Out-Law News

New dashboard offers insight into Australian data breaches
Information about notifiable data breaches (NDBs) reported to the regulator in Australia is being published in a new online dashboard, in what will be a useful resource for businesses subject to reporting requirements, legal experts have said.

The Office of the Australian Information Commissioner (OAIC) launched the interactive Notifiable Data Breach (NDB) statistics dashboard, with a mobile version in development, as a new way to publish its bi-annual NDB reports. The dashboard, which currently covers the latest reporting period from January to June 2025, aims to inform and educate the public, while providing organisations with an accessible tool to explore, analyse and benchmark data reported under the NDB scheme since it began in 2018.

Privacy Commissioner Carly Kind said: “Our goal for the new NDB dashboard is to help reporting entities learn from the experiences of others (and) improve their own responses and reporting if a data breach occurs.”

“The threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish,” she said.

“We want to arm entities with data to help them keep personal information secure and to ensure they have an appropriate action plan should a breach occur.”

Malicious or criminal attacks continue to be the leading cause of data breaches, accounting for 59% of all reports, or 308 notifications. Cyber security incidents remain the predominant source of these attacks, with an average of over 10,000 individuals affected per incident, which underscores the growing sophistication and prevalence of cyber threats.

Over 75% of breaches were notified within the 30-day period, which, while slightly lower than the last reporting period, represents 120 breaches.

Veronica Scott, an expert in data and privacy law at Pinsent Masons, said: “The dashboard shows that 532 data breaches were notified to the OAIC in the January to June 2025 reporting period: this is a 10% decrease from the previous six months, which saw a record number of notifications.”

“Despite the decline, the volume of breaches remains high. Historically, the OAIC has observed a trend of increased notifications in the second half of the calendar year,” she said.

“Even organisations with robust security frameworks are not immune to data breaches. The average cost of a data breach in 2024 was A$4.26 million, according to IBM, reinforcing the importance of proactive risk mitigation.”

Alongside the new dashboard, the OAIC published more information for organisations who have experienced a data breach in a blog post, as well as a case study to illustrate the risks of outsourcing to third-party service providers.

Susan Kantor, an expert in data and privacy law at Pinsent Masons, said: “The blog post makes clear the view of the OAIC that organisations remain accountable for the actions of their providers and are expected to implement strong supplier risk management frameworks and robust security controls to mitigate supply chain risks.”

“The blog outlines a range of practices organisations should undertake, which include: considering privacy and data security risks at the earliest stages of procurement; selecting suppliers with proven security credentials and sound personal information handling practices; having provisions on data retention, destruction and breach notification responsibilities in contracts, as well as clearly defining which party is responsible for breach assessments and notifications; and conducting regular cyber security assessments and audits of third-party providers against their legal and contractual obligations,” she said.

The OAIC has published further guidance to assist organisations to prepare for and respond to data breaches, including its guide to securing personal information, its data breach preparation and response guide, and guidance for entities handling CDR data on managing cyber incidents to comply with the CDR Privacy Safeguard. The guide to securing personal information is currently being updated to reflect new requirements in the Australian Privacy Principles.

Scott said: “The OAIC continues to adopt a risk-based regulatory approach, focusing on high-risk matters with the greatest potential for harm.” 

“In addition to the findings and takeaways from the latest NDB report, there have been other recent findings that set the expectations in Australia for organisations about their approach to data security governance and risk management, as well as responding to security incidents when they happen,” she said.

“These include the federal court’s recent findings in the first civil penalty of A$5.8 million imposed in proceedings brought by the OAIC against ACL and the OAIC’s determination following its investigation into Australian online wine wholesaler Vinomofo’s practices,” Kantor said.

“The OAIC directed Vinomofo to take a number of further steps which included meeting the minimum ‘Industry Standard’ which were the cybersecurity and information security standards and frameworks that existed at the time of the incident and applied to Vinomofo including the NIST Cybersecurity Framework, the ISO27000 series, the Essential Eight and the Australian Information Security Manual (ISM).”

Reflecting on these latest developments, Scott observed that: “The momentum of regulatory enforcement, guidance, and jurisprudence, alongside the hardening of industry and community standards, means that organisations cannot rely on checklists, cookie-cutter or reactive approaches to information security and privacy protection.” 

“They need the right investment and expertise to develop frameworks with real controls that they can stand by and demonstrate are reasonable and fit for purpose in their relevant circumstances,” she said.

“While this is not an easy task, it is an essential part of business and meeting customer expectations as well as avoiding adverse action and reputational damage.”
