Frontrow Technology
← All insights & guides
Guide

Cyber Security

Australian data breach statistics 2026: what the OAIC numbers show

1,205 data breaches were notified to the OAIC in 2025, the highest annual total since mandatory reporting began. Here are the verified numbers on causes, sectors, credentials, ransomware and costs, with every figure sourced to its OAIC reporting period.

Graeme Lodge · 11 July 2026 · 7 min read

Australian organisations notified 1,205 data breaches to the privacy regulator in 2025, an 8% rise on 2024 and the highest annual total since mandatory reporting began in 2018 (OAIC Notifiable Data Breaches statistics, calendar year 2025). Malicious or criminal activity caused 716 of them, and health service providers reported the most at 225 notifications.

The Office of the Australian Information Commissioner (OAIC) publishes Notifiable Data Breaches (NDB) statistics twice a year, and they are the closest thing Australia has to an official scoreboard of what is actually going wrong inside organisations. This page compiles the verified figures from the most recent published OAIC reports, with the reporting period stated against every number.

Key statistics at a glance

  • 1,205 data breach notifications in 2025, up 8% from 1,112 in 2024 and a record since the scheme began (OAIC Notifiable Data Breaches statistics, calendar year 2025)
  • 716 of the 1,205 notifications in 2025 were attributed to malicious or criminal activity (OAIC Notifiable Data Breaches statistics, calendar year 2025)
  • Health service providers reported the most breaches in 2025: 225 notifications, or 19% of the total (OAIC Notifiable Data Breaches statistics, calendar year 2025)
  • Human error caused 37% of breaches in the first half of 2025, up from 29% in the previous period (OAIC Notifiable Data Breaches Report, January to June 2025)
  • Phishing and compromised or stolen credentials together accounted for 55% of cyber incidents (OAIC Notifiable Data Breaches Report, July to December 2024)
  • Ransomware was behind 60 notifications, or 24% of cyber incidents (OAIC Notifiable Data Breaches Report, July to December 2024)
  • 67% of breaches affected 100 or fewer people, while the average cyber incident affected just over 10,000 individuals (OAIC Notifiable Data Breaches Report, January to June 2025)
  • 66% of breaches were identified within 30 days of occurring, and 52% were notified to the OAIC within 10 days (OAIC Notifiable Data Breaches Report, July to December 2024)
  • The average cost of an Australian data breach reached AUD $4.26 million (IBM Cost of a Data Breach Report 2024, Australian figures)

How many data breaches are reported in Australia?

The OAIC received 1,205 data breach notifications in the 2025 calendar year, an 8% increase on the 1,112 notifications received in 2024, which was itself the previous record (OAIC Notifiable Data Breaches statistics, calendar year 2025). The trend has been consistently upward: the second half of 2024 produced 595 notifications against 518 in the first half (OAIC Notifiable Data Breaches Report, July to December 2024), and the first half of 2025 produced 532 (OAIC Notifiable Data Breaches Report, January to June 2025), before the second half pushed the annual total to its new high.

Two caveats matter when reading these numbers. First, they count notifications, not incidents; only breaches likely to result in serious harm must be reported, so the true incident count is higher. Second, the wider threat picture is larger again: the Australian Signals Directorate received over 84,700 cybercrime reports in the 2024-25 financial year, roughly one every six minutes (ASD Annual Cyber Threat Report 2024-25).

What causes most Australian data breaches?

Malicious or criminal attacks are consistently the largest source. In the second half of 2024 they caused 404 notifications (69%), against 170 for human error (29%) and 12 for system faults (2%) (OAIC Notifiable Data Breaches Report, July to December 2024). In the first half of 2025 the malicious share was 59% (308 notifications), while human error jumped to 37% (193 notifications), a significant rise from 29% in the prior period (OAIC Notifiable Data Breaches Report, January to June 2025).

Inside the cyber incidents

The OAIC's most recent full breakdown of cyber incident methods covers July to December 2024, when 247 of the malicious-attack notifications were cyber incidents. The split (OAIC Notifiable Data Breaches Report, July to December 2024):

  • Phishing leading to compromised credentials: 84 notifications (34% of cyber incidents)
  • Compromised or stolen credentials, method unknown: 51 (21%)
  • Ransomware: 60 (24%)
  • Hacking: 23 (9%)
  • Brute-force attacks: 16 (6%)
  • Malware: 12 (5%)

Add those first two lines together and 55% of cyber incidents began with someone's credentials. Include brute-force attacks, which also target passwords, and roughly six in ten cyber breaches were identity attacks rather than exotic exploits.

Inside the human error breaches

Human error breaches are dominated by email. In July to December 2024, personal information sent to the wrong recipient by email caused 71 notifications (42% of human error breaches), unintended release or publication caused 39 (23%), and failure to use BCC caused 13 (8%) (OAIC Notifiable Data Breaches Report, July to December 2024). The same three causes topped the list again in the first half of 2025, with misdirected email alone at 44% of human error breaches (OAIC Notifiable Data Breaches Report, January to June 2025).

Which sectors report the most breaches?

