Australia’s latest data breach tally exceeded 1,100 incidents reported to the national privacy watchdog last year, the highest annual total since mandatory breach notifications were introduced in 2018.
In statistics released Tuesday, the Office of the Australian Information Commissioner (OAIC) said it received 595 data breach notifications in the second half of 2024, bringing the year to a total of 1,113 notifications and marking a 25 per cent increase from 2023.
After observing the hike in reported breaches, privacy commissioner Carly Kind said the threat of data breaches is “unlikely to diminish” and the risks to Australians are “only likely to increase”.
“Businesses and government agencies need to step up privacy and security measures to keep pace,” said Kind.
“Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure.”
The OAIC observed malicious and criminal attacks comprised 69 per cent of breaches from July to December 2024.
Nearly 15 per cent of these attacks involved ransomware, 20 per cent saw credentials compromised or stolen in phishing attacks, and over 28 per cent were conducted through social engineering and impersonation.
Outside of deliberate criminal attacks, nearly a third of data breaches were the result of human error such as email ‘bcc:’ blunders, unintended publication of data and failure to redact sensitive information.
The watchdog emphasised 2024 had the highest number of reported data breaches since 2018, when the Notifiable Data Breaches (NDB) scheme was first launched to enforce notification requirements around data breaches.
Health and government report most breaches
The health sector had the most reported data breaches at 20 per cent, while Australian government agencies followed closely at 17 per cent.
James Patto, partner at privacy, data, cyber and AI advisors Helios Salinger, told Information Age the sectors likely reported the most breaches on account of being “high-value targets with complex systems and broad attack surfaces”, while also being likely to be “more attuned” to reporting compliance.
He added health providers hold “extremely sensitive, high-value” data such as Medicare numbers and health conditions – while the sector’s IT systems are often “fragmented and outdated with poor integration and patchy security”.
“Healthcare can’t afford downtime, which makes it a potentially lucrative and vulnerable ransomware target,” he said.
Patto noted many of the same factors that make the health sector vulnerable also apply to government, and public cybersecurity maturity “varies significantly” between agencies at federal, state and local levels.
“Government workforces are vast and dispersed, often spanning multiple departments, regions, and external contractor networks,” said Patto.
“Systems are typically large, complex, and built over decades, with legacy technology deeply embedded in critical operations.
“Geopolitical motivations add another layer of risk, with government networks frequently targeted by state-sponsored and ideologically motivated threat actors.”
The OAIC meanwhile found the top five types of personal information compromised were contact information, identity information, financial details, health information, and tax file numbers.
Government entities manipulated
While the OAIC found most health service provider attacks stemmed from cyber incidents such as ransomware, phishing, hacking or otherwise compromised credentials, government attacks were overwhelmingly driven by social engineering.
“This reporting period saw a significant increase in data breaches caused by social engineering and impersonation, the manipulation of people into carrying out specific actions or divulging information,” said Annan Boag, general manager, regulatory intelligence and strategy for the OAIC.
“This was particularly significant within the Australian Government, which reported 60 notifications of this nature – a 46 per cent increase compared to the previous six months.”
Patto acknowledged that the disproportionate number of social engineering reports indicated a need for increased awareness training in government.
“The nature of cyber risk is constantly evolving, and the rise of AI has shifted the landscape yet again, particularly in the phishing and social engineering space,” said Patto.
“For government, and all organisations, training should be engaging, meaningful, and tailored to real-world risks and the individual’s role, not just an annual e-learning module.”
The OAIC found public sector organisations also continued to “lag behind” the private sector in how long it took to identify and notify data breaches.
The Australian Government took more than 30 days to identify 74 per cent of its reported breaches, and in 66 per cent of cases, over 30 days to notify the OAIC after identification.
“Time is of the essence with data breaches as the risk of serious harm often increases as days pass,” said Kind.
Patto meanwhile said he was “surprised” by the lack of regulatory insight or commentary accompanying the OAIC’s latest report.
While Patto acknowledged the privacy watchdog is “tasked with an extraordinarily complex job” and was “underfunded” given its massive remit, he emphasised the need for a “more assertive shift toward an enforcement culture”.