OAIC Figures Show Data Breaches in Australia Are on the Rise

In May 2025, the Office of the Australian Information Commissioner (OAIC) reported that it was notified of 1,113 data breaches during 2024. These latest figures indicate a 25% increase compared to the 893 data breaches reported in Australia back in 2023. It was the highest yearly total since breach notifications became mandatory under the Notifiable Data Breaches (NDB) scheme back in 2018.

These figures are a stark reminder for organisations in Australia and beyond to strengthen their cybersecurity measures or risk hitting the headlines. More and more businesses rely on a digital-first operating model, using a variety of systems and applications to run their operations. These days it is not just office staff who are equipped with laptops and computers: tablets and mobile devices are used by staff in hospitals, shops, factories and industrial settings, and by staff on the road. This enables businesses to collect data and communicate with staff wherever they are working.

The wide use of mobile devices and tablets by staff to complete tasks has streamlined operational processes and provides businesses with a wealth of data to support decision-making, but it has also broadened the attack surface for cyber criminals. A simple human error, such as leaving a device unlocked, can put sensitive data into the wrong hands and lead to systems being compromised.

While companies wouldn’t be without those systems and devices due to the efficiencies they bring, organisations need to be vigilant and put measures in place to manage cyber risk, resolve cyber incidents, and comply with data privacy regulations to safeguard systems and protect company data.

Which industries are experiencing the most data breaches?

According to the latest OAIC figures, the five sectors with the most data breaches in Australia included healthcare, government, financial services, legal, accounting and management services, and retail. These sectors tend to hold a lot of personal data and in some cases payment details, making them a prime target for cyber criminals. These also tend to be sectors where most staff will use some kind of digital device to complete their tasks, giving cyber criminals more access points and increasing the chances of human errors that could lead to data breaches.

How can organisations reduce the likelihood of cyber-attacks?

Firms can reduce the likelihood of their systems being compromised through cyber-attacks and data breaches by establishing effective cyber risk management processes, implementing governance procedures and effective controls, and ensuring swift resolution of cyber incidents. Here are 5 ways organisations can reduce the likelihood of cyber-attacks.

  1. Cyber Risk Management

To manage cyber risk effectively, firms must build a cyber risk register and actively monitor cyber risk; this is best managed using GRC software. Each cyber risk must be logged, categorised, and rated, and key risk indicators (KRIs) must be established. Risk levels must be monitored against the KRIs regularly to detect rising risk levels, both through regular cyber risk assessments and by monitoring any relevant IT data. If firms use GRC software to manage cyber risk, these solutions can often integrate with other IT systems to pull data into the platform via APIs, tracking risk levels based on live operational data and real threats.
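The register, rating and KRI monitoring described above, as an added illustration (not Riskonnect's code or any GRC product's data model): each risk is rated on a likelihood x impact matrix, KRIs carry thresholds, and live readings are evaluated against them to re-rate risks and flag those outside the stated appetite. Risk entries, KRI names, thresholds and readings are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class KRI:
    """Key risk indicator: a live measurement with a tolerance threshold."""
    name: str
    threshold: float
    higher_is_worse: bool = True  # False for "good" metrics such as % devices encrypted

    def breached(self, value: float) -> bool:
        return value > self.threshold if self.higher_is_worse else value < self.threshold

@dataclass
class Risk:
    """One register entry, rated on a 5x5 likelihood x impact matrix."""
    risk_id: str
    title: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)
    kris: list = field(default_factory=list)

BANDS = ("low", "medium", "high")

def band(score: int) -> str:
    """Map a 1..25 likelihood x impact score to a reporting band."""
    return BANDS[2 if score >= 15 else 1 if score >= 8 else 0]

def assess(register, readings, appetite="medium"):
    """Re-rate each risk against current KRI readings ({kri name: value}); every breached
    KRI raises likelihood by one (capped at 5). Returns {risk_id: (band, breaches, over_appetite)}."""
    result = {}
    for r in register:
        breached = [k.name for k in r.kris
                    if k.name in readings and k.breached(readings[k.name])]
        b = band(min(5, r.likelihood + len(breached)) * r.impact)
        result[r.risk_id] = (b, breached, BANDS.index(b) > BANDS.index(appetite))
    return result

# Constructed register and readings (what patching, MDM or training tools might feed in via API).
REGISTER = [
    Risk("R1", "Ransomware via unpatched endpoint", "malware", 3, 5,
         [KRI("endpoints_missing_critical_patch_pct", 5.0)]),
    Risk("R2", "Unlocked or lost mobile device exposes data", "devices", 2, 4,
         [KRI("mobile_devices_encrypted_pct", 98.0, higher_is_worse=False),
          KRI("devices_with_auto_lock_disabled", 0)]),
    Risk("R3", "Phishing leads to credential theft", "people", 3, 4,
         [KRI("phishing_sim_click_rate_pct", 10.0)]),
]
READINGS = {"endpoints_missing_critical_patch_pct": 12.5, "mobile_devices_encrypted_pct": 99.1,
            "devices_with_auto_lock_disabled": 3, "phishing_sim_click_rate_pct": 6.0}
```

Calling `assess(REGISTER, READINGS)` flags R1 as high and outside a medium appetite because the patching KRI is breached, while R2's auto-lock breach lifts it but keeps it within appetite.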

  2. Controls

Once the full range of cyber risks is identified and risk levels are being monitored, firms should implement controls to keep risk levels within the desired risk appetite. In the case of cyber risk, a control might be software that protects against malware and ransomware, a firewall or encryption, staff training or an IT usage policy, or a regular check or inspection. Whatever the controls are, they need to be checked and tested regularly to ensure they are effective in mitigating the associated risk.

Firms should report regularly on cyber risk exposure and control effectiveness and actively address rising risk levels and failed or ineffective controls to keep risk within their desired risk appetite.

  3. Cyber Incident Management

In a largely digital operating model, cyber incidents and data breaches will happen, and it is how companies respond and deal with these incidents that matters. Firms must establish clear reporting routes for staff to log cyber incidents and data breaches, and clear escalation routes must be defined.

Many firms use the incident management capabilities within GRC software to capture, escalate, and resolve their cyber incidents. Staff use online forms to log incidents and can easily upload photos, evidence, and URLs to capture the full extent of the incident. Incidents are automatically escalated to the relevant stakeholder, and remediating actions are captured using case management workflows until the incident is resolved. Businesses can conduct root cause analysis to understand why incidents are happening, report on causes and consequences, and implement controls to prevent future occurrences.

  4. Compliance with Data Privacy and Cybersecurity Standards

To ensure the organisation is aligned with modern cybersecurity practice, most businesses must achieve compliance with a range of data privacy and cybersecurity standards. Commonly adopted frameworks include ISO 27001, GDPR, CPS 234, NIST, NIS2, and Cyber Essentials, among many others.

To ensure compliance, mature firms use GRC software to build an obligations register, capturing each regulation or standard and its requirements. They then document the compliance actions taken to meet each requirement. These actions might be a policy or operating procedure, they might be a regular check or inspection, or they might be security software or equipment. Capturing these vital steps and processes helps firms to achieve compliance with each requirement.

With most firms required to follow the same regulations, many GRC software platforms offer out-of-the-box compliance frameworks to help firms to align their processes with widely used cybersecurity and data privacy frameworks including ISO 27001, GDPR, CPS 234, NIST, NIS2 and more. These frameworks enable firms to implement the necessary checks and controls to align their processes with the standards. These tools also offer workflows for regulatory change management. Each regulation is mapped to the relevant processes, policies, and compliance actions. Therefore, when a regulation changes, firms can easily understand which policies and procedures will need to be amended, and they can fully document what was changed and when, providing a complete audit trail for regulators.

  5. Cyber Asset Management

To have a secure IT infrastructure, organisations must ensure their hardware is current and their software licences are up to date. This requires effective cyber asset management. Firms must keep a comprehensive list of their cyber assets, enabling them to monitor usage, age, and expiry dates. Not only does this help organisations to ensure that their IT infrastructure is robust enough to meet modern demands, but it also helps teams to budget for replacing ageing equipment and funding licence renewals.

Why Managing Cyber Risk Should be a Priority

Although data breaches are on the rise, there are many ways that firms can strengthen their cybersecurity posture. By effectively managing cyber risk and technology risk with the relevant controls, capturing and resolving cyber incidents quickly, and ensuring compliance with data privacy regulations and standards, firms can significantly reduce the chances of a data breach.

By implementing GRC software and effectively managing and mitigating cyber risk, firms can feel confident that they are doing all they can to reduce the likelihood of a data breach or cyber-attack. To find out how GRC software from Riskonnect can support your organisation to identify and mitigate cyber risk and implement effective controls, request a demo.

Jason Were

Vice President APAC
