for all sectors to adhere to responsible privacy practices.
For more detailed statistics, the OAIC has published its Notifiable Data Breaches Report for July to December 2024.