Privacy Commissioner releases report on data breach notifications in 2025. No surprises. An all time high. And those are just the data breaches reported
July 13, 2026 |
The data breach notification scheme provides some insight into the breadth and depth of data breaches affecting Australian organisations and governmental bodies. The reports under the scheme are a fraction of the data breaches suffered. The legislation is complicated and allows sufficient self assessment. This reduces reporting. There remains a culture of reluctance to publicise, even to a government agency and no one else, any data breach for as long as possible. Poor regulation and weak enforcement over many years has encouraged this approach.
In any event the figures released by the Privacy Commissioner reveal that there were 1,205 data breaches in 2025. That is an 8% increase over 2024. Cyber hacking is the main cause of data breaches. No surprises that health providers are the most breached. The opportunities to breach a health network are legion and the culture is at best uneven.
The media release provides:
Newly published statistics reveal that 2025 saw the highest number of data breach notification being reported to the Office of the Australian Information Commissioner (OAIC) since the mandatory data breach reporting scheme commenced in 2018. The OAIC received 1,205 data breach notifications in the 2025 calendar year, representing an 8% increase over 2024 (1,112 notifications).
Businesses and Commonwealth government agencies covered by the Privacy Act are required to report any data breach that is likely to result in serious harm to affected individuals under the notifiable data breach scheme.
Cyber hacking remains the primary cause of data breaches reported to the OAIC. Of the 1,205 data breaches notified in 2025, the majority were attributable to malicious or criminal activity (716 notifications), with health service providers the most commonly affected, and accounting for 19% of the total or 225 notifications.
Financial services (157 notifications), the Australian Government (118 notifications), business and professional associations (103 notifications), education (81 notifications) and legal, accounting and management services (81 notifications) followed, ranking as the top 5 sectors by volume for data breach notifications.
Acknowledging the growing number of entities reporting under the scheme, OAIC has published a new quick reference guide for entities with obligations under the Notifiable Data Breaches (NDB) scheme. This practical guide outlines the scheme’s requirements, helping to determine whether an assessment is required, whether to notify the OAIC and affected individuals, and how to do so. This tool is available both as an interactive webpage, and as a downloadable interactive checklist. “The threat posed to Australian businesses and organisations by data breaches is substantial and rising year on year, with 2025 recording the highest number of notifications received in a year since the commencement of the NDB scheme,” said Australian Privacy Commissioner Carly Kind.
“And now with this new guide, entities subject to the Privacy Act will have quick access to essential information needed to act effectively when faced with a potential data breach, when they may be under significant pressure. This will benefit both the entity, and the impacted community.”
The OAIC’s own public research demonstrates that data breaches remain a major privacy concern for the Australian public. The 2026 Australian Community Attitudes to Privacy Survey (ACAPS) identified data breaches as the top perceived privacy risk for Australians, with 82% of Australians concerned about the issue, up from 74% in 2023.
For the period July – December 2025
Regarding the the number of individuals affected:
| Range | Count |
| 1 | 161 |
| 2 – 10 | 98 |
| 11 – 100 | 152 |
| 101 – 1,000 | 135 |
| 1,001 – 5,000 | 55 |
| 5,001 – 10,000 | 18 |
| 10,001 – 25,000 | 11 |
| 25,001 – 50,000 | 7 |
| 50,001 – 100,000 | 7 |
| 100,001 – 250,000 | 2 |
| 250,000 – 500,000 | 0 |
| 500,001 – 1,000,000 | 2 |
| 1,000,001 – 10,000,000 | 3 |
| 10,000,001 or more | 1 |
| Unknown | 18 |
| Grand Total | 670 |
The Sources of the data breaches:
| Source | Count |
| Human error | 194 |
| Failure to use BCC when sending email | 10 |
| Insecure disposal | 2 |
| Loss of paperwork / data storage device | 12 |
| PI sent to wrong recipient (email) | 66 |
| PI sent to wrong recipient (mail) | 12 |
| PI sent to wrong recipient (other) | 8 |
| Unauthorised disclosure (failure to redact) | 12 |
| Unauthorised disclosure (unintended release or publication) | 59 |
| Unauthorised disclosure (verbal) | 13 |
| Malicious or criminal attack | 405 |
| Cyber incident | 253 |
| Rogue employee / insider threat | 34 |
| Social engineering / impersonation | 88 |
| Theft of paperwork or data storage device | 30 |
| System fault | 35 |
| Unintended access | 8 |
| Unintended release or publication | 27 |
| Unintended release or publication | 27 |
Main sectors affected
| Top sectors by source of breaches | Count |
| Health service providers | 128 |
| Currently unknown | 2 |
| Human error | 51 |
| Malicious or criminal attack | 64 |
| Other | 6 |
| System fault | 5 |
| Finance (incl. superannuation) | 83 |
| Currently unknown | 2 |
| Human error | 24 |
| Malicious or criminal attack | 52 |
| Other | 1 |
| System fault | 4 |
| Business/Professional Associations | 72 |
| Human error | 3 |
| Malicious or criminal attack | 64 |
| Other | 2 |
| System fault | 3 |
| Australian Government | 51 |
| Currently unknown | 1 |
| Human error | 16 |
| Malicious or criminal attack | 25 |
| Other | 1 |
| System fault | 8 |
| Personal services (incl employment, child care, vets) | 47 |
| Currently unknown | 2 |
| Human error | 22 |
| Malicious or criminal attack | 19 |
| Other | 3 |
| System fault | 1 |