OAIC Data Breach Report: July – December 2024

The Notifiable Data Breaches Report (July to December 2024) highlights several important shifts compared to the same period in 2023. The number of notifications increased from 483 in 2023 to 595 in 2024 (a 23% rise), marking the highest number reported in any six-month period since the scheme began. Human error breaches surpassed 2023 levels, growing in both number and complexity, while malicious or criminal attacks, though still the dominant category, dropped from 67% of all breaches to 60%. The Australian Government rose to become the second most affected sector, overtaking finance, reflecting a surge in multi-agency incidents. Notably, the number of affected individuals per breach fell, especially in cyber incidents, suggesting improved containment practices.

The 2024 report shows malicious or criminal attacks remained the leading cause of breaches (404 out of 595), with cyber incidents comprising 61% of these. However, unlike 2023, when ransomware and brute-force attacks led in scale, the 2024 breaches more frequently involved compromised credentials through phishing. Average numbers of affected individuals decreased, indicating quicker detection or narrower access during breaches. Fortunately, ransomware incidents affected fewer people on average (26,878) compared to previous years, and there were fewer mega-breaches (i.e., over 1 million people affected). This could be the result of strengthened security measures or better response protocols among organisations.

Human error was responsible for 29% of reported breaches (170 incidents), up from 144 in 2023. The most frequent mistakes involved sending personal information to the wrong recipient via email – a persistent vulnerability. Although these incidents typically affected fewer individuals (a median of 1 per breach), their sheer volume reflects continued weaknesses in procedural safeguards. Unauthorised disclosures and poor redaction practices also remained common, with little improvement from previous reporting periods. This trend suggests that many organisations still lack robust staff training and verification steps to prevent accidental disclosures.

Sector-specific trends showed that health service providers again topped the list with 121 breaches (up from 104), followed by the Australian Government (100 breaches) and the finance sector with 54 breaches (up from 49). Government agencies experienced a dramatic rise in notifications, with a disproportionate number resulting from human error. In contrast, the retail sector saw a rise in breaches linked to cyber incidents. Meanwhile, multi-party breaches – those involving software or service providers impacting multiple clients – remained high, pointing to ongoing risk in outsourced data handling and highlighting the need for stronger contractual arrangements covering data retention and breach response responsibilities.

Timeliness in detecting and reporting breaches remained a concern. In 2024, 67% of incidents were identified within 30 days of occurrence, a slight dip from 2023. Breaches due to system faults continued to take longer to detect and report than those from human error or cyber incidents. Only 68% of entities notified the OAIC within 30 days of awareness – again a small decrease on the prior year. These delays undermine the goal of the Notifiable Data Breaches scheme: to allow affected individuals to act swiftly to mitigate harm. The report reinforces the need for organisations to embed breach response plans, enforce data minimisation, and implement preventive security and training measures.

Download the full report here:

https://www.oaic.gov.au/__data/assets/pdf_file/0021/251184/Notifiable-data-breaches-report-July-to-December-2024.pdf