Fewer data breaches in Australia, but human error now a bigger threat

Australian privacy commissioner warns that the human factor is a growing threat as notifications caused by staff mistakes rose significantly even as total breaches declined 10% from a record high

The number of data breaches in Australia fell in the first half of 2025, but a significant rise in the number of incidents caused by human error is a growing concern for the nation’s privacy watchdog.

The Office of the Australian Information Commissioner (OAIC) released statistics showing 532 notifiable breaches were reported between January and June under the Notifiable Data Breaches (NDB) scheme, down 10% from a record high in the previous six-month period.

Malicious or criminal attacks were still the primary cause of data breaches, accounting for 59% of all incidents. The health sector continued to be the most affected industry, making up 18% of notifications, followed by finance (14%) and government agencies (13%).

However, the OAIC highlighted a worrying trend in breaches caused by staff mistakes, which increased to 37% of all incidents, up from 29% in the previous reporting period. Australian privacy commissioner Carly Kind said this shows that the human factor continues to pose a notable threat to the strength of an organisation’s personal information security, regardless of how secure its systems are.

The latest NDB data was unveiled together with a new public dashboard, an interactive tool designed to help businesses and the public track the sources and frequency of data compromises. It provides a more dynamic view of the information previously contained in the OAIC’s NDB reports and will be updated every six months.

“Our goal for the new NDB dashboard is to help reporting entities learn from the experiences of others – those organisations and agencies who have had to notify us of a data breach,” Kind said. “We hope the tool is used to improve their own responses and reporting if a data breach occurs. As a regulatory body, we want to be proactive in guiding organisations, using education and data-informed decision-making to protect Australians’ personal information.”

Separately, the OAIC detailed a case study that serves as a caution for businesses that outsource data handling. In the incident, a government agency engaged a software developer who ran an unauthorised script, causing private documents to become publicly accessible online and in search engines.

The agency had to take immediate action to remove the exposed data and notify affected individuals. Kind said the case was a reminder that organisations are ultimately responsible for the actions of their third-party providers and must implement strong supplier risk management.

Australia’s Privacy Act requires an organisation to conduct a data breach assessment within 30 days if there are grounds to suspect that it has experienced a data breach. Once the organisation believes there has been a data breach, it must notify affected individuals and the OAIC as soon as practicable.

Organisations in the financial services industry are subject to stricter requirements under the Australian Prudential Regulation Authority’s CPS 230 standard, which requires them to report risk incidents, which may include data breaches, within 72 hours.

Shannon Murphy, global security and risk strategist at Trend Micro, told Computer Weekly recently that the race to meet notification deadlines for security incidents is leading to staff burnout and other risks arising from attempts to restore services as quickly as possible.
