Australia witnessed a surge of data breaches in 2024, with over 1,100 incidents reported to the Office of the Australian Information Commissioner (OAIC). The figures, released in the OAIC's Notifiable Data Breaches Report: July to December 2024, show a 25% increase in data breach notifications compared to 2023.
According to the OAIC, a total of 1,113 data breaches were reported in 2024 — the highest since the Notifiable Data Breaches (NDB) scheme came into effect in 2018. Of these, 595 breaches occurred in the second half of the year alone, up from 518 in the first half.
The findings underscore growing concerns over privacy and data security, particularly in sectors handling sensitive information. Health service providers topped the list, accounting for 22% of all breach notifications. The finance sector followed at 10%. The Australian Government was responsible for 17% of all reported incidents, reinforcing that both public and private entities face intense cybersecurity challenges year after year.
OAIC Reports a Rising Tide of Malicious Attacks
The OAIC’s report identifies malicious or criminal attacks as the dominant cause of data breaches, making up 69% of all notifications in the latter half of 2024. Of these, cybersecurity incidents such as phishing, stolen credentials, and ransomware accounted for a major portion, while other attack methods continued to evolve.
Phishing remains the most common method used by cybercriminals to compromise systems, followed by the use of compromised or stolen credentials. These tactics are often the entry point for more damaging attacks like ransomware, which can lead to widespread exposure of personal data.
In an accompanying blog post, the OAIC warned organizations and government bodies to remain especially vigilant about social engineering and impersonation techniques.
Timeliness in Breach Detection and Notification
One encouraging trend from the OAIC’s analysis is that 66% of breaches were detected within 30 days of occurrence, suggesting improving responsiveness among affected organizations. However, the public sector continues to lag behind the private sector in terms of timely detection and notification, despite some noted improvements.
“Time is of the essence with data breaches,” said Australian Privacy Commissioner Carly Kind. “The risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves.”
Commissioner Kind highlighted the importance of secure data handling across all sectors, especially for government agencies, stating, “Individuals often don’t have a choice but to provide their personal information to access government services. This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.”
Major Data Points from OAIC’s Notifiable Data Breaches Report
OAIC’s Notifiable Data Breaches Report: July to December 2024 shares some interesting data points for data breaches in 2024. These include:
- A total of 1,113 data breaches were reported in 2024, the highest annual number since the NDB scheme began.
- 595 data breaches were reported in the second half of 2024, up from 518 in the first half.
- 69% of breaches in the second half of 2024 were caused by malicious or criminal attacks.
- 66% of malicious breaches were classified as cyber security incidents.
- The most common causes of cyber incidents were phishing (30%), compromised or stolen credentials (27%), and ransomware (24%).
- Human error accounted for 30% of all data breaches.
- Health service providers reported the most breaches by sector (22%), followed by the finance sector (10%) and the Australian Government (17%).
- 62% of breaches affected fewer than 100 individuals.
- 40 breaches affected more than 5,000 individuals, with 5 incidents impacting over 1 million people.
- 66% of breaches were identified within 30 days of occurring.
- 78% of Australian Government breaches were notified more than 30 days after being identified, showing delays in public sector reporting.
- The OAIC accepted an enforceable undertaking from Oxfam Australia over a data breach dating back to January 2021.
Calls for Stronger Privacy Across
Commissioner Kind further stressed the implications of the 2024 statistics, saying the record number of data breaches “highlights the significant threats facing Australians’ privacy that organizations and agencies need to effectively manage.”
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” she said. “Businesses and government agencies need to step up privacy and security measures to keep pace.”
Australians place a high level of trust in entities that collect and store their personal information, and the expectation is that this data is treated with the utmost care. As data breaches become more frequent and complex, the Australian Information Commissioner urges all organizations to remain alert and adhere to strict data protection standards.
Conclusion
The OAIC’s acceptance of an enforceable undertaking from Oxfam Australia highlights its ongoing role in enforcing privacy laws and ensuring accountability following serious data breaches. Under the Privacy Act and the Notifiable Data Breaches (NDB) scheme, organizations are required to assess potential breaches within 30 days and notify affected individuals and the OAIC if the breach is likely to result in serious harm.
A breach becomes notifiable when personal information is accessed, disclosed, or lost without authorization and cannot be mitigated through remedial action. The OAIC continues to stress the importance of timely notifications, strong data protection practices, and compliance with Australian Privacy Principle 11, which requires organizations to protect and properly dispose of personal information.



