
Australian data breaches hit record high in 2024
More than 1,100 data breaches were reported in Australia last year, a 25% jump from 2023, prompting calls for stronger security measures across businesses and government agencies
Australian businesses and government agencies reported more than 1,100 data breaches to the Office of the Australian Information Commissioner (OAIC) in 2024 – the highest annual total since mandatory data breach notification requirements began in 2018.
From July to December 2024, the OAIC was notified of 595 data breaches, ending the year with a total of 1,113 notifications. This is a 25% increase from 893 notifications in 2023.
Australian privacy commissioner Carly Kind noted that the record number of data breaches in 2024 underscores the significant threats to Australians’ privacy that organisations need to effectively manage: “The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase.
“Businesses and government agencies need to step up privacy and security measures to keep pace. Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure,” she said.
Malicious and criminal attacks have been the main source of breaches, accounting for 69% of notifications in the second half of the year, with 61% of those being cyber security incidents. Health service providers and the Australian government again notified the most data breaches of all sectors (20% and 17% of all breaches, respectively), indicating that both private and public sectors are vulnerable.
However, the public sector still lags behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.
“Individuals often don’t have a choice but to provide their personal information to access government services,” Kind said. “This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.
“Time is of the essence with data breaches as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves,” she added.
In May 2024, electronic prescription provider MediSecure suffered a large-scale ransomware attack, compromising sensitive medical and personal information of about 12.9 million Australians.
Earlier this year, taxi service 13cabs reported a potential cyber attack after discovering unauthorised network activity. Additionally, the Australian Human Rights Commission became aware in April 2025 of a data breach involving the unauthorised disclosure of attachments uploaded via its website’s complaint webform.
Other entities reporting breaches in 2024 and early 2025 include Western Sydney University, where around 10,000 student records were impacted. These incidents follow major breaches in previous years at companies such as Optus and Medibank, which affected millions of customers.
During the reporting period, Kind accepted an enforceable undertaking from Oxfam Australia following a data breach experienced by the not-for-profit organisation in January 2021.
The enforceable undertaking is an example of the range of powers available to the OAIC’s commissioners to address privacy risks and reaffirms the need for all sectors to remain vigilant and follow responsible privacy practices.
The OAIC has published a blog post that draws attention to phishing and social engineering or impersonation as common attack methods that organisations and agencies need to be aware of and exercise vigilance against.