Privacy Commissioner releases report on data breach notifications in 2025. No surprises. An all time high. And those are just the data breaches reported

July 13, 2026 |

The data breach notification scheme provides some insight into the breadth and depth of data breaches affecting Australian organisations and governmental bodies.  The reports under the scheme are a fraction of the data breaches suffered.  The legislation is complicated and allows sufficient self assessment. This reduces reporting.  There remains a culture of reluctance to publicise, even to a government agency and no one else, any data breach for as long as possible. Poor regulation and weak enforcement over many years has encouraged this approach.

In any event the figures released by the Privacy Commissioner reveal that there were 1,205 data breaches in 2025.  That is an 8% increase over 2024.  Cyber hacking is the main cause of data breaches.  No surprises that health providers are the most breached.  The opportunities to breach a health network are legion and the culture is at best uneven.

The media release provides:

Newly published statistics reveal that 2025 saw the highest number of data breach notification being reported to the Office of the Australian Information Commissioner (OAIC) since the mandatory data breach reporting scheme commenced in 2018. The OAIC received 1,205 data breach notifications in the 2025 calendar year, representing an 8% increase over 2024 (1,112 notifications).

Businesses and Commonwealth government agencies covered by the Privacy Act are required to report any data breach that is likely to result in serious harm to affected individuals under the notifiable data breach scheme.

Cyber hacking remains the primary cause of data breaches reported to the OAIC. Of the 1,205 data breaches notified in 2025, the majority were attributable to malicious or criminal activity (716 notifications), with health service providers the most commonly affected, and accounting for 19% of the total or 225 notifications.

Financial services (157 notifications), the Australian Government (118 notifications), business and professional associations (103 notifications), education (81 notifications) and legal, accounting and management services (81 notifications) followed, ranking as the top 5 sectors by volume for data breach notifications.

Acknowledging the growing number of entities reporting under the scheme, OAIC has published a new quick reference guide for entities with obligations under the Notifiable Data Breaches (NDB) scheme. This practical guide outlines the scheme’s requirements, helping to determine whether an assessment is required, whether to notify the OAIC and affected individuals, and how to do so. This tool is available both as an interactive webpage, and as a downloadable interactive checklist. “The threat posed to Australian businesses and organisations by data breaches is substantial and rising year on year, with 2025 recording the highest number of notifications received in a year since the commencement of the NDB scheme,” said Australian Privacy Commissioner Carly Kind.

“And now with this new guide, entities subject to the Privacy Act will have quick access to essential information needed to act effectively when faced with a potential data breach, when they may be under significant pressure. This will benefit both the entity, and the impacted community.”

The OAIC’s own public research demonstrates that data breaches remain a major privacy concern for the Australian public. The 2026 Australian Community Attitudes to Privacy Survey (ACAPS) identified data breaches as the top perceived privacy risk for Australians, with 82% of Australians concerned about the issue, up from 74% in 2023.

For the period July – December 2025

Regarding the the number of individuals affected:

Range Count
1 161
2 – 10 98
11 – 100 152
101 – 1,000 135
1,001 – 5,000 55
5,001 – 10,000 18
10,001 – 25,000 11
25,001 – 50,000 7
50,001 – 100,000 7
100,001 – 250,000 2
250,000 – 500,000 0
500,001 – 1,000,000 2
1,000,001 – 10,000,000 3
10,000,001 or more 1
Unknown 18
Grand Total 670

The Sources of the data breaches:

Source Count
Human error 194
Failure to use BCC when sending email 10
Insecure disposal 2
Loss of paperwork / data storage device 12
PI sent to wrong recipient (email) 66
PI sent to wrong recipient (mail) 12
PI sent to wrong recipient (other) 8
Unauthorised disclosure (failure to redact) 12
Unauthorised disclosure (unintended release or publication) 59
Unauthorised disclosure (verbal) 13
Malicious or criminal attack 405
Cyber incident 253
Rogue employee / insider threat 34
Social engineering / impersonation 88
Theft of paperwork or data storage device 30
System fault 35
Unintended access 8
Unintended release or publication 27
Unintended release or publication 27

Main sectors affected

Top sectors by source of breaches Count
Health service providers 128
Currently unknown 2
Human error 51
Malicious or criminal attack 64
Other 6
System fault 5
Finance (incl. superannuation) 83
Currently unknown 2
Human error 24
Malicious or criminal attack 52
Other 1
System fault 4
Business/Professional Associations 72
Human error 3
Malicious or criminal attack 64
Other 2
System fault 3
Australian Government 51
Currently unknown 1
Human error 16
Malicious or criminal attack 25
Other 1
System fault 8
Personal services (incl employment, child care, vets) 47
Currently unknown 2
Human error 22
Malicious or criminal attack 19
Other 3
System fault 1

 

 

Leave a Reply