An external software developer engaged by an Australian government agency accidentally made a collection of private documents available on the public internet earlier this year, according to the nation’s Privacy Commissioner, Carly Kind.
The commissioner revealed the data breach on Tuesday and confirmed the incident was reported to the Office of the Australian Information Commissioner (OAIC) in the period between January and June 2025.
The breach was classified as a Notifiable Data Breach due to its potential to cause serious harm to Australians.
A third-party software developer had been engaged to work on the federal government agency’s website, said Kind, who did not state which agency or which external provider was involved.
“The software developer ran a script on the website, without authorisation from the agency, which caused documents designated as ‘private’ to become publicly available online and on search engines,” Kind wrote in a blog post.
“This resulted in two separate occasions of unauthorised disclosure, where documents submitted via the agency’s website became publicly available online.”
The agency in question “immediately deleted all documents submitted via its website, removed the documents from public view on search engines, re-set the file types on its website back to private, and notified affected individuals” after becoming aware of the breach, Kind added.
The agency allegedly advised OAIC that it already had systems in place which informed third-party providers that no actions were to be taken without written permission from the agency.
It also allegedly told the regulator it would review its personal information processes for third-party providers in light of the data breach incident.
Outsourcing seen in ‘increasing number’ of data breaches
The outsourcing of work to third parties “has been a factor in an increasing number of Notifiable Data Breaches”, Kind said.
“It is important for organisations to consider the risks of outsourcing personal information handling at the earliest stage of procurement.”
The case involving a third-party software developer and a government agency served as “a reminder” that organisations were responsible for the actions of external providers when personal information handling was outsourced, Kind added.
“Organisations that implement strong supplier risk management frameworks, together with more robust security measures, can substantially minimise the impact of a data breach in the supply chain,” she said.

Privacy Commissioner Carly Kind says an increasing number of data breaches are linked to third-party outsourcing. Image: OAIC / Supplied
Australian organisations should work with suppliers who displayed “robust security controls and appropriate personal information handling measures”, Kind said.
The commissioner also recommended having oversight of third-party providers by carrying out cybersecurity assessments and audits, as well as checking their “compliance with relevant security standards, contractual requirements and legal obligations”.
Previous data breaches partly attributed to the outsourcing of work have included those at Qantas, whose third-party call centre allowed cybercriminals access to customer information, and at Brisbane telemarketer Pareto Phone, which was used by Australian charities and suffered a data breach in 2023.
Data breaches drop from record high
OAIC had been notified of 532 data breaches in the January to June 2025 reporting period, it announced on Tuesday.
This was a 10 per cent decrease on the previous six months, when the agency saw Notifiable Data Breaches hit a record high in the second half of 2024.
Kind suggested the slight drop could be due to an observed trend of fewer data breaches being reported in the second half of each calendar year.
Australian government agencies reported 13 per cent of breaches in the latest period, behind the finance sector (14 per cent) and the health sector (18 per cent).
The main source of data breaches reported between January and June was malicious or criminal attacks, which accounted for 59 per cent of reports.
Human error was blamed for 37 per cent of reported breaches in the period (a rise from 29 per cent in the previous period), while system faults accounted for only three per cent of incidents.
The average number of people affected by breaches caused by cybersecurity incidents was just over 10,000 in the latest reporting period, which Kind said served as “a reminder that cyber risk is increasingly prevalent and sophisticated”.
OAIC’s latest statistics arrived as it also launched a public Notifiable Data Breach statistics dashboard, which it said would be updated with its newest data every six months.
“Our goal for the new Notifiable Data Breaches dashboard is to help reporting entities learn from the experiences of others – those organisations and agencies who have had to notify us of a data breach,” Kind said.
“We hope the tool is used to improve their own responses and reporting if a data breach occurs.”
Know more about this data breach? Contact Senior Journalist Tom Williams via secure email.