Data breaches across Australian businesses and government agencies hit a new high of more than 1,100 in 2024, the most of any year since mandatory data breach notification requirements were introduced in 2018.
The latest statistics from the Office of the Australian Information Commissioner (OAIC) have revealed that the agency was notified of 595 data breaches in the six months to the end of December, boosting the full-year total to 1,113 notifications – up 25 per cent from a year earlier.
Australian Privacy Commissioner Carly Kind says the record number of data breaches in 2024 highlights the imperative for organisations to effectively manage the “significant threats” to privacy that Australians face.
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” says Kind.
“Businesses and government agencies need to step up privacy and security measures to keep pace. Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure.”
The main source of privacy breaches was malicious and criminal attacks, which accounted for 69 per cent of notifications received by the OAIC in the second half of the year, with 61 per cent of those being cyber security incidents.
The health sector reported the most data breaches, at 20 per cent of the total, followed by Australian Government agencies at 17 per cent.
“This reporting period saw a significant increase in data breaches caused by social engineering and impersonation, the manipulation of people into carrying out specific actions or divulging information,” says Annan Boag, the general manager of regulatory intelligence and strategy at OAIC.
“This was particularly significant within the Australian Government, which reported 60 notifications of this nature – a 46 per cent increase compared to the previous six months.”
The latest OAIC report shows the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.
“Individuals often don’t have a choice but to provide their personal information to access government services,” says Kind.
“This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.
“Time is of the essence with data breaches as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves.”
In the latest report period, Commissioner Kind says the OAIC accepted an enforceable undertaking from Oxfam Australia following a data breach experienced by the not-for-profit in January 2021.
She says the enforceable undertaking is an example of the range of powers available to the OAIC’s commissioners to address privacy risks, and “reaffirms the need for all sectors to remain vigilant and follow responsible privacy practices”.


