Australian organisations reported 595 data breaches to the Office of the Australian Information Commissioner (OAIC) in the second half of 2024 — the highest number ever recorded in a six-month period since the Notifiable Data Breaches (NDB) scheme began in 2018.
That figure marks a steady increase from 518 in the first half of the year and underscores the rising complexity and frequency of cyber threats across sectors. Health service providers led the tally with 121 notifications (20%), followed by Australian Government agencies, finance, and legal/accounting firms.
The majority of breaches (69%) were the result of malicious or criminal attacks, with cyber incidents accounting for 247 reports. Phishing, compromised credentials, ransomware, and hacking remain the most common methods. Notably, phishing alone was behind 34% of all cyber incidents.
But not all breaches were driven by external attacks. 170 breaches (29%) stemmed from human error, with personal information being sent to the wrong recipient via email the leading cause.
While many breaches affected fewer than 100 individuals, others impacted thousands, with the average number of individuals affected by ransomware attacks reaching 26,878 per incident.
The implications for business are significant. Data breaches can disrupt operations, erode customer trust, and trigger costly investigations. For regulated industries, compliance obligations under the Privacy Act add further pressure to respond promptly and transparently.
This environment is reshaping how businesses approach cyber risk – including how insurers assess it. Underwriters are closely examining internal controls, breach detection timelines, and incident response procedures. Businesses without strong governance frameworks or documented recovery plans may face challenges securing adequate insurance cover.
As the risk landscape evolves, so too must the approach to managing it. Insurance may help absorb the financial impact, but it’s only one part of the solution. Robust cybersecurity practices, employee training, and swift breach identification remain essential safeguards in a climate where the question is no longer if a breach will occur – but how prepared you’ll be when it does.
For more information about how to manage your risk profile, contact your local PSC Insurance Broker.
