Call to step up security as data breaches soar

Businesses and government agencies reported 1113 data breaches last year, up by a quarter on 2023 to the highest number since notification became mandatory.

There were 595 reported breaches in July-December, up 15% on the first half of the year, according to the Office of the Australian Information Commissioner.

“The risks to Australians are only likely to increase,” privacy commissioner Carly Kind said today. “Businesses and government agencies need to step up privacy and security measures to keep pace.

“Time is of the essence with data breaches, as the risk of serious harm often increases as days pass.

“Timely notification ensures people are informed and can take steps to protect themselves.”

Ms Kind says people “often don’t have a choice” about providing personal information to access services. Such data must be kept secure, with an action plan in place should a breach occur.

Malicious and criminal attacks have been the main problem area since the notifiable data breaches scheme started in 2018. They accounted for 69% of reports – 404 cases – in the second half of the year. Of those, 61% were cybersecurity incidents.

Human error accounted for 29% of reports, with the leading issue being personal information sent to the wrong recipient via email.

OAIC GM of regulatory intelligence and strategy Annan Boag says there was a significant rise in data breaches caused by social engineering and impersonation, manipulating people into carrying out specific actions or divulging information.

The government made 60 such notifications in the second half – a 46% increase compared with the previous six months.

Health service providers again reported the most data breaches, with 121 in the second half. The government reported 100, finance 54, legal, accounting and management services 36, and retail 34. Almost two-thirds of breaches affected 100 people or fewer.

Among all data breaches, 42% resulted from cybersecurity incidents.

Phishing and compromised credentials made up 34% of these, ransomware 24%, compromised or stolen credentials 21%, hacking 9%, “brute-force attack” via compromised credentials 7%, and malware 5%.

Mr Boag says the obligation to consider whether a breach is reportable begins “as soon as anyone in the organisation becomes aware of it”, and all staff should know what to do if they identify an actual or suspected data breach.

The OAIC says it has plans to develop a data breach statistics dashboard.