Action Items From The OAIC Data Breach Report: July – December 2024 Edition

Well, the Office of the Australian Information Commissioner (OAIC) finally dropped its biannual data breach report covering the July – December 2024 period – and it’s a doozy. The report lists 595 data breach notifications that the OAIC received in the second half of last year, making 2024 a record year for notifications. No wonder it took months longer than usual to get this report out: this edition was published on 13 May 2025, compared with 22 February 2024 for the previous year’s results. 

We’ve dug into the data to tease out key lessons for Australian organisations from the OAIC’s reporting. Read on to find the key information and insights from this recent report. 

The OAIC’s Key Findings From The Recent Data Breach Report

Our thoughts on each of the OAIC’s key findings follow the finding itself in the list below. 

  • Notifications increased by 19% between July and December 2024, up to 483 (plus 121 secondary data breach notifications). October 2024 saw the most breaches in that six-month period. 
  • Malicious or criminal attacks caused most (67%) of the data breaches, with human error behind 30% of all breaches. Many of the criminal attacks relied on compromised credentials, so enforcing multi-factor authentication would have blocked or at least blunted a large share of them. Human error data breaches also increased by 36% and system error breaches by 21% compared with the previous six months. 
  • Most breaches (65%) affected 100 or fewer people. In other words, most breaches are not the mammoth breaches we hear about in the news cycle. 
  • There was a “significant increase in data breaches caused by social engineering and impersonation, the manipulation of people into carrying out specific actions or divulging information”. 
  • Personal information being emailed to the wrong recipient(s) was the largest driver behind human error data breaches between July-December 2024. 

Our Takeaways From The OAIC’s July-December 2024 Data Breach Report

One thing we noticed about this data breach report is that it is not as engaging and actionable as past reports, especially when we consider how long it took to come out (almost three months longer than last year!). 

There was a noticeable absence of scenarios, explainers, and action items for organisations throughout the report, features which had become common in the reports published in 2023 and 2024. We query whether this is the result of the OAIC’s funding being slashed by 23% in 2025. With a smaller budget, it’s not so surprising that the reporting is less detailed and less timely. 

With that said, we’ve teased out some key takeaways and action items. Here’s our snapshot: 

  • There was a higher than usual number of breaches attributed to social engineering, but these types of attacks have been on the rise in past years. We previously provided some tips on how to avoid social engineering attempts.
  • Breaches resulting from ransomware had the highest average number of affected individuals.
  • Phishing was the most common driver of data breaches from criminal/malicious actors. In fact, it’s been a growing cause behind data breaches over the past 18 months. We covered what organisations can do to reduce the risk of falling victim to phishing attempts in a previous post. 

3 Key Action Items Based on the July-December 2024 Data Breach Report

Allocate Resources to the Relevant Threats

We find the OAIC’s data breach reporting can be a good starting point for organisations when it comes to allocating resources. It’s valuable input for a risk matrix when estimating the likelihood of particular threats, especially when you look at the sector-specific data. The report only breaks out figures for the top reporting sectors, so this works best if you operate in health services, Australian government, finance, legal/accounting/management services, or retail. 

We encourage you to look at the types of threats and the size of breaches within your sector and work out if you’re well-equipped to tackle those threats. If not, you should work with your privacy team to start building out your resilience. 

Focus on the Human Impact of Data Breaches

We’re finding that focusing on the human impact of data breaches is a powerful training tool. We suggest encouraging your team to ask themselves how they would feel if an organisation treated their own data with a lack of care; this helps build and maintain a stronger privacy culture. It can be particularly compelling for organisations that handle sensitive data. 

If you apply this to the data from the data breach report, you might encourage your team to consider how they would feel if a doctor’s office emailed a medical test result, or the details of an upcoming medical test, to the wrong person, and then point out the equivalent scenario within your organisation. This encourages team members to double-check both the contents of an email and the ‘to’ field before they hit send. (This example was inspired by health services providers having the highest incidence of data breaches caused by personal information being emailed to the wrong recipient in the July-December 2024 period.)

That said, you should also put technical measures in place to complement your team’s processes. Tools exist that are designed to minimise the risk of emailing personal information to the wrong person: external-recipient warnings, checks for mistyped or lookalike recipient domains, and data loss prevention rules that flag identifiers such as tax file numbers before a message leaves the organisation. 
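As an added illustration (not a tool from this post, from Privacy 108 or from the OAIC), the following Python sketches the kind of pre-send check such tools perform. It flags recipients outside a trusted domain list, recipient domains that are a one- or two-character edit away from a trusted domain (a likely typo), and message bodies containing digit strings that pass the Australian Tax File Number checksum (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; valid when the weighted sum is divisible by 11). The trusted domains, the sample drafts and the decision rule are assumptions made for the example.

```python
import re

# Assumed trusted domains for the example organisation (not from the post).
TRUSTED_DOMAINS = {"example.com.au", "partner-clinic.com.au"}

# Australian TFN checksum: 9 digits, weighted sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Matches 9 digits written as 123456782, 123 456 782 or 123-456-782.
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def tfn_is_valid(candidate: str) -> bool:
    """True if `candidate` contains exactly 9 digits that pass the TFN checksum."""
    digits = [int(c) for c in re.sub(r"\D", "", candidate)]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return the 9-digit strings in `text` that pass the TFN checksum.

    The checksum filters out most random digit runs (phone numbers, invoice
    numbers) that a plain 9-digit regex would flag.
    """
    hits = []
    for m in TFN_RE.finditer(text):
        digits = "".join(m.groups())
        if tfn_is_valid(digits):
            hits.append(digits)
    return hits


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot mistyped recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def check_draft(recipients, body):
    """Return (allow, findings) for an outgoing draft.

    Decision rule (an assumption for this example): block when any recipient
    domain looks like a typo of a trusted domain, or when a TFN would be sent
    to an external recipient. Merely external recipients are warned, not blocked.
    """
    findings = []
    external = []
    lookalike = []
    for addr in recipients:
        dom = domain_of(addr)
        if dom in TRUSTED_DOMAINS:
            continue
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(dom, trusted) <= 2:
                lookalike.append(addr)
                findings.append(f"lookalike domain: {addr} resembles {trusted}")
                break
        else:
            external.append(addr)
            findings.append(f"external recipient: {addr}")

    tfns = find_tfns(body)
    if tfns:
        findings.append(f"body contains {len(tfns)} valid TFN(s)")

    allow = not lookalike and not (tfns and external)
    return allow, findings


if __name__ == "__main__":
    # Constructed sample drafts, not real messages.
    for rcpts, body in [
        (["alice@example.com.au"], "Results attached."),
        (["bob@exanple.com.au"], "Please see your appointment details."),
        (["carol@gmail.com"], "Your TFN is 123 456 782."),
    ]:
        ok, notes = check_draft(rcpts, body)
        print("SEND" if ok else "BLOCK", rcpts, notes)
```

The checksum keeps false positives down without a lookup service, and the lookalike test catches the transposition or dropped-letter typos that account for a large share of misaddressed email; a real deployment would add confirmation prompts for external recipients and extend the identifier list to whatever data types your data map shows you actually hold.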

Conduct Privacy Impact Assessments Before Collecting Personal Information

The report shows that contact information, identity information, and financial details were the three most common types of personal information involved in breaches. A mature privacy program could use this information to prioritise the protection of these data types through stricter access controls, encryption, and (ideally) minimised collection where possible. 

In any event, regular data mapping should specifically focus on where sensitive or high-risk data is stored and processed, and highlight any potential areas of overcollection. With this information in hand, you’re better placed to allocate resources to protecting the data you choose to collect and store. 

A final note on access controls: rogue employees and other insider threats remain a risk for Australian organisations. So, your data maps should also identify caches of personal information that could be valuable to employees who do not have your organisation’s best interests at heart. Those caches should be subject to access controls too, even if the information isn’t particularly sensitive on its own (e.g. dates of birth or email addresses).

Keen to receive information like this in your inbox? Sign up to our newsletter. It’s always informative, and you can unsubscribe anytime.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.