Health has topped every OAIC report since the scheme began, and 2025 was no exception. The top sectors for the 2025 calendar year (OAIC Notifiable Data Breaches statistics, calendar year 2025):

  1. 1Health service providers: 225 notifications (19%)
  2. 2Finance and superannuation: 157 notifications
  3. 3Australian Government: 118 notifications
  4. 4Business and professional associations: 103 notifications
  5. 5Education and legal, accounting and management services: 81 notifications each

The pattern is stable across periods: in July to December 2024 health reported 121 breaches (20%) and the Australian Government 100 (17%) (OAIC Notifiable Data Breaches Report, July to December 2024), and in the first half of 2025 health led on 18%, followed by finance on 14% and government on 13% (OAIC Notifiable Data Breaches Report, January to June 2025). What these sectors share is a high volume of sensitive personal information handled by busy people over email, which is exactly where the cause statistics point.

How big are the breaches?

Most notified breaches are small: 67% affected 100 or fewer people in the first half of 2025, and the most common band in the prior period was a single person (OAIC Notifiable Data Breaches Report, January to June 2025; July to December 2024). Cyber incidents skew much larger, affecting just over 10,000 individuals on average in the first half of 2025 (OAIC Notifiable Data Breaches Report, January to June 2025). On speed, 66% of breaches were identified within 30 days of occurring, and 52% were notified to the OAIC within 10 days of the entity becoming aware (OAIC Notifiable Data Breaches Report, July to December 2024).

How much does a data breach cost in Australia?

The OAIC does not publish cost figures, so the following come from separately labelled sources. IBM's Cost of a Data Breach Report 2024 put the average cost of an Australian data breach at a record AUD $4.26 million, with Australian organisations taking an average of 266 days to identify and contain an incident, eight days longer than the global average (IBM Cost of a Data Breach Report 2024, Australian figures). At the small business end, the average self-reported cost of a single cybercrime report was $56,600 in the 2024-25 financial year, up 14% year on year (ASD Annual Cyber Threat Report 2024-25). The gap between those two numbers reflects what they measure: full enterprise breach lifecycles versus individual self-reported incidents.

Who has to report a breach?

The NDB scheme covers entities regulated by the Privacy Act 1988: businesses and not-for-profits with annual turnover above $3 million, plus all private health service providers, credit reporting bodies, tax file number recipients and Australian Government agencies regardless of turnover. When one of these entities suspects an eligible data breach, it has 30 days to assess whether the breach is likely to result in serious harm to any individual. If it is, the entity must notify both the OAIC and the affected individuals as soon as practicable.

The stakes for getting this wrong rose sharply with the 2022 Privacy Act amendments, which lifted maximum penalties for serious or repeated privacy interference to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover. Many small businesses sit under the $3 million threshold and assume the scheme does not touch them; any business handling health information or tax file numbers should check that assumption before an incident forces the question.

What the numbers mean for Australian businesses

Read together, the OAIC statistics describe a threat that is persistent rather than exotic. Notifications keep setting records, but the causes barely move: credentials get phished or stolen, and staff email the wrong person. For an organisation running Microsoft 365, that is genuinely good news, because the controls that address both failure modes are licensing and configuration decisions, not research projects. Frontrow Technology helps Australian businesses assess where their Microsoft 365 tenancy stands against exactly these breach patterns.

Statistics compiled July 2026 from the most recent published OAIC reports. Figures are quoted against their original reporting period; the OAIC now publishes NDB data through its statistics dashboard and periodic reports, so later periods may revise the picture.

Common questions

Frequently asked

How many data breaches were reported in Australia in 2025?
The OAIC received 1,205 data breach notifications in the 2025 calendar year, an 8% increase on the 1,112 received in 2024 and the highest annual total since the Notifiable Data Breaches scheme began in 2018 (OAIC Notifiable Data Breaches statistics, calendar year 2025).
What is the most common cause of data breaches in Australia?
Malicious or criminal attacks, which caused 716 of the 1,205 notifications in 2025 (OAIC Notifiable Data Breaches statistics, calendar year 2025). Within cyber incidents, phishing and compromised or stolen credentials together accounted for 55% (OAIC Notifiable Data Breaches Report, July to December 2024). Human error caused a further 37% of all breaches in the first half of 2025.
Which industry has the most data breaches in Australia?
Health service providers, with 225 notifications in 2025, or 19% of the national total. Finance followed with 157 and the Australian Government with 118 (OAIC Notifiable Data Breaches statistics, calendar year 2025). Health has topped every OAIC reporting period since the scheme began.
How much does a data breach cost an Australian business?
IBM's Cost of a Data Breach Report 2024 put the Australian average at AUD $4.26 million, with 266 days on average to identify and contain an incident. For small businesses, the ASD Annual Cyber Threat Report 2024-25 recorded an average self-reported cost of $56,600 per cybercrime report, up 14% year on year.
When does a data breach have to be reported to the OAIC?
An entity covered by the Privacy Act has 30 days to assess a suspected eligible data breach, and must notify the OAIC and affected individuals as soon as practicable if serious harm is likely. In practice, 52% of breaches were notified within 10 days of the entity becoming aware (OAIC Notifiable Data Breaches Report, July to December 2024).

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.