The OAIC’s January to June 2025 Data Breach Report & New Dashboard

The Office of the Australian Information Commissioner (OAIC) released its Data Breach Report for January to June 2025 much later than ‘usual’ this year. We didn’t get an update until early November, compared to 16 September 2024 for the January to June 2024 period. 

And when it did arrive, the report came in a different format. Typically, we would expect to see a 40-odd page PDF document, containing key statistics, a snapshot of the key takeaways, and a spotlight on key themes. 

That’s not what this report looked like. Instead, we found the OAIC’s new interactive dashboard. 

Introducing the OAIC Data Breach Dashboard

The dashboard is designed to allow users to interact and engage with the data breach statistics a little more closely. 

“Our goal for the new NDB dashboard is to help reporting entities learn from the experiences of others – those organisations and agencies who have had to notify us of a data breach. We hope the tool is used to improve their own responses and reporting if a data breach occurs…”, Commissioner Kind is quoted as saying in the OAIC’s announcement of the new dashboard. 

That same announcement states that the OAIC will update the information on the dashboard every 6 months, similar to what we’ve been seeing with the OAIC’s data breach reporting on six month periods for the past years. Perhaps the new dashboard format will reduce the time taken for that publication, which would be good news for those interested in timely information about the data breach environment.

Screenshot of the OAIC’s new NDB dashboard, taken November 10 2025

Is The OAIC Data Breach Dashboard An Improvement on the Previous Bi-Annual Reporting? 

In some ways, yes – the dashboard is an improvement. The OAIC’s notes highlight that this dashboard can easily be used for benchmarking by Australian organisations – and this is true. You can more easily flick between data for each reporting period using the dashboard compared to opening each report and scrolling through. That is, so long as you’re using a desktop – since no mobile version is currently available. 

However, you do also lose more detailed access to the OAIC’s examples and analysis of key themes. The only analysis from the OAIC this period was a case study covering a third party data breach – a type of data breach that “continue(s) to present challenges” for Australian organisations. 

The case study discusses a breach caused by a government-department-contracted software developer, which ran a script (without authorisation) that caused private documents to become publicly available online – on two separate occasions.The government agency identified both breaches and took actions to remove the public-facing documents and notify the affected individuals. In this case, there were measures in place intended to prevent third parties from taking actions (like this) without written permission – but, in our opinion, it appears that additional steps, like access controls and other technical measures, were not in place to prevent this from happening in the first place. 

The government agency noted, according to the case study, that it would review its measures. Meanwhile, the OAIC detailed that organisations should implement supplier risk management frameworks and robust security measures to prevent data breaches in the supply chain. 

• For more information on managing risk posed by third-party vendors, download our detailed e-guide. 

The OAIC’s various analyses were a valuable part of the reporting provided in each period over the past years, so it is a shame to see them go. Though, given the resource constraints at the OAIC, we aren’t especially surprised to see reduced analyses of data breach statistics. 

Takeaways From The January-June 2025 Data Breach Dashboard Reporting

Now onto our takeaways from the January-June 2025 reporting period. 

Spotlight on key metrics

• There were 532 data breaches in the January-June 2025 period, down 10% from July-December 2024, but marginally up year-over-year from the 518 reported in January-June 2024. 
• March and May were the busiest months for data breaches in Australia during this period. 
• 67% of data breaches impacted 100 or fewer people,
• Fewer breaches were caused by criminal attacks between January-June 2925 compared to the six month period prior, but human error breaches were much higher (37%, compared to 29%). 
• The health sector remained the most breached sector in Australia during this period. 
• The top three causes of human error breaches remained the same – PI sent by email to the wrong recipient (44%), unintended release, and failure to use BCC when sending an email. 
• Contact information and identity information were the most frequently breached personal information. 
• Breaches were, on average, identified and the OAIC notified more quickly between Jan-June 2025 compared to the previous period.

Key Takeaway: Organisations Need an Antidote to Human Error Breaches

The fairly significant leap in human error breaches this period highlights a growing need for organisations to implement technical measures to reduce the risk of human error breaches. 

The reality is that your human resources are, and will remain, a risk for your organisation. Training is a crucial step in reducing the risk they pose to your organisation, and we strongly advocate for regular training sessions and communications to build a culture of privacy.

But, humans are fallible, and even momentary lapses in judgement or thinking can have privacy implications. That’s why your training should be supported by robust technical measures that reduce privacy risk. 

Some common, and relatively easy-to-implement technical measures that can reduce the risk of personal information being sent by email include: 

1. Managing the use of auto-populate in the ‘to’ field in the email platform. 
2. Automatically inserting a prominent visual warning (e.g., a banner or pop-up) when a user drafts an email that includes recipients outside the organization’s domain. This prompts the sender to double-check external addresses before clicking ‘Send’ (which is most effective when backed by privacy training and regular reminders of the importance of not sending out PI to the wrong recipients).
3. Using BCC as default. 
4. Only sharing communications (especially those containing personal information) via a secure portal that can only be accessed with a password or login from the right recipient. 
5. Delaying the sending of all outbound emails to give your team time to identify and rectify mistakes (typically for 2 to 5 minutes), plus you can also require any emails being sent with sensitive information to be double-checked by another member of your team before it is sent to reduce the risk of sensitive information being breached this way. 

You can read more about reducing the risk of your team sending personal information to the wrong recipient and what to do if you send personal information to the wrong person in our earlier blogs. 

Other Action Items

These quick tips could help your organisation to address some of the major causes of data breaches in Australia: 

1. Regularly communicate with your team on ‘wrong recipient’ risk. These trainings should extend beyond email breaches, since verbal and physical mail breaches do still happen. These communications could be email updates that focus on relevant scenarios or discussing near misses – alongside regular training for your team. 
2. Access control should be implemented as standard for any documents containing personal or sensitive information. This could be as simple as creating secure links for Microsoft or Google documents (instead of sharing with anyone who has the link) or more complex technical measures. 
3. Strongly consider mandating the use of password-protected documents and communications and/or secure client portals instead of email attachments – particularly for sensitive information. This is true regardless of the sector you’re in. 

For assistance uplifting your organisations privacy, whether that’s tailored training or a privacy maturity review, reach out. Our team of experienced privacy consultants are available to help – starting with a free 30-minute consultation. 

Or enter your information below to receive insights like this in your inbox each month.