22 February 2024

The risk of outsourcing personal information handling to third parties is highlighted in the latest data breach statistics, released today by the Office of the Australian Information Commissioner (OAIC).

Australian Information Commissioner Angelene Falk said the OAIC continues to be notified of a high number of multi-party breaches, with most resulting from a breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Commissioner Falk.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations,” said Commissioner Falk.

The July to December 2023 period saw 483 data breaches reported to the OAIC, up 19% from the first half of the year. There were an additional 121 secondary notifications, a significant increase from 29 notifications in January to June 2023.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, and the majority of those (211 notifications) were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively.

Commissioner Falk said the Notifiable Data Breaches scheme is now well established and the OAIC expects organisations to comply with their obligations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Commissioner Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.

“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”

The Australian Government responded to the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) in the second half of 2023, agreeing in principle to proposals that would strengthen the Notifiable Data Breaches scheme, including changes to the reporting timeframes.

The release of the Notifiable data breaches report comes shortly before the commencement of Ms Carly Kind as Privacy Commissioner on 26 February.

“I look forward to welcoming Commissioner Kind to the OAIC at a time when privacy and the protection of personal information have never been more crucial for the Australian community,” Commissioner Falk said.

Read the Notifiable data breaches report July to December 2023.

Notes

  • The OAIC publishes regular statistics to help organisations and the public understand privacy risks identified through the Notifiable Data Breaches scheme.
  • An eligible (notifiable) data breach occurs when:
    • Personal information has been lost, or accessed or disclosed without authorisation.
    • This is likely to result in serious harm to one or more individuals.
    • The organisation has not been able to prevent the likely risk of serious harm with remedial action.
  • The Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach. Once the organisation forms a reasonable belief that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable.
  • Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same incident. Notifications relating to the same incident are counted as a single notification (referred to as the ‘primary notification’) in the OAIC’s reports to avoid information being duplicated, unless otherwise specified. The volume of secondary notifications may be indicative of the level of multi-party breach reporting. Secondary notifications may relate to a primary notification received in a prior reporting period.
  • The OAIC has published guidance on securing personal information and data breach preparation and response, as well as advice for individuals on responding to a data breach notification.