Carly Kind, Privacy Commissioner
Today we have launched our new Notifiable Data Breaches (NDB) statistics dashboard.
The dashboard is one of the ways the OAIC is strengthening our ability to harness and publish data, both to inform and educate, but also to ensure our regulatory decisions are targeted and evidence-based.
This new interactive tool allows the Australian community to access, analyse and benchmark data received under the NDB scheme since it commenced in 2018. The dashboard has been created to help reporting entities, the media and the public understand the volume of data breaches reported to the OAIC, the number of people affected, the causes of breaches and sectoral trends.
Now, at the touch of a button, organisations can learn from the experiences of others to improve their own responses, notifications and reports when a data breach involving personal information is likely to result in serious harm.
Data breach notifications January – June 2025
Our NDB statistics dashboard gives an insight into the volume of NDB notifications the OAIC receives. In the January–June 2025 reporting period, we received 532 data breach notifications, a 10% decrease compared with the previous 6 months, when the number of notifications reached a record level. Despite this decrease, notifications remain at a high level.
Since the start of the NDB scheme, the OAIC has observed a trend where more notifications are received in the second half of the calendar year.
Malicious or criminal attacks remained the largest source of data breaches (59%, 308 notifications). Cyber security incidents continue to be the predominant source of breaches of this kind. In the January–June 2025 reporting period the average number of individuals affected by a cyber incident was just over 10,000. This serves as a reminder that cyber risk is increasingly prevalent and sophisticated.
Even entities with the strongest defences may experience a data breach. Preventing data breaches is also in organisations' own interests: IBM calculated that in 2024 the average cost to business of a data breach was $4.26 million.
The health sector had the most reported data breaches (18% of reported data breaches) with the finance sector reporting the second greatest number (14%), followed by Australian Government agencies (13%).
This reporting period saw a significant increase in data breaches caused by human error, which accounted for 37% of all data breaches (193 notifications), up from 29% in the previous reporting period. This shows that the human factor continues to pose a notable threat to an organisation's personal information security, regardless of how secure its systems are.
Case study: outsourcing to third-party service providers
Data breaches involving third-party service providers continue to present challenges, as demonstrated by the following case study.
During this reporting period a government agency engaged a software developer to work on its website. The software developer ran a script on the website, without authorisation from the agency, which changed documents designated as 'private' so that they became publicly available online and discoverable through search engines.
This resulted in two separate occasions of unauthorised disclosure, where documents submitted via the agency’s website became publicly available online.
As soon as the agency became aware of the unauthorised disclosure, it immediately deleted all documents submitted via its website, removed the documents from public view on search engines, reset the file types on its website back to private, and notified affected individuals.
The agency advised it had measures in place when engaging the services of third-party providers that outlined that no actions were to be undertaken by providers without written permission from the agency. To prevent a similar incident occurring again, the agency advised that it intends to review its processes for the handling of personal information when engaging third-party service providers.
This case serves as a reminder that organisations remain responsible for the actions of third-party providers when outsourcing their personal information handling. Organisations that implement strong supplier risk management frameworks, together with more robust security measures, can substantially reduce the impact of a data breach in the supply chain.
It is important for organisations to consider the risks of outsourcing personal information handling at the earliest stage of procurement.
Our Guide to securing personal information and Data breach preparation and response guide outline a range of steps organisations can take, such as:
- engaging suppliers that have demonstrated robust security controls and appropriate personal information handling measures
- having contractual clauses on the retention or destruction of data
- ensuring contractual arrangements specify accountabilities in the event of data breaches that involve multiple parties, such as the responsible party for assessing harm, providing information, and notifying affected individuals about the data breach (the OAIC considers that, generally, the entity with the most direct relationship with individuals affected by the data breach should notify them of the breach)
- ensuring effective oversight of third-party providers, including regularly conducting cyber security assessments and audits of existing vendors to evaluate the effectiveness of controls and practices, and confirming compliance with relevant security standards, contractual requirements and legal obligations.
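One concrete form the oversight in the last point can take, and the verification an agency would want after the incident in the case study, is a routine check that documents designated 'private' are not served to an anonymous client and are not indexable. The script below is an added example, not code from the OAIC or from the agency in the case study. It assumes the organisation keeps an inventory recording each document's designated visibility, treats the X-Robots-Tag header as the indexability signal, and uses a placeholder hostname and paths; the sample inventory and responses are constructed so it runs offline, with one response reproducing the failure mode described above (a 'private' document flipped to public and indexable).

```python
"""Exposure check for website documents designated 'private'.

Added example, not code from the OAIC or the agency in the case study.
It assumes an inventory that records the visibility each document is
designated to have, and checks, as an anonymous client (the view a search
engine crawler gets), that no 'private' document is served or indexable.
The hostname and paths below are placeholders.
"""
from dataclasses import dataclass
from typing import Callable
import urllib.error
import urllib.request


@dataclass(frozen=True)
class Observation:
    status: int        # final HTTP status after redirects
    final_url: str     # URL actually served (differs after a redirect)
    headers: dict      # header names lower-cased


@dataclass(frozen=True)
class Finding:
    url: str
    severity: str      # "high" = private data reachable; "review" = needs a look
    problem: str


def fetch_anonymous(url: str, timeout: float = 10.0) -> Observation:
    """GET the URL with no cookies or credentials, as a crawler would."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return Observation(resp.status, resp.geturl(), hdrs)
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return Observation(err.code, url, hdrs)


def audit_exposure(inventory: dict[str, str],
                   fetch: Callable[[str], Observation] = fetch_anonymous) -> list[Finding]:
    """Compare each document's designated visibility with what an anonymous client sees."""
    findings: list[Finding] = []
    for url, designation in inventory.items():
        obs = fetch(url)
        robots = obs.headers.get("x-robots-tag", "").lower()
        if designation == "private":
            if obs.status == 200 and obs.final_url == url:
                # Served in place with no credentials: this is the case-study failure mode.
                findings.append(Finding(url, "high", "private document served to anonymous client"))
                if "noindex" not in robots:
                    findings.append(Finding(url, "high", "no X-Robots-Tag: noindex, so search engines may index it"))
            elif obs.status == 200:
                # Redirected elsewhere (often a login page): not an exposure, but confirm by hand.
                findings.append(Finding(url, "review", f"redirected to {obs.final_url}"))
            elif obs.status not in (401, 403, 404):
                findings.append(Finding(url, "review", f"unexpected HTTP {obs.status}"))
        elif designation == "public":
            if obs.status != 200:
                findings.append(Finding(url, "review", f"public document not reachable (HTTP {obs.status})"))
        else:
            findings.append(Finding(url, "review", f"unknown designation {designation!r}"))
    return findings


# Constructed sample data: an inventory and the responses an anonymous client
# would see, standing in for a live site so the check runs offline.
SAMPLE_INVENTORY = {
    "https://agency.example/submissions/form-001.pdf": "private",
    "https://agency.example/submissions/form-002.pdf": "private",
    "https://agency.example/submissions/form-003.pdf": "private",
    "https://agency.example/public/annual-report.pdf": "public",
}

SAMPLE_RESPONSES = {
    # correctly locked down
    "https://agency.example/submissions/form-001.pdf":
        Observation(403, "https://agency.example/submissions/form-001.pdf", {}),
    # flipped to public and indexable, as in the case study
    "https://agency.example/submissions/form-002.pdf":
        Observation(200, "https://agency.example/submissions/form-002.pdf", {"content-type": "application/pdf"}),
    # redirected to a login page: worth confirming, not an exposure
    "https://agency.example/submissions/form-003.pdf":
        Observation(200, "https://agency.example/login", {"content-type": "text/html"}),
    "https://agency.example/public/annual-report.pdf":
        Observation(200, "https://agency.example/public/annual-report.pdf", {"content-type": "application/pdf"}),
}


def constructed_fetch(url: str) -> Observation:
    """Offline stand-in for fetch_anonymous that returns the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_INVENTORY, constructed_fetch):
        print(f"[{f.severity}] {f.url}: {f.problem}")
```

Run against a live site by passing the real inventory and leaving the default `fetch_anonymous` in place; the check deliberately sends no session cookies, because the question is what a crawler or member of the public can retrieve, not what an authenticated staff member can. A 200 at a different final URL is reported for review rather than as an exposure, since a redirect to a login page is the expected behaviour for a protected document, but a redirect to a public mirror of the file would look the same.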
Our strategic approach to compliance
We take a risk-based approach to regulation and direct our resources to address high-risk matters with the greatest potential for harm to individuals and the community.
The NDB scheme is now a mature model, and we expect entities to comply with their obligations and have strong practices in place to protect personal information.
Promoting safer practices by consumers, business and government agencies
The OAIC will continue promoting safer digital practices that protect Australians' privacy, including by promoting effective use of Australia's Digital ID system and of the Consumer Data Right, the consumer data portability scheme through which consumers share their data.
In addition to the Guide to securing personal information and the Data breach preparation and response guide referred to above, other guidance available to assist entities in relation to notifiable data breaches includes our Guidance for entities handling CDR data on preparing for and responding to cyber incidents involving CDR data.
For more information on the Digital ID system, including how businesses can become a relying party, refer to the guide on Using Digital ID for your business or organisation and the OAIC’s guidance on making ID verification more secure and privacy protective.