Published 16 September 2024

New statistics from the Office of the Australian Information Commissioner (OAIC) show the number of data breaches notified to the regulator in the first half of 2024 was at its highest in three and a half years.

The OAIC was notified of 527 data breaches from January to June 2024, according to the latest Notifiable data breaches report released today. This is the highest number of notifications since July to December 2020 and an increase of nine per cent from the second half of 2023.

Australian Privacy Commissioner Carly Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” Commissioner Kind said.

“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”

The MediSecure data breach notified in the period affected approximately 12.9 million Australians – the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.

Similar to previous reports, malicious and criminal attacks were the main source of breaches (67%), with 57% of those being cyber security incidents.

Health and the Australian Government notified the most data breaches of all sectors (19% and 12% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.

Commissioner Kind said six years on from the launch of the scheme, the OAIC has high expectations of organisations.

“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” Commissioner Kind said.

“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”

The OAIC will continue to take a proportionate approach to enforcement and is also focused on providing guidance to help organisations comply with their obligations, reflected in changes to the latest report.

“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like.”

The report’s release comes in the wake of the Australian Government introducing the Privacy and Other Legislation Amendment Bill 2024.

The Bill would strengthen the OAIC’s enforcement toolkit, including through an enhanced civil penalty regime and infringement notice powers. It would also provide important clarification to the scope of existing security obligations by amending Australian Privacy Principle 11 to expressly require organisations to implement technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks.

The OAIC has welcomed these and other measures contained in the Bill as an important step in strengthening Australia’s privacy framework. However, further reform consistent with the Australian Government’s response to the Privacy Act Review is still required to improve security across the economy and enhance the Notifiable Data Breaches scheme.

“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” Commissioner Kind said.

Read the Notifiable data breaches report January to June 2024.

Notes

  • The OAIC publishes regular statistics to help organisations and the public understand privacy risks identified through the Notifiable Data Breaches scheme.
  • An eligible (notifiable) data breach occurs when:
    • Personal information has been lost or accessed or disclosed without authorisation.
    • This is likely to result in serious harm to one or more individuals.
    • The organisation has not been able to prevent the likely risk of serious harm with remedial action.
  • The Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach. Once the organisation forms a reasonable belief that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable.
  • Australian Privacy Principle 11 currently requires organisations to take reasonable steps to protect personal information held from misuse, interference and loss, as well as unauthorised access, modification or disclosure, and to destroy or de-identify the information when it is no longer required.
  • The OAIC has published guidance on securing personal information and data breach preparation and response, as well as advice for individuals on responding to a data breach notification.