Australia Records Highest-Ever Data Breach Notifications as Cyber Threats Continue to Mount

Australia Records Highest-Ever Data Breach Notifications as Cyber Threats Continue to Mount

By
Key Takeaways
  • Record Number of Notifications: Australia received 1,205 data breach notifications in 2025, the highest annual total since the Notifiable Data Breaches scheme commenced in 2018 and an 8% increase over 2024.
  • Cyber Hacking Remains the Leading Cause: Malicious or criminal activity accounted for 716 reported breaches, reinforcing cyber attacks as the primary driver of reportable data breaches.
  • Healthcare Reports the Most Incidents: Health service providers accounted for 225 notifications (19% of the total), with financial services, the Australian Government, business and professional associations, education, and legal services also among the most affected sectors.
  • Regulator Issues New Practical Guidance: The OAIC released a new quick reference guide and interactive checklist to help organizations determine when a breach must be assessed and reported under the Notifiable Data Breaches scheme.
  • Privacy Concerns Continue to Rise: The OAIC's 2026 Australian Community Attitudes to Privacy Survey found that 82% of Australians are concerned about data breaches, up from 74% in 2023.
Deep Dive

There were 1,205 data breaches reported to the Australian privacy regulator in 2025. The new figures, released by the Office of the Australian Information Commissioner, show an 8% increase over the 1,112 notifications received in 2024. They do not necessarily mean organizations have become less secure; they do show that serious breaches remain a persistent feature of Australian business and government, and that reporting obligations under the Notifiable Data Breaches (NDB) scheme continue to generate a steady stream of disclosures whenever individuals are likely to face serious harm.

The pattern behind those disclosures has become almost familiar, though no less troubling for its familiarity. Cyber hacking remained the leading cause of reportable breaches in 2025. Of the 1,205 notifications submitted to the regulator, 716 were attributed to malicious or criminal activity, reinforcing that the greatest pressure on Australia's privacy regime continues to come from deliberate attacks rather than administrative mistakes or technical mishaps.

Where those attacks land is equally revealing. Health service providers once again accounted for the largest share of reported breaches, lodging 225 notifications, or 19% of the annual total. The sector has long occupied an uncomfortable position at the intersection of highly sensitive personal information and operational environments that are difficult to modernize, making it a recurring target for attackers and a recurring presence in the regulator's statistics.

Financial services followed with 157 notifications, ahead of the Australian Government with 118. Business and professional associations recorded 103 notifications, while the education sector and legal, accounting and management services each reported 81. Together they sketch a picture that extends well beyond any single industry. The obligation to report serious breaches may sit inside privacy legislation, but the exposure reaches across the economy.

Responding Under Pressure

The release of the annual statistics coincided with another acknowledgment from the regulator: more organizations are now finding themselves having to work through the mechanics of the reporting scheme, often while responding to an unfolding security incident.

To help meet that challenge, the OAIC has published a new quick reference guide for entities covered by the Privacy Act. Available as both an interactive webpage and a downloadable checklist, the guide is intended to simplify decisions that rarely feel simple in practice. It walks organizations through when a suspected incident requires assessment, when notification obligations are triggered, and how to notify both the regulator and affected individuals.

Australian Privacy Commissioner Carly Kind said the figures illustrate a threat that continues to intensify.

"The threat posed to Australian businesses and organisations by data breaches is substantial and rising year on year, with 2025 recording the highest number of notifications received in a year since the commencement of the NDB scheme," Kind said.

She said the new guide is designed to give organizations rapid access to the information they need when confronting a potential breach under significant operational pressure, helping both regulated entities and the communities affected by security incidents.

The regulator's own research suggests those communities are paying closer attention than ever. The 2026 Australian Community Attitudes to Privacy Survey found that data breaches are now the leading perceived privacy risk among Australians. Eighty-two percent of respondents said they were concerned about data breaches, up from 74% in the 2023 survey.

That increase in public concern matters because notification schemes ultimately exist for people, not statistics. Every annual report arrives with another record to note or another percentage to compare, but behind each notification is a moment when an organization concluded that the risk to individuals had become serious enough that silence was no longer an option. The latest figures suggest those moments are becoming more common, and that the burden of responding to them now extends well beyond cybersecurity teams to encompass governance, legal, compliance and executive leadership alike.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong