Australia recorded 47 million data breaches in 2024, making it the 11th most affected country globally, according to cybersecurity firm Surfshark.
The report found that, on average, one Australian account was compromised every second last year.
Worldwide, 5.6 billion accounts were exposed in 2024, with China leading in breach volume, accounting for 17% of all incidents. Russia and the US followed, ranking second and third, while France and Germany completed the top five.
Surfshark’s analysis indicated a significant rise in cyber incidents, with breaches increasing nearly eightfold from 731.1 million in 2023 to a whopping 5.6 billion in 2024. The frequency of breaches accelerated, with 176 accounts compromised per second in 2024, compared to 23 per second the previous year.
Emilija Kucinskaite, senior researcher at Surfshark, said the data breach landscape significantly shifted last year, with the number of compromised accounts increasing nearly eightfold compared to the previous year.
“This surge underscores the critical importance of effective cybersecurity practices. In an era where cyber threats are constantly evolving, taking proactive steps to protect your personal information is crucial. Individuals should use complex passwords, enable two-factor authentication, and stay informed about potential threats,” she said.
Australia's ranking dropped from seventh in 2023 despite a significant increase in breaches from 4.1 million to 47 million in 2024. The rate of data breaches rose twelvefold, with nearly one Australian account compromised every second.
By comparison, New Zealand saw 4.1 million breaches in 2024 – 12 times fewer than Australia. Australia also recorded a higher breach density, with 1,785 compromised accounts per 1,000 residents, compared to 779 per 1,000 in New Zealand.
Historical data from Surfshark showed that since 2004, Australia has had 192.5 million breached accounts, the highest in Oceania. Over 49 million unique Australian email addresses were exposed, with 106.9 million passwords leaked alongside other sensitive details. According to Surfshark, 56% of breached users faced a risk of identity theft, account takeovers, or financial fraud.
“On a global scale, 285 accounts are breached per 100 people on average,” Kucinskaite said. “However, in Australia, this number goes up to 732 per 100 people. Statistically speaking, an average Australian has been affected by data breaches around 7 times.”
Since 2004, a total of 554.5 million personal records from Australia have been exposed. On average, each compromised email was linked to three additional data points, such as passwords, phone numbers, or addresses.
Several large-scale data leaks contributed to the rise in breaches.
In February 2024, a data exposure at DemandScience, a business-to-business (B2B) demand generation company, affected over 120 million individuals. The breach included full names, contact details, job titles, and social media links. About 1.2 million Australian accounts were among those compromised.
In another incident in September 2024, a dataset containing over 3 billion unique email addresses appeared on a cybercrime forum. The data set compiled previously breached emails while removing duplicates. Analysts identified 790 million Russian accounts in the leak, followed by 310 million from the US, 160 million from China, and 110 million from Germany. The individual behind the leak claimed the data was already publicly available.
The increase in data breaches has drawn attention to cybersecurity regulations and data privacy challenges in Australia and New Zealand.
According to a recent survey, 70% of Australians feel they have little control over how companies handle their personal data. Additionally, two-thirds of organisations reported that their boards have a limited understanding of data governance issues.
High-profile cyber incidents have raised concerns about vulnerabilities in corporate data security, with experts recommending stronger security frameworks to reduce reputational risks for businesses. Some cybersecurity professionals advocate for “secure-by-design” principles, where privacy protections are embedded during system development rather than added later.
