Australia sees surge in data breaches, highest in over three years

Report reveals most targeted sectors

By Roxanne Libatique

Australia has recorded its highest number of data breaches in over three years, according to the latest Notifiable Data Breaches report from the Office of the Australian Information Commissioner (OAIC).

The report covers the first half of 2024 and reveals a significant increase in reported breaches.

Data breaches in Australia

Between January and June 2024, 527 data breaches were reported to the OAIC. This is a 9% rise from the previous six months, making it the largest figure since the latter half of 2020.

Australian Privacy Commissioner Carly Kind highlighted the persistent risks to Australians’ personal data, stressing the implications for both private citizens and organisations.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” she said.

One of the largest breaches occurred during this period, involving medical data provider MediSecure. The incident affected approximately 12.9 million Australians, the most extensive breach since the Notifiable Data Breaches scheme came into force.

As in previous reports, malicious and criminal attacks were the primary cause of breaches, accounting for 67% of incidents, with 57% of those related to cyberattacks.

Health and government sectors led in the number of notifications, representing 19% and 12%, respectively.

OAIC expects higher level of accountability from organisations

Six years into the Notifiable Data Breaches scheme, the OAIC expects a higher level of accountability from businesses and government entities in securing personal information.

“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” Kind said, adding that the OAIC’s enforcement actions make clear that organisations must treat personal data security as a priority.

The OAIC indicated that while it will continue to take a measured approach to enforcement, it will also provide guidance to help organisations understand their obligations under the scheme.

Privacy and Other Legislation Amendment Bill 2024

The release of the report comes as the Australian government pushes forward with the Privacy and Other Legislation Amendment Bill 2024, which seeks to enhance the OAIC’s enforcement powers.

If passed, the bill would introduce stiffer penalties for non-compliance and clarify security obligations under Australian Privacy Principle 11. Organisations would be required to implement more robust security measures, including data encryption and staff training, to mitigate risks.

The OAIC has endorsed these reforms but also called for further action in line with the government’s Privacy Act Review to bolster the Notifiable Data Breaches scheme and improve protections across the economy.

Increase in cyberattacks across Australia

The OAIC’s report mirrors a broader rise in cyberattacks across the country.

Surfshark, a cybersecurity firm, reported that 1.8 million Australian user accounts were compromised in the first quarter of 2024, marking a 388% increase compared to the previous quarter. The findings showed Australia among the top 15 countries for data breaches globally, with approximately 140 million accounts compromised since 2004.

Additionally, the 2024 Phishing Report by security firm Zscaler ranked Australia as a leading source of phishing attacks, further highlighting the region’s vulnerability to cybercrime.

Regional cybersecurity trends

The rise in breaches reflects broader cybersecurity challenges faced across the Asia-Pacific region.

While 85% of cybersecurity executives in the Asia Pacific rated their defences as strong, 46% of companies had faced customer concerns over potential cybersecurity failures.

To address these concerns, 84% of companies in the region reported increasing their cybersecurity budgets, a figure that exceeds the global average of 76%.

However, many organisations are still struggling to quantify the effectiveness of their security programs, with a focus on breach numbers rather than operational metrics like response times or threat detection capabilities.
