OAIC reports record high data breach notifications in 2024

A new report from the Office of the Australian Information Commissioner (OAIC) reveals the government agency received over 1,100 data breach notifications from businesses and government agencies in 2024, marking the highest annual total since the introduction of mandatory data breach notification requirements in 2018.
The OAIC was notified of 595 data breaches from July to December 2024, bringing the total for the year to 1,113 notifications. This represents a 25% increase from the 893 notifications recorded in 2023.
Australian Privacy Commissioner Carly Kind said the record number of data breaches in 2024 highlights the significant threats facing Australians’ privacy that organisations and agencies need to effectively manage.
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” she said. “Businesses and government agencies need to step up privacy and security measures to keep pace… Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure.”
Malicious and criminal attacks were identified as the primary source of these breaches, accounting for 69% of notifications in the latter half of 2024. Of these, 61% were attributed to cyber security incidents. Health service providers and the Australian Government were the most affected sectors, reporting 20% and 17% of all breaches, respectively.
Despite some improvements, the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches.
“Individuals often don’t have a choice but to provide their personal information to access government services. This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur,” said Kind.
“Time is of the essence with data breaches as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves.”
The OAIC has published a blog post identifying phishing and social engineering/impersonation as common attack methods. The agency continues to provide guidance on securing personal information and data breach preparation and response, alongside advice for individuals on responding to a data breach notification.
The OAIC has taken action in response to breaches, including accepting an enforceable undertaking from Oxfam Australia following a data breach in January 2021.