Cyber threat tipped to rise as data breaches reach new heights

Data breaches reported by businesses and government agencies climbed to a record number last year, driven by criminal attacks.

The Office of the Australian Information Commissioner figures reveal a 15% rise in the second half of 2024 compared with the first, and privacy commissioner Carly Kind has warned the “risks to Australians are only likely to increase”.

“Businesses and government agencies need to step up privacy and security measures to keep pace,” she said.

“Time is of the essence with data breaches, as the risk of serious harm often increases as days pass. Timely notification ensures people are informed and can take steps to protect themselves.”

Businesses and government agencies reported 1113 data breaches last year, up by a quarter on 2023 to the highest number since notification became mandatory.

There were 595 reported breaches in July-December.

Malicious and criminal attacks have been the main problem area since the notifiable data breaches scheme started in 2018. They accounted for 69% of reports – 404 cases – in the second half of last year. Of those, 61% were cybersecurity incidents.

Human error accounted for 29% of reports, with the leading issue being personal information sent to the wrong recipient via email.

OAIC GM of regulatory intelligence and strategy Annan Boag says there was a significant rise in data breaches caused by social engineering and impersonation, manipulating people into carrying out specific actions or divulging information.

The government made 60 such notifications in the second half – a 46% increase compared with the previous six months.

Health service providers again reported the most data breaches, with 121 in the second half. The government reported 100, finance 54, legal, accounting and management services 36, and retail 34. Almost two-thirds of breaches affected 100 people or fewer.

Among all data breaches, 42% resulted from cybersecurity incidents.

Phishing and compromised credentials made up 34% of these, ransomware 24%, compromised or stolen credentials 21%, hacking 9%, “brute-force attack” via compromised credentials 7%, and malware 5%.

Mr Boag says the obligation to consider whether a breach is reportable begins “as soon as anyone in the organisation becomes aware of it”, and all staff should know what to do if they identify an actual or suspected data breach.