Data breaches in January – June 2025: five hundred and thirty-two notifications
November 24, 2025 |
The Privacy Commissioner has published the data breach notifications received in the first half of 2025 under the Notifiable Data Breaches scheme. The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).
The details are:
- Number of notifications: 532
- 33% of data breaches were caused by cyber security incidents, of which:
  - 28% were due to phishing
  - 21% were due to compromised or stolen credentials
  - 21% were due to ransomware
  - 17% were due to hacking
  - 6% were due to brute force attacks
  - 4% were due to malware
- 3 data breaches affected between 100,000 and 250,000 people, the same number as in the July – December 2024 period. 3 data breaches affected between 250,000 and 500,000 people, again the same number as in the July – December 2024 period.
- Contact information was the most common kind of information affected by data breaches (456). Identity information was affected in 303 data breaches, financial details in 194 and health information in 161.
- 56% of data breaches were reported within 10 days of discovery. 27% of data breaches were reported more than 30 days after the data breach was discovered.
- 308 of the data breaches were caused by malicious or criminal attacks and 193 by human error.
For practitioners it is important to note that an eligible (notifiable) data breach occurs when:
- Personal information has been lost, or accessed or disclosed without authorisation.
- This is likely to result in serious harm to one or more individuals.
- The organisation has not been able to prevent the likely risk of serious harm with remedial action.
Under the Privacy Act an organisation must take reasonable steps to complete a data breach assessment within 30 days of becoming aware that there are grounds to suspect it may have experienced an eligible data breach. Once the organisation forms a reasonable belief that there has been an eligible data breach, it must notify the affected individuals and the OAIC as soon as practicable.
The most relevant principle is Australian Privacy Principle 11, which requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as from unauthorised access, modification or disclosure, and to destroy or de-identify the information when it is no longer required.