Are data breaches increasing or are we just hearing about them more?


There are two words every organisation prays they never hear. Words that invoke more fear and panic than the “boogey man”. Those two words? Data breach.  

Unlike the boogey man, data breaches are very real. American Express, Canberra Medical Centre, Canva, Latitude and the now infamous Optus and Medibank data breaches have dominated headlines in recent years. Data breaches are the inescapable mainstay of our newsfeeds. But are data breaches really happening more frequently? Or are organisations just being more transparent and we’re hearing about them more? 

Let’s look at the stats. 

OAIC Notifiable Data Breach Reports 

Every 6 months the Office of the Australian Information Commissioner (OAIC) publishes their Notifiable Data Breaches Report analysing trends in the data breaches notified to the OAIC in the 6-month period prior. The most recent Report covering the July – December 2023 period confirmed there were 483 notifications made to the OAIC during the relevant period. This was up 19% from the previous period where the OAIC received 409 notifications. In July – December 2022 the number of notifications reached 497. 

Figures from previous periods include: 

  • January – June 2022 – 396 notifications. 
  • July – December 2021 – 464 notifications 
  • January – June 2021 – 446 notifications 
  • July – December 2020 – 583 notifications 
  • January – June 2020 – 518 notifications 

There is no obvious upward trend in notifiable data breaches. However, with regulatory screws tightening and community expectations around privacy rising, it may be that data breaches are becoming more “newsworthy”.  

This may be in part due to the rise in data breaches caused by malicious or criminal activity. In 2018, malicious activity accounted for just over half of all notified data breaches but in recent years that figure has been as high as 70%.  

Recent developments in AI, including voice spoofing and generative AI have not gone unnoticed by cyber criminals who are deploying AI tools for malicious purposes. For example, cyber criminals are using AI tools to attempt mass or repeated system infiltrations and by generating highly convincing phishing emails, enticing employees to make the ill-fated mistake of clicking a link or providing details which grants the unknown actor access to a whole host of information held by an organisation.  

What is a notifiable data breach? 

The Notifiable Data Breaches (NDB) Scheme was introduced into the Privacy Act in 2018. When organisations experience unauthorised access to or unauthorised disclosure of personal information that is likely to result in serious harm to one or more individuals and that risk of harm cannot be prevented, the organisation must notify the OAIC. This is considered to be an ‘eligible data breach’ for the purposes of the NDB Scheme. 

Griffin Legal are privacy experts with experience providing legal advice and assistance to organisations who have suffered data breaches. We understand how upsetting and challenging a data breach can be and are committed to supporting you through every step of the process. 

Parental Leave for Casual Employees

For casual employees the unpredictability of their employment can be a major source of stress as often casual employees miss out on many of the entitlements that full-time and part-time employees enjoy. For many, this concern is further exacerbated when they learn that they are about to become a parent. It should therefore be of …
Read more

Purchasing an Off-the-Plan Property

The interest in “off-the-plan” properties is ever increasing and is becoming more popular for buyers. An off-the-plan purchase is one where the Buyer enters into a contract to purchase a property that has not yet been constructed. Due to the prolonged settlement period for an off-the-plan purchase it is imperative for buyers and sellers to …
Read more