
Well, the Office of the Australian Information Commissioner (OAIC) finally dropped its half-yearly data breach report covering the July – December 2024 period – and it’s a doozy. The report lists 595 data breach notifications that the OAIC received in the second half of last year, making 2024 a record year for notifications. No wonder it took months longer than usual to get this report out: this edition was published on 13 May 2025, compared with 22 February 2024 for the previous year’s results.
We’ve dug into the data to tease out key lessons for Australian organisations from the OAIC’s reporting. Read on to find the key information and insights from this recent report.
We’ve included our thoughts about the OAIC’s key findings in italics.
One thing we noticed in this data breach report is that it is not as engaging and actionable as past reports, especially when we consider the amount of time it took to come out (three months longer than last year!).
There was a noticeable absence of scenarios, explainers, and action items for organisations throughout the report, features which had become common in the reports published in 2023 and 2024. We query whether this is the result of the OAIC’s funding being slashed by 23% in 2025. With a smaller budget, it’s not so surprising that the reporting is less detailed and less timely.
With that said, we’ve teased out some key takeaways and action items. Here’s our snapshot:
We find the OAIC’s data breach reporting can be a good starting point for organisations when it comes to allocating resources. It’s valuable information for a risk matrix when it comes to determining the likelihood of certain threats, especially when you look at the specific data for your sector – assuming you operate in health services, Australian government, finance, legal/accounting/management services, or retail.
We encourage you to look at the types of threats and the size of breaches within your sector and work out if you’re well-equipped to tackle those threats. If not, you should work with your privacy team to start building out your resilience.
We’re finding that focusing on the human impact of data breaches is a powerful training tool. We suggest encouraging your team to ask themselves how they would feel if an organisation treated their data with a lack of care to help build and maintain a culture of increased privacy. This can be particularly compelling for organisations that handle sensitive data.
If you apply this to the data from the data breach report, you might encourage your team to consider how they would feel if a doctor’s office emailed a notification about a medical test result, or an upcoming appointment for a medical test, to the wrong person, and then point out the equivalent scenario within your organisation. This can help to encourage your team to double check both the information contained in the email and the ‘to’ field before they hit send. (This example was inspired by health services providers having the highest number of breaches caused by personal information being emailed to the wrong recipient in the July – December 2024 period.)
That said, you should also consider technical measures to complement your team’s processes. Tools exist that are designed to minimise the risk of emailing personal information to the wrong person: warnings when a recipient is outside your organisation or at a domain that closely resembles one you normally correspond with, a short send delay that allows a message to be recalled, and data loss prevention rules that flag outbound messages containing identifiers such as Medicare numbers or dates of birth. Training reduces the likelihood of a slip; these controls catch the slips that still happen.
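As an added illustration of the kind of pre-send check described above (this is example code written for this post, not code from the OAIC or from any vendor product), the script below flags three situations before a message leaves: an external domain that nearly matches a trusted one (a one-character slip such as ‘.co.au’ for ‘.com.au’), several unrelated external organisations on one message, and sensitive content heading to any external address. The domains, the identifier patterns and the sample messages are all constructed for the example.

```python
"""Pre-send recipient check: an added example, not code from the post
or from any mail product. Domains and sample messages are constructed."""
import re
from difflib import SequenceMatcher

# Hypothetical sending organisation and the partners it routinely emails.
INTERNAL_DOMAIN = "example-clinic.com.au"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "example-pathology.com.au"}

# Loose patterns for two data types the report singles out as commonly
# breached: an identity number (Medicare-style, 10 digits) and a date of
# birth. A real deployment would tune these to its own data holdings.
SENSITIVE_PATTERNS = {
    "medicare_number": re.compile(r"\b\d{4}\s?\d{5}\s?\d\b"),
    "date_of_birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.strip().rsplit("@", 1)[-1].lower()


def lookalike_of(domain, trusted):
    """Return the trusted domain this one nearly matches, else None.

    A near miss is more dangerous than a random typo: mail to a domain
    that does not exist bounces, mail to a lookalike reaches a stranger.
    """
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.9:
            return t
    return None


def check_message(recipients, body, trusted=TRUSTED_DOMAINS):
    """Return a list of (code, detail) warnings to show the sender before
    the message is sent. An empty list means nothing was flagged."""
    warnings = []
    external = sorted({domain_of(r) for r in recipients} - trusted)
    found = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]

    for d in external:
        t = lookalike_of(d, trusted)
        if t:
            warnings.append(("lookalike_domain", f"{d} looks like {t}"))
    if len(external) > 1:
        # Several external organisations on one message is a classic
        # sign of a bulk send that should have been BCC or separate mail.
        warnings.append(("multiple_external", ", ".join(external)))
    if external and found:
        warnings.append(("sensitive_to_external", ", ".join(found)))
    return warnings


if __name__ == "__main__":
    # Constructed messages, not real correspondence.
    samples = [
        (["reception@example-clinic.com.au"],
         "Results for Medicare 2123 45670 1, DOB 12/03/1980"),
        (["dr.lee@example-pathology.co.au"],
         "Referral attached, DOB 12/03/1980"),
        (["j.smith@gmail.com", "k.jones@outlook.com"],
         "Appointment confirmed for Tuesday"),
    ]
    for to, body in samples:
        print(to, "->", check_message(to, body) or "no warnings")
```

The check is deliberately advisory: it returns warnings for the client to display rather than blocking the send, because a hard block on every external recipient is quickly disabled or worked around. The similarity threshold and the identifier patterns are the parts to tune against your own address book and data map.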
The report shows that contact information, identity information, and financial details were the three most common types of personal information involved in breaches. A mature privacy program could use this information to prioritise the protection of these data types through stricter access controls, encryption, and (ideally) minimised collection where possible.
In any event, regular data mapping should specifically identify where sensitive or high-risk data is stored and processed, and highlight any potential areas of overcollection. With this information in hand, you’re better placed to allocate resources to protecting the data you choose to collect and store.
A final note on access controls: rogue employees and other insider threats remain a threat to Australian organisations. So, your data maps should also identify caches of personal information that could be valuable to employees who do not have your organisation’s best interests at heart. Those caches should also be subject to access controls, even if the information isn’t particularly sensitive (e.g. dates of birth or email addresses).