Report identifies malicious and criminal attacks as primary source of breaches
Private organisations and government agencies notified the Office of the Australian Information Commissioner (OAIC) and the public about 1,113 data breaches last year, the highest annual total since the mandatory data breach notification scheme commenced in 2018.
The OAIC’s latest notifiable data breaches report covers the second half of last year. In a media release, the OAIC emphasised that the 2024 total also marks a 25 percent increase from 893 notifications in 2023.
According to the OAIC’s statistics from July to December 2024:
“Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure,” said Carly Kind, Australian privacy commissioner, in the media release.
In its media release, the OAIC said the statistics show that the private and public sectors alike are at risk. The OAIC noted that the public sector has become faster at identifying and reporting data breaches, but continues to lag behind the private sector in this area.
“Individuals often don’t have a choice but to provide their personal information to access government services,” Kind said in the media release. “This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.”
Kind added that the data demonstrates how important it is for businesses and government entities to deal with privacy threats properly, including by improving and updating their privacy security measures.
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” Kind said in the media release.
Kind stressed that promptly notifying the OAIC and the public about data breaches is critical, as the risk of serious harm often increases with time. Kind added that timely notification keeps Australians informed about what is happening and gives them an opportunity to try to safeguard themselves.
The OAIC’s media release noted that the Privacy Act 1988 requires organisations to make reasonable efforts to assess potential data breaches within 30 days of learning there is a reason to suspect an eligible data breach. The legislation compels organisations to notify the regulator and any impacted people as soon as practicable once there is a reasonable belief of an eligible data breach.