In 2025, privacy is a test of organisational resilience, trust, and strategic foresight.
The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breach (NDB) Report paints a stark picture. From July to December 2024, there were 595 notifiable data breaches, the most ever recorded in a single half-year reporting period. Malicious or criminal attacks accounted for 69% of them, with phishing, ransomware and compromised credentials leading the charge. This isn’t just a technical issue. It’s a wake-up call.
At the same time, the rise of generative AI has altered the cyber threat landscape. AI is now used to supercharge phishing attacks, impersonate executives with deepfakes, and scan networks for vulnerabilities. These tools reduce the level of sophistication required to mount a successful attack, while increasing the potential for harm. AI isn’t just a future risk; it’s a present threat.
So what can we learn from the breaches we’ve already seen? Let’s unpack some of the key lessons from recent Australian data breaches and regulatory activity.
Before we get to the NDB scheme – data breaches under the Privacy Act
It’s important to understand that a data breach is not, in itself, automatically a breach of the Privacy Act.
There is no obligation under APP 11 or any other provision to absolutely prevent all data breaches. The law requires organisations to take reasonable steps to protect personal information. That is a contextual, risk-based standard. And sometimes, even when reasonable steps are taken, a breach may still occur, especially given the growing sophistication of cyber threats.
However, in many cases, if you peel back the curtain on a major breach, you don’t find cutting-edge attackers. You find corners cut, budgets trimmed, and basic vulnerabilities left unpatched. That’s when you run into regulatory trouble.
Technically, the only absolute legal obligation an organisation has in the immediate aftermath of a data breach under the Privacy Act is to assess and, if required, comply with the NDB scheme. But whether or not a breach amounts to a breach of the Privacy Act more broadly will depend on what steps were taken before the breach occurred and how reasonable those steps were, in light of the risks.
How the NDB regime works
Under the NDB scheme, organisations subject to the Privacy Act must notify affected individuals and the OAIC when they experience a data breach that is likely to result in serious harm. The steps are clear:
- Contain the breach
- Assess the harm (within 30 days)
- Notify affected individuals and the OAIC
Importantly, before notification obligations arise, entities must undertake a "reasonable and expeditious assessment" to determine whether serious harm is likely. This dual requirement often creates tension in practice. "Reasonable" suggests taking into account all the circumstances, including operational constraints and cost. But "expeditious" requires urgency and speed. In reality, these goals can be difficult to reconcile: a thorough assessment may require forensic investigators, legal review and executive decision-making – all of which can be expensive and complex. Organisations are often caught in a bind: act too slowly and risk regulatory scrutiny; act too quickly and risk making an inaccurate determination or blowing the budget on day 2.
The OAIC expects organisations to take a risk-based approach to assessing serious harm, with the focus squarely on the potential impacts on individuals. Simply not knowing whether data was accessed is not an excuse; uncertainty can itself increase the likelihood of serious harm.
The data breach regime was recently strengthened by the Privacy and Other Legislation Amendment Act 2024, which introduced:
- Civil Penalties and Infringement Notices - New civil penalties and infringement notices for inadequate or incomplete breach notifications.
- Temporary Exemptions for Information Sharing - The Minister can temporarily override the APPs (for up to 12 months) to allow data sharing aimed at reducing harm following a serious breach.
- APP 11 Now Explicitly Covers Non-Technical Controls - "Reasonable steps" for security now include both technical and organisational measures, like staff training and security policies, aligning the law with OAIC best practice and global standards.
- OAIC Can Require Support for Affected Individuals - After a breach, the OAIC can direct organisations to assist people, including helping replace credentials or funding identity theft support services.
- Stronger Powers for the OAIC - The OAIC now has tougher investigative tools, including judicial warrants, broader seizure powers, and the use of reasonable force on things (not people) when executing a warrant.
The OAIC now has sharper, faster, and more flexible enforcement tools. The days of low-consequence investigations are over.
What should organisations be doing now? Key takeaways
In a landscape shaped by relentless cyber threats, increasingly assertive regulators, and rising public scrutiny, organisations can no longer afford a reactive approach to data breach response. The lessons from recent breaches are clear and consistent.
1. Integrated Cyber and Privacy Governance and Minimum Controls
Cybersecurity and privacy are no longer separate domains. The OAIC’s enforcement actions against Medibank and Australian Clinical Labs under APP 11 show that inadequate cyber security is a privacy failure. But the OAIC isn’t the only regulator in the mix. ASIC’s actions against RI Advice and now FIIG Securities allege cyber failings breached AFS licence obligations. APRA has also begun to beat the drum more loudly under CPS 234 and the incoming CPS 230, especially in superannuation. When one incident attracts three regulators, you know the old silos won’t cut it anymore. Integrated, board-level governance is essential.
