Annan Boag
General Manager, Regulatory Intelligence and Strategy
Today we have released statistics about data breaches reported to the OAIC to the end of 2024.
2024 marked the highest number of notifications in a year since the Notifiable Data Breaches scheme commenced in 2018. This reflects the continuing information security challenges faced by Australian organisations, but also the growing maturity of their data breach detection and reporting practices.
Our latest data breach statistics show we received 595 data breach notifications between July and December 2024, an increase of 15% compared to the previous 6 months.
Malicious or criminal attacks remained the largest source of data breaches (69%, 404 notifications), with cyber security incidents accounting for the majority of breaches of this kind. This reporting period, phishing was the leading cause of notified cyber incidents.
As in the last reporting period, the health sector had the most reported data breaches (20% of reported data breaches), with Australian Government agencies reporting the second most (17% of reported data breaches).
This reporting period saw a significant increase in data breaches caused by social engineering and impersonation, the manipulation of people into carrying out specific actions or divulging information. This was particularly significant within the Australian Government, which reported 60 notifications of this nature – a 46% increase compared to the previous 6 months. The Australian Government also reported the largest proportion of notifications that took more than 30 days to identify (74% of reported notifications) or more than 30 days to report to the OAIC (66% of notifications). While this reflects an improvement compared to the last 6 months, there is still an opportunity for agencies to report more quickly to match the response times of private sector organisations.
Entities should be mindful that the clock starts ticking on their duty to notify as soon as they become aware of the incident underlying a notifiable data breach. The obligation to consider whether a breach is reportable does not commence when the breach is referred to the organisation’s privacy or security team; it begins as soon as anyone in the organisation becomes aware of it. It is therefore important for all staff to know what steps they should take if they become aware of an actual or suspected data breach. We outline the 4 key steps to respond to data breaches in our data breach preparation and response guidance.
How the OAIC responds to reported breaches
Cyber risk is increasingly sophisticated and even entities with the strongest defences may experience a data breach.
The OAIC does not take regulatory action in response to every data breach. Instead, we direct our efforts to where we can have the greatest impact and to where there is the largest risk of harm to the community. There is more detail in our statement of regulatory approach.
One example of regulatory action in response to a data breach report is our recent acceptance of an enforceable undertaking offered by Oxfam Australia. This reaffirms the OAIC’s expectation that entities prioritise keeping personal information secure, and that they report data breaches to the OAIC and affected individuals.
How we will report data breach statistics in the future
The OAIC recently developed the freedom of information (FOI) statistics dashboard to present information about the operation of the FOI system. We are exploring ways that we can make other data, including data breach statistics, more accessible. We intend to develop a data breach statistics dashboard to allow better access to data and insights from the Notifiable Data Breaches scheme.