You do not need our opinion on where Australian breaches come from. You do not need a vendor’s threat report, a conference keynote, or a consultant’s framework. The regulator publishes the numbers every six months, drawn from breaches organisations were legally required to report — and read across the data, they say the same thing we have said all along. The door is the same door. It has been the same door for years. And it is still open.
In its most recent reporting period, January to June 2025, the Office of the Australian Information Commissioner received 532 data breach notifications under the Notifiable Data Breaches scheme. Malicious or criminal attacks were the largest source, at 59 per cent — 308 of those notifications. And the share driven by ordinary human error rose to 37 per cent, up from 29 per cent in the prior period. Cyber incidents in that window affected, on average, just over 10,000 individuals each.
None of it is novel
Look at how the malicious attacks actually succeed, and the pattern is almost monotonous. In the OAIC’s July–December 2024 report, phishing led the cyber causes at 34 per cent, ransomware followed at 24 per cent, and stolen or compromised credentials accounted for 20 per cent. Social engineering and impersonation — manipulating a person into handing over access — ran at 28 per cent of malicious incidents, and was especially pronounced across Australian Government notifications. None of these are exotic. None of them required a previously unknown vulnerability. They are the front door, the help desk, and the borrowed login.
| Source / cause of breach | Share (OAIC period) | What it actually is |
|---|---|---|
| Malicious or criminal attack | 59% · Jan–Jun 2025 | The majority, and overwhelmingly cyber. Not novel exploits — stolen access and trusted-channel abuse. |
| Human error | 37% · Jan–Jun 2025 | Rising, up from 29%. Misdirected email is consistently the single largest sub-category — data sent to the wrong recipient. |
| Phishing (share of cyber incidents) | 34% · Jul–Dec 2024 | Leading cyber cause. A person persuaded to enter a credential where they should not. |
| Stolen / compromised credentials (share of cyber incidents) | 20% · Jul–Dec 2024 | A valid login in the wrong hands. To most systems, indistinguishable from a legitimate user. |
| Social engineering / impersonation (share of malicious attacks) | 28% · Jul–Dec 2024 | The human convinced to open the door. Especially prevalent in government notifications. |
Sources: OAIC Notifiable Data Breaches statistics. Overall source-of-breach shares are from the January–June 2025 report; the phishing, credentials and social-engineering figures are from the July–December 2024 report.
Read that column on the right from top to bottom. It is the soft layer — credentials, people, and the trusted channels between them — not the hardened perimeter everyone keeps re-buying. The breaches that hurt Australia are not getting cleverer. They are getting more familiar.
The sectors holding the most data are losing it
The OAIC’s sector breakdown is just as steady. Health was again the most-breached sector at 18 per cent of notifications, followed by finance at 14 per cent and Australian Government agencies at 13 per cent. These are not fringe operators with no security budget. They are the most regulated, most scrutinised