Data breaches surged to their highest level in three and a half years during the first half of 2024, according to new statistics from the Office of the Australian Information Commissioner (OAIC).
The office recorded 527 breaches in the first half of 2024, a sharp increase of nine percent from the latter half of 2023.
Among the most significant incidents was the MediSecure data breach, which impacted approximately 12.9 million Australians—the largest number affected by a breach since the Notifiable Data Breaches scheme began.
This breach underscores the growing vulnerability of both private and public sectors to data security threats.
The report also found that malicious and criminal attacks were the leading cause of data breaches, accounting for 67 percent of cases, with 57 percent of these incidents categorised as cyber security breaches.
The health sector and Australian government were the most frequent sources of breaches, reporting 19 percent and 12 percent of all incidents, respectively.
Australian Privacy Commissioner Carly Kind said that every day her office is notified of data breaches where Australians are at likely risk of serious harm.
“This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” Kind said.
She said current privacy and security measures are failing to keep pace with emerging threats.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority,” she added.
Kind noted that the Notifiable Data Breaches scheme has matured over the past six years and that expectations for organisations are higher than ever.
“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” she said.
To tackle the issue, the Australian government has introduced the Privacy and Other Legislation Amendment Bill 2024. This proposed legislation aims to enhance the OAIC’s enforcement capabilities by introducing a more robust civil penalty regime and infringement notice powers.
Additionally, it seeks to clarify existing security obligations under Australian Privacy Principle 11, requiring organisations to implement comprehensive technical and organisational measures, such as data encryption and staff training, to mitigate information security risks.
Recent high-profile breaches have heightened concerns about data security.
The Latitude breach in 2023, affecting over 14 million individuals across Australia and New Zealand, was one of the largest in recent history.
Initially reported to involve only 328,000 individuals, further investigations revealed the broader impact.
Similarly, the Optus data breach, one of the largest in Australian history, compromised the personal information of up to 9.8 million customers, nearly 40 percent of the population.
The breach, believed to involve state-sponsored cybercriminals, raised significant questions about Australian data security policies and the handling of sensitive information.