The Office of the Australian Information Commissioner publishes the Notifiable Data Breaches statistics every six months. Most readers treat them as a press cycle — a chance to nod at the trend lines and move on. That is a missed opportunity. The figures, read carefully, are an unusually candid map of where Australian organisations are still losing personal information, which sectors are bearing the load, and where the Commissioner is most likely to look first when a breach lands on her desk.
The most recent dataset, covering 1 January to 30 June 2025, was published on the OAIC's new interactive dashboard in November 2025. It is the first reporting period since the Commissioner pivoted away from the long-form PDF report, and the change matters. The dashboard makes the data easier to interrogate and harder to wave away with a single talking point.
Here is how I would read it from the seat of a general counsel or a CISO who has to decide what to do about it on Monday.
What the latest figures actually say
The OAIC received 532 data breach notifications in the January–June 2025 period. That is a 10% decrease on the record-setting second half of 2024, and roughly flat against the 518 notifications recorded in the first half of 2024. Anyone selling the decrease as good news is selling too hard. Two consecutive half-years above 500 notifications is the new baseline; the volatility has narrowed and the number has stayed elevated.
The headline causal split:
- Malicious or criminal attacks: 59% of notifications (308 incidents).
- Human error: 37% of notifications (193 incidents) — up from 29% in the previous reporting period.
- The balance is system fault.
The sector concentration is also stable in shape if not in absolute numbers:
- Health service providers — 18% of notifications, again the most-breached sector.
- Finance — 14%.
- Australian Government agencies — 13%.
The Commissioner has been consistent in her framing. Carly Kind described the dashboard's purpose as helping "reporting entities learn from the experiences of others," and stressed the OAIC's intent to use "education and data-informed decision-making to protect Australians' personal information." That is the regulator telling the market, in measured terms, that ignorance of these patterns is no longer a defence.
The numbers behind the numbers
Three findings from this period deserve more weight than they have been given.
Human error is the line that moved
A jump from 29% to 37% in one reporting period is not statistical noise. The dominant cause within the human-error bucket continues to be personal information sent to the wrong recipient, particularly via email — the OAIC's own data attributes a substantial majority of human-error notifications to misdirected email, with failure to use BCC functionality a perennial contributor.
The operational implication is unglamorous and unavoidable: most of the controls that would have prevented these breaches are not in the SOC. They are in mail flow rules, DLP policies, and the training calendar. If your last twelve months of security spend went exclusively to EDR (endpoint detection and response — the agent-based tooling that watches for malicious behaviour on laptops and servers), and you have not refreshed your outbound email controls or your privacy training in two budget cycles, the OAIC has just told you which audit finding is coming.
Sector concentration tells you who the regulator is watching
When the same three sectors top the table for six successive reporting periods, the Commissioner does not need a strategic plan to know where to deploy enforcement attention. Health, finance, and government will continue to absorb a disproportionate share of regulatory scrutiny — not because the people in those sectors are less careful, but because they hold the most sensitive personal information at scale and operate in regulatory regimes (My Health Records Act 2012 (Cth), APRA Prudential Standard CPS 234 Information Security, the Privacy Act 1988 (Cth) Australian Privacy Principles) that already establish a high standard of expected conduct.
If you sit in one of those sectors, your breach-response runbook should assume the OAIC will engage actively, not perfunctorily.
The scale curve hasn't shifted, but the tail has
Around two-thirds of breaches in the period (67%) affected 100 or fewer individuals. That has been stable for years. What is not stable is the tail — the small number of incidents that affect tens of thousands or millions of Australians and that drive virtually all of the public, political, and litigation consequences. Boards that calibrate their breach-response investment to the median incident are calibrating to the wrong distribution. The 99th percentile is what determines whether the organisation makes the front page of The Australian and whether the Commissioner files in the Federal Court.
The enforcement environment has changed
The NDB dataset cannot be read in isolation from what the OAIC has actually been doing with its powers.
In October 2025 the Federal Court imposed Australia's first civil penalty under the Privacy Act 1988 (Cth) — $5.8 million against Australian Clinical Labs Limited in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224. The civil penalty proceedings against Medibank Private Limited remain on foot, with the Commissioner alleging serious interferences with the privacy of 9.7 million Australians arising out of the October 2022 incident. Meta's $50 million payment program under an enforceable undertaking, settled in late 2024, is a separate but adjacent reminder that the OAIC is now reaching for the full toolbox.
Two things follow.
First, the question "what will the OAIC actually do?" has been answered. The regulator will litigate, and superior courts will quantify privacy interference in the millions. That changes the cost-benefit of pre-breach investment and post-breach response.
Second, the conduct the Commissioner cared about in ACL and Medibank is conduct that is plainly visible in the NDB statistics — failure to take reasonable steps to protect personal information from misuse and unauthorised access. The OAIC is not being coy about the link between its dashboard and its docket.
Using the report on Monday morning
For a busy reader, here is what I would do with this dataset if I had a half-day and the ear of an executive committee.
Re-baseline what "reasonable steps" looks like
Australian Privacy Principle 11.1 requires APP entities to take such steps "as are reasonable in the circumstances" to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The OAIC publishes a Guide to securing personal information that operationalises that standard, and the dashboard is now the most authoritative source on what the threat picture behind "reasonable" actually contains in 2026. If the last time you reviewed your APP 11 control map was before the Medibank or Optus matters, it is out of date.
Test the assessment-and-notification clock
Part IIIC of the Privacy Act 1988 (Cth) requires a reasonable and expeditious assessment of a suspected eligible data breach, completed within 30 days of the entity becoming aware of the grounds for suspicion, and notification to the Commissioner and to affected individuals "as soon as practicable" once the entity forms the view that an eligible data breach has occurred. The 30 days is a ceiling on the assessment, not a target for notification. The OAIC has noted that breaches in the most recent period were identified and reported more quickly than in the prior period, which means the cohort you will be benchmarked against is moving faster, not slower. A tabletop that ends with "we'd probably notify within the 30 days" is not a tabletop; it is reassurance theatre. Run the clock end-to-end against a realistic incident, including counsel-led assessment and the practical mechanics of notifying tens of thousands of individuals.
Treat the human-error spike as a board-level risk
If 37% of notified breaches are now human-error driven, then a meaningful share of your residual privacy risk is sitting in mail flow, document handling, and the practices of staff who have never opened a SIEM. The control set is well understood — DLP on outbound channels, rigorous handling of bulk recipient lists, mandatory BCC tooling, classification-aware sharing controls in the document platform — and the budgetary case is unusually easy to make against current OAIC data.
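The outbound-email controls named here, and under "Human error is the line that moved" (mail flow rules, DLP policies), are easier to fund when the executive committee can see what they actually catch. The following is an added example, not OAIC guidance and not Artificer Cyber's own tooling: a small Python outbound-mail guard that flags the failure modes behind most human-error notifications, a bulk recipient list exposed in To/Cc instead of Bcc, a message addressed to a look-alike of a trusted domain, and a tax file number in the body of a message leaving the organisation. It uses the ATO's modulus-11 TFN checksum so that invoice references and phone-number fragments do not trip it. The internal and partner domains, the recipient threshold and the three sample messages are constructed for illustration; in production the same logic would live in a mail-flow rule or DLP policy rather than a script.

```python
"""Outbound email guard for the two human-error patterns in the OAIC data:
personal information sent to the wrong recipient, and a bulk recipient list
exposed in To/Cc instead of Bcc. Added example, not OAIC guidance or Artificer
Cyber code; domains, thresholds and messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import getaddresses

# Hypothetical policy settings (assumptions, not drawn from OAIC guidance).
INTERNAL_DOMAINS = {"example.com.au"}
KNOWN_PARTNER_DOMAINS = {"partner-clinic.com.au"}
MAX_VISIBLE_EXTERNAL = 5  # more than this in To/Cc should have gone via Bcc

# ATO tax file number check: weighted sum of the nine digits divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def is_valid_tfn(candidate: str) -> bool:
    """True if the nine digits pass the modulus-11 TFN checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    return len(digits) == 9 and sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Nine-digit groups that pass the checksum; the checksum is what keeps
    invoice references and phone-number fragments out of the result."""
    candidates = ("".join(m.groups()) for m in TFN_RE.finditer(text))
    return [c for c in candidates if is_valid_tfn(c)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message (any MIME shape)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")


def check_outbound(raw_message: str) -> list[str]:
    """Return policy findings for an RFC 5322 message; an empty list means release."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in visible if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]

    # Failure mode 1: bulk distribution in To/Cc, so every recipient sees the list.
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external recipients visible in To/Cc; use Bcc")

    # Failure mode 2: misdirected email to a look-alike of a trusted domain
    # (distance 0 is the trusted domain itself and is left alone).
    trusted = INTERNAL_DOMAINS | KNOWN_PARTNER_DOMAINS
    for addr in external:
        domain = addr.rsplit("@", 1)[-1]
        near = [t for t in sorted(trusted) if 0 < edit_distance(domain, t) <= 2]
        if near:
            findings.append(f"{addr} resembles trusted domain {near[0]}; confirm recipient")

    # Failure mode 3: sensitive identifiers leaving to any external party.
    tfns = find_tfns(plain_text(msg))
    if tfns and external:
        findings.append(f"{len(tfns)} TFN(s) in body addressed externally; hold for DLP release")
    return findings


# Constructed sample messages (not real traffic); headers are minimal RFC 5322.
BULK_TO_CC = """\
To: a@mail.test, b@mail.test, c@mail.test, d@mail.test, e@mail.test, f@mail.test

Please see the attached notice.
"""
TYPO_DOMAIN = """\
To: payroll@partner-clinc.com.au

TFN for the new starter is 123 456 782. Invoice ref 111 222 333.
"""
CLEAN = """\
To: payroll@partner-clinic.com.au
Cc: manager@example.com.au

Start date confirmed as Monday.
"""

if __name__ == "__main__":
    for name, sample in (("bulk", BULK_TO_CC), ("typo", TYPO_DOMAIN), ("clean", CLEAN)):
        print(name, check_outbound(sample) or "release")
```

The design point is that each finding maps to a control the board can buy: the recipient threshold is a mail-flow rule, the look-alike check is a recipient-confirmation prompt, and the identifier check is a DLP hold. The checksum matters because a DLP rule that fires on every nine-digit number gets switched off within a month; one that only fires on numbers the ATO would accept survives.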
Pre-position your privileged response posture
When the incident that lands you on the Commissioner's radar arrives, the work that determines the outcome happens in the first two days. Engagement structure, scope of forensic work, control of internal narrative, and the discoverability of working documents are decided then or never. Every Australian organisation holding meaningful volumes of personal information should have a written breach-response protocol that names a forensic partner, names breach counsel, and sets out how the two will engage on day zero. (For our take on how easy it is to leak privilege in those first forty-eight hours, see DFIR under privilege: getting the scope right on day zero.)
Where this lands for boards and their advisers
The headline story of the January–June 2025 period — fewer notifications than the record-setting prior half — is the least useful sentence to take away. The useful sentences are the ones underneath: human error has moved sharply, the sector concentration is hardening, the scale tail is what kills you, and the regulator now has a credible enforcement record to back the warnings on its dashboard. None of that is comfortable reading, and none of it should be.
Where we tend to come in
Most of the work we do for clients in this area is not glamorous. It is reviewing APP 11 control maps against the OAIC's current view, rewriting breach-response protocols so that privilege is preserved from the first call, running tabletop exercises against the 30-day clock, and standing behind the resulting work product when a regulator or a court asks who was on the engagement and what their instructions were. If any of that resembles a gap on your side, the breach response and privacy advisory practice is where that conversation usually starts.
Artificer Cyber provides privileged incident response and digital forensics, with your legal counsel in the engagement structure from day one to protect your investigation and your organisation.