“This password has appeared in a data leak” – data breaches hit a record number
Hardly a day goes by without a data breach making the news – retailers, universities, medical facilities, government departments, law firms, mining companies, charities, car hire companies, clubs, transport companies, manufacturers…the list goes on.
At the time of writing, news had just broken that Qantas had fallen victim to a cyberattack. A cybercriminal targeted a Manila-based Qantas call centre and used a vishing technique (voice phishing, where cybercriminals pose as trusted entities to trick victims into releasing sensitive data such as login credentials) to gain access to a third-party platform used for customer service. The system breach resulted in the personal data of around six million of the airline’s customers being compromised. Full details were yet to be determined, but it was reported that customers’ names, email addresses, phone numbers, birth dates, and frequent flyer numbers had been exposed. Qantas stated: “Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised, nor have passwords, PIN numbers or login details been accessed.”
“Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues,” the airline said.
The Qantas incident, which occurred on 30 June 2025, is the latest in a succession of notifiable data breaches.
A record number of notifiable data breaches
In 2024, the number of data breaches that were required to be reported to the Office of the Australian Information Commissioner (OAIC) hit a record number.
The OAIC reported there were 1,113 notifications made by businesses and government agencies during the year – a 25% increase on 2023 and the highest annual total since mandatory data breach notification requirements started in 2018.
Data breaches must be reported to the OAIC when personal information is accessed or disclosed without authorisation or is lost. The Notifiable Data Breaches (NDB) scheme only applies to organisations and agencies covered by the Privacy Act 1988. The NDB scheme requires an organisation to notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm.
Cybercriminals wreak havoc – but there is also a threat from within
OAIC data indicated malicious and criminal attacks were the main source of breaches – accounting for 69% of notifications in the second half of 2024, with 61% of those being cybersecurity incidents. Phishing (compromised credentials) accounted for 34% of the cybersecurity incidents, ransomware 24%, compromised or stolen credentials (method unknown) 21%, hacking 9%, brute-force attack (compromised credentials) 7%, and malware was the source of 5% of incidents.
OAIC GM of regulatory intelligence and strategy Annan Boag said there was a significant rise in data breaches caused by social engineering and impersonation, manipulating people into carrying out specific actions or divulging information. Social engineering/impersonation accounted for 28% of malicious and criminal attacks, while rogue employee/insider threats were responsible for 7%, and 4% were attributed to the theft of paperwork or a data storage device. The number of malicious or criminal attacks increased 17% in the latter half of 2024.
Human error was responsible for 29% of the data breaches recorded between July and December 2024. Sending personal information to the wrong recipient (email) was the most prevalent human error, accounting for 42% of data breaches. Unauthorised disclosure (unintended release or publication) made up 23% of breaches, and 8% was attributed to a failure to use BCC when sending email. Human error breaches were up 10%.
System failures accounted for 2% of data breaches. Of those system failure notifications, unintended release or publication accounted for 58%, while the remaining 42% were due to unintended access. The number of system failure breaches was down 29%.
The highest number of data breaches occurred in the health services sector (20% of all notifications), followed by the Australian Government (17%), finance industry including superannuation (9%), legal, accounting and management services (6%), and the retail sector (6%).
As for the kinds of personal information involved in the breaches, contact information was most commonly compromised, followed by identity information, financial details, and health information. Tax file numbers and other sensitive information were also exposed in a number of data breaches.
“The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase,” said Australian privacy commissioner Carly Kind in a statement.
Is Australian data being breached every second?
The OAIC figures only capture data breaches that are required to be reported under the NDB scheme – many more incidents occur which go unreported. In fact, one source puts the number in the millions. Research from VPN provider Surfshark revealed there were 47 million data breaches recorded in Australia during 2024 – that equates to one every second. It also found the average cost of a data breach reached A$4.26 million in 2024 – a 27% increase since 2020.
Also of note, 49 million unique Australian email addresses have been exposed since 2024, resulting in 106.9 million leaked passwords and other sensitive details (on average, each email is linked to three data points, exposing phone numbers, addresses and passwords).
According to Surfshark, 56% of breached users faced a risk of identity theft, account takeovers, or financial fraud.
Figures from Statista show data breaches come at a cost. The average cost of a data breach incident across companies worldwide is US$4.88 million including detection, business losses, post-breach response, and notification costs. Among these, the detection and escalation of the data breach was the costliest segment, and business disruption and revenue loss were among the most common consequences of data breach incidents (claimed by over 55% of organisations worldwide). VPNRanks estimates the average cost of a data breach could rise to US$5.32 million in 2025.
Beyond data breaches
In addition to the data breach threat, email scams are also on the rise. There were around 91,000 email scams reported in 2024, according to data from the ACCC’s Scamwatch. In January and February 2025 alone, nearly 18,000 incidents were lodged. Almost $300 million has been lost to email scams since 2020.
