Out-Law News

OAIC data confirms cybersecurity threats in Australia are escalating


Cybersecurity threats in Australia are persistent and continue to result in data breaches, with a 15% increase in data breach notifications in the second half of 2024 compared with the first, according to data from the Office of the Australian Information Commissioner (OAIC).

Figures from OAIC’s most recent notifiable data breaches report, based on mandatory or eligible data breach notifications to the OAIC between 1 July and 31 December 2024, represent the highest number of notifications since the reporting scheme began in February 2018. Malicious cyber-attacks are still the primary cause of data breaches, representing 61% of breaches, with phishing and ransomware as primary methods.

Veronica Scott, an expert in cyber law at Pinsent Masons, said: “Unlike previous reports, although the OAIC has not offered new detailed guidance in this report, valuable insights can still be drawn from its findings, which also reinforce guidance from past OAIC reports.”

“Breach identification and response delays can lead to increased harm and the OAIC stresses that notification must happen as soon as any staff member becomes aware of a suspected data breach that is likely to result in serious harm, not when privacy or security teams take action,” she said.
“The report has indicated that the time taken to identify breaches and notify the OAIC in less than 10 days has decreased in the latter half of 2024 compared with the first half of the year.”

Notably, the figures show that social engineering and impersonation scams have surged, particularly in government agencies, which saw a 46% increase; this is consistent with the Australian Competition and Consumer Commission’s Scamwatch reporting. Human error continues to be a persistent cause of breaches, with 170 incidents representing 29% of breaches, a 10% increase from the earlier half of the year.
“While cyber threats are escalating, it is also possible more reporting is happening with better awareness,” Scott said.

“The notifiable breach scheme only applies to businesses with a turnover of more than A$3 million (approx. US$1,941,600) annually, meaning government and health are always highly represented sectors as they are all subject to the obligations, and not all breaches are reported in the data.”
Other causes of breaches included rogue employees, social impersonation and theft of paperwork or devices.

Susan Kantor, an expert in cyber law at Pinsent Masons, said: “Having a clear escalation process, supported by continued employee training, is essential. Organisations must ensure that all employees understand how to identify and respond to a suspected or actual breach, not just IT or legal teams.”

“Following a clear tried and tested response plan is critical: the OAIC recommends a four-step approach for efficient breach handling. These are to contain the breach immediately, assess the situation and potential impact, notify affected individuals and, if required, the OAIC, before finally reviewing and refining security measures to prevent future breaches,” she said.

“Beyond meeting regulatory obligations, businesses should focus on consumer protection and trust. Strengthening security protocols, requiring strong passwords, minimising the collection of personal information, investing in robust technologies, and clear communication with affected individuals will minimise harm and reinforce confidence in data management practices.”

The top five sectors notifying data breaches to the OAIC were: health service providers; Australian government; finance; legal, accounting and management services; and retail. In each sector, the leading cause was malicious or criminal attack.

Scott said: “As previously stated by Australian Privacy Commissioner Carly Kind, the OAIC expects organisations to comply with their obligations and take a privacy-centric approach, as it is no longer acceptable for privacy to be an afterthought. By taking proactive steps, organisations can reduce risks, improve breach response times, and safeguard both reputation and compliance in an evolving cybersecurity landscape.”
