OAIC stats show record year for data breaches

Australian businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024 – the highest annual total since mandatory data breach notification requirements started in 2018.

New statistics for July to December 2024 show the Office of the Australian Information Commissioner (OAIC) was notified of 595 data breaches, ending the year with a total of 1,113 notifications. This is a 25% increase from 893 notifications in 2023.

Australian Privacy Commissioner Carly Kind said the record number of data breaches in 2024 highlights the significant threats facing Australians’ privacy that organisations and agencies need to effectively manage.

“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase.

“Businesses and government agencies need to step up privacy and security measures to keep pace.

“Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure.”

Malicious and criminal attacks have been the main source of breaches since the Notifiable Data Breaches scheme commenced, accounting for 69% of notifications in the second half of the year, with 61% of those being cyber security incidents.

In addition to the statistics report, the OAIC has published a blog post that draws attention to phishing and social engineering/impersonation as common attack methods that organisations and agencies need to be aware of and guard against.

Health service providers and the Australian Government again notified the most data breaches of all sectors (20% and 17% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.

The report shows the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.

“Individuals often don’t have a choice but to provide their personal information to access government services. This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.

“Time is of the essence with data breaches as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves,” Commissioner Kind said.

In the report period, Commissioner Kind accepted an enforceable undertaking from Oxfam Australia following a data breach experienced by the not-for-profit in January 2021.

The enforceable undertaking is an example of the range of powers available to the OAIC’s commissioners to address privacy risks, and reaffirms the need for all sectors to remain vigilant and follow responsible privacy practices.

Read the Notifiable data breaches report July to December 2024.