Also increasing are ransomware threats. According to Bitdefender’s March 2025 threat report, Australia ranked sixth globally for ransomware detections in February 2025, having recorded 962 incidents. This represents a 126% increase year-over-year (compared to 425 incidents in February 2024).
The Australian Cyber Security Centre notes a cybercrime is reported every six minutes.
Compromised data erodes trust
October 2024 research from Cloudflare found 41% of respondents across Asia-Pacific said their organisation experienced a data breach in the past 12 months, with 47% indicating they suffered from more than 10 data breaches.
High profile data breaches – including Australian National University (2018), Canva (2019), Optus (2022), Medibank (2022) and Latitude (2023) – have raised awareness about the type and volume of data organisations hold – and how well they protect that data.
Consumers (customers and clients) are increasingly cognisant of what information they are handing over to businesses, and concerned about the security of their information.
According to the OAIC’s 2023 survey, 74% of Australians feel data breaches are one of the biggest privacy risks they face today, and 62% see the protection of their personal information as a major concern in their life. Little wonder, as almost half (47%) said they had been informed by an organisation that their personal information was involved in a data breach in the 12 months prior to completing the survey, with three-quarters (76%) saying they experienced harm as a direct result. Half (52%) saw an increase in scams and spam, and almost a third (29%) said they had to replace key identity documents, such as a driver’s licence or passport. One in ten (12%) experienced emotional or psychological harm. Almost half (47%) of people said they would stop using a service if their data was involved in a breach.
Another survey by the University of New South Wales found more than 70% of consumers believe they have very little or no control over what personal information online businesses share with other companies and only a third feel they have at least moderate control over whether businesses use their personal information to create a profile about them.
Honeycomb Strategy’s Brands Beyond Breaches 2024 – A Brand Playbook for Privacy Protection report revealed Australians are increasingly prioritising the security of their personal data, with 75% saying they would prefer data privacy over a personalised experience, and 90% demanding transparency in how their personal data is handled.
Almost two-thirds (64%) of Australians lack confidence in the ability of large organisations to keep their personal data safe, and 83% are concerned about the security of information held by their service providers, according to research from strategic insights consultancy Nature.
OAIC’s Australian Community Attitudes to Privacy Survey 2023 also found 84% want more control and choice over the collection and use of their information, and 89% would like businesses and government agencies to do more to protect their personal information.
The impact of being caught up in a data breach can be far-reaching. There is the potential for private and sensitive information to be exposed – and the affected person to be vulnerable to cyberattack, identity theft, fraud or even blackmail/extortion.
The ramifications have led more victims of data breaches to seek compensation through legal proceedings, including class actions (Optus and Medibank breaches being prime examples).
The government has also cracked down on data breaches, with new and amended laws. Regulators are also focussed on data protection and are prosecuting offending organisations.
The increased scrutiny is not being ignored by businesses.
According to Economist Impact’s Sight unseen: navigating out-of-sight risks in Asia-Pacific report, 90% of executives deem cybersecurity threats and data breaches high-priority risks.
Data privacy was also cited as a foremost concern for 2025 among 45% of IT and cybersecurity decision-makers in Australia and New Zealand in an Arctic Wolf survey. It also found 85% of Australian and New Zealand organisations had experienced a cyber incident in the past year, and local businesses were 9% more likely to suffer significant breaches.
A survey by McGrathNicol in 2024 found cybersecurity was the number-one concern for businesses. It is a sentiment echoed in numerous executive and business surveys.
Protecting data
“Businesses and government agencies need to step up privacy and security measures to keep pace. Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure,” privacy commissioner Kind said.
To help protect the data held, businesses may consider:
- Understanding their data protection obligations – including any requirements under the Notifiable Data Breaches (NDB) scheme.
- Only collecting the personal information necessary.
- Restricting access to personal information (implementing access controls).
- Securely storing personal information (including paperwork) – both digitally and physically.
- Deleting or de-identifying personal information when it is no longer needed.
- Establishing clear data collection and use policies.
- Clearly communicating data policies with stakeholders including employees and customers.
- Ensuring employees are trained in best practices for handling private information.
- Establishing procedures and protocols to identify, respond to, notify affected persons, and report data breaches.
- Maintaining good cybersecurity hygiene, including:
  - keeping software updated
  - changing factory-set or administrator passwords on Wi-Fi equipment, modems and any other devices
  - ensuring strong passwords are used and regularly changed
  - using multifactor authentication
  - securing Wi-Fi networks
  - updating security on devices
  - encrypting data
  - installing anti-virus protection software
  - regularly backing up data
  - running cybersecurity audits (assessing vulnerabilities and conducting penetration tests), and
  - keeping up-to-date with cybersecurity matters.
- Ensuring equipment and devices are kept secure – both digitally and physically.
- Disposing of old IT equipment and records securely.
Businesses should also consider the insurance options that may be available to help provide financial protection should there be a data breach. Talk to your EBM Account Manager about cyber insurance and other liability covers that may be suitable.