Further, some of the most devastating data breaches in Australia have resulted not from advanced threats, but from failures to implement basic, well-understood security measures. Things like multi-factor authentication (MFA), Active Directory hygiene, strong password policies, and regular cyber awareness training are now considered non-negotiables. These are the “low-hanging fruit”: easy to implement, high-impact, and closely watched by regulators. If you haven’t addressed the basics, you’re not just increasing your breach risk; you’re sending a signal to regulators that you’re failing at foundational privacy and security governance.
2. Legal Privilege Must Be Strategised, Not Assumed
The privilege battles in Optus and Medibank show how quickly post-breach investigation reports can become discoverable. Courts are looking at the dominant purpose of the report, how it was commissioned, who saw it, and what it was used for. If you want to maintain privilege, legal must be in the driver’s seat early. That includes carefully scoped engagement letters, limited circulation, consistent language in internal and external comms, and strict alignment with the purpose of legal advice. Protocols matter. Casual language and poor governance can cost you your legal shield.
3. The Risks of Ransom Payment Go Beyond Ethics
The OAIC has clarified that paying a ransom does not remove the obligation to notify, nor does it automatically reduce the risk of serious harm.
Paying a ransom does not necessarily reduce the likelihood of serious harm to individuals... the organisation may have no way of verifying the attacker’s promises.
Ultimately, if serious harm is likely, you must still notify, payment or not.
Many ransomware payments may also breach sanctions, AML/CTF, or foreign interference laws, even where enforcement may currently be soft. My personal view? Avoid payment in almost all cases. You’re fuelling a criminal enterprise, often with no guarantee the data will be deleted. But I also recognise it’s complex. That’s why organisations should develop a pre-agreed position with their board before they face this decision. Be aligned, be prepared, but don’t expect payment to make the problem go away.
And remember: even when exfiltration can’t be confirmed, the risk of unauthorised access or re-identification may be enough to trigger notification prior to any publication of that data on the dark web.
A reminder also that under new federal legislation, ransomware payments must now be reported to the ASD. While the ASD is not a regulator and is limited in its use of that information, this mandatory reporting will increase government visibility over ransomware incidents. If you’re paying a ransom, it’s no longer just between you, your insurer, and the attacker; it’s on the national radar.
4. Data Retention and Governance Are Still Failing
Australia has a deeply ingrained information collection culture. The OAIC called this out at the start of Privacy Awareness Week. But what’s collected is rarely deleted. Many organisations have poorly defined or unimplemented retention and destruction regimes. The result? When breaches happen, you’re exposed, not just because of the breach itself, but because of all the old, unnecessary data you failed to clean up. Organisations must get better at:
- Understanding their data holdings
- Enforcing their retention schedules
- Eliminating the “just in case” mindset
The federal government is currently reviewing Australia’s data retention obligations – and it should. With over 700 overlapping provisions across federal laws alone, the current framework lacks consistency, clarity, and usability. It’s near impossible for organisations to navigate in practice. A streamlined, modernised regime would support both compliance and stronger privacy outcomes.
5. Test Your Response — And Make It Real
Running an IT drill once a year won’t cut it. Testing should simulate the full lifecycle: legal decision-making, executive governance, media response, supplier escalation, and regulatory notification. But the test must be pegged at the right level. Too easy, and you learn nothing. Too hard, and teams disengage. The sweet spot is a test that pushes, but doesn’t break, your people. Work with experienced providers to design bespoke scenarios and, crucially, don’t overshare. If everyone knows what’s coming, it’s not a test, it’s theatre.
6. Supplier and Third-Party Risk Can’t Be Outsourced
Your ecosystem is only as strong as its weakest link. Good third-party risk management covers:
- Due diligence at onboarding
- Strong contracts with minimum obligations and escalation rights
- Audit and access rights that are actually exercised
- Flow-through of obligations to subcontractors and sub-subcontractors
And beware the over-reliance on ISO 27001. It’s a framework, not a security guarantee. It certifies that an organisation is following its own selected controls, not that those controls are appropriate for your risk or data. Always look behind the badge. Ask questions. Simulate breaches that start in your supply chain.
Because when things go wrong, regulators and customers won’t care who was technically “at fault”; they’ll ask what you did to prevent it.
Ultimately, how an organisation responds to a data breach reveals more than its policies. It reveals its DNA.
In the heat of crisis, does the organisation act with transparency, accountability and care for the individuals affected? Or does it fall back on legal minimalism, choosing silence, delay, and loopholes in place of action?
Some organisations still treat the NDB scheme as a compliance burden to be avoided if possible. But others are recognising the moment for what it is: a trust test.
In that moment, every organisation has a choice:
- To deliver bare minimum compliance, or to act decisively and responsibly
- To obscure facts and shift blame, or to front up and take ownership
- To delay disclosure, or to inform stakeholders quickly, clearly and respectfully
As we’ve written before, cyber attacks and privacy breaches aren’t just IT or legal problems – they’re leadership tests. A poor response can permanently damage customer trust, regulator confidence, and internal culture. A strong one can turn a crisis into a credibility milestone.
In an era of AI-driven threats, rising enforcement, and public scrutiny, responsible breach response isn’t just ethical, it’s strategic.