Data Breach Notifications Hit Record Highs

data breach growth chart

Data breach notifications hit record highs on both sides of the Tasman in 2025, with regulators in Australia and New Zealand both pointing to cyber attacks and vendor security gaps as the common thread.

Australia recorded 1,205 notifications under the Notifiable Data Breaches (NDB) scheme in the 2025 calendar year, the highest since the scheme began in 2018 and an 8 per cent rise on 2024's 1,112. The figures were published by the Office of the Australian Information Commissioner (OAIC) on 6 July 2026, drawing on notifications from businesses and Commonwealth agencies covered by the Privacy Act.

Underlying NDB scheme data for July to December 2025 shows 670 notifications in that six-month period, with malicious or criminal attacks accounting for 405 of them, more than double the 194 attributed to human error.

Health service providers were the most commonly affected sector across the year, accounting for 225 notifications, or 19 per cent of the total. Financial services (157 notifications), the Australian Government (118), business and professional associations (103), and education and legal, accounting and management services (81 each) rounded out the top five sectors by volume.

Health data was also at the centre of New Zealand's biggest privacy failure of the year. A December 2025 cyber breach of the Manage My Health patient portal compromised the health records, clinical notes and identity documents of close to 100,000 New Zealanders, with the stolen data later offered for sale on the dark web. It is New Zealand's largest-ever health data breach.

Cyber hacking remains the leading cause

Across the full year, malicious or criminal activity was attributable for 716 of the 1,205 Australian notifications. Within the July-to-December data, cyber incidents alone accounted for 253 notifications, ahead of social engineering or impersonation attacks (88) and rogue employee or insider threats (34).

"The threat posed to Australian businesses and organisations by data breaches is substantial and rising year on year, with 2025 recording the highest number of notifications received in a year since the commencement of the NDB scheme," said Australian Privacy Commissioner Carly Kind.

The OAIC's 2026 Australian Community Attitudes to Privacy Survey found data breaches are now the top perceived privacy risk among Australians, with 82 per cent concerned about the issue, up from 74 per cent in 2023.

New quick reference guide for entities

Alongside the statistics, the OAIC published a new quick reference guide for entities with NDB scheme obligations. The guide sets out four steps for responding to a breach: contain it to prevent further unauthorised access or disclosure; assess the incident to determine whether it is an eligible data breach; notify affected individuals and the OAIC where required; and review the incident to reduce the likelihood of a repeat. 

It includes a decision-making framework and self-assessment checklist to help entities determine whether a breach is likely to result in serious harm and therefore requires notification.

"With this new guide, entities subject to the Privacy Act will have quick access to essential information needed to act effectively when faced with a potential data breach, when they may be under significant pressure," Commissioner Kind said. "This will benefit both the entity, and the impacted community."

The guide is available as both an interactive webpage and a downloadable self-assessment checklist (PDF, 261 KB) from the OAIC website.

New Zealand sees breach notifications climb 27pc

New Zealand's Office of the Privacy Commissioner (OPC) reported a similar trend in its Annual Report 2024/25. The office received 1,093 privacy breach notifications in the year to 30 June 2025, up 27 per cent on the prior year, and 591 of those were classified as serious privacy breaches, a 43 per cent increase. Total privacy complaints from individuals rose 21 per cent to 1,598, a record high for the office.

"This year we also had a 27% increase in privacy breach notifications. It's clear that agencies need to respond to the challenge to be better at safeguarding New Zealanders' personal information," Privacy Commissioner Michael Webster said in the report. 

A March 2025 survey of more than 1,000 New Zealanders found 82 per cent wanted more control and choice over the collection and use of their personal information, mirroring the concern levels reported in Australia.

Unlike Australia's NDB scheme, New Zealand's Privacy Act 2020 carries no financial penalty regime for breaches, a gap the Commissioner has repeatedly flagged as reducing agencies' incentive to invest in privacy safeguards.

Manage My Health inquiry exposes vendor gap

Phase 1 findings from the OPC's inquiry into the Manage My Health breach, finalised by Commissioner Webster in mid-2026, found that both Manage My Health and Health New Zealand had failed to maintain reasonable security safeguards, in breach of the Health Information Privacy Code. Specific failures identified included multi-factor authentication that was not mandatory for users and the absence of any system to detect bulk data exfiltration.

The Commissioner is issuing compliance notices to both organisations. The inquiry has also prompted the OPC to recommend amending the Privacy Act so that third-party data processors and IT vendors can be held directly liable for security failures, rather than leaving agencies such as small GP clinics to carry the full compliance burden for systems they did not build.

The Office of the Privacy Commissioner's full Annual Report 2024/25 is available on its website.

 

Business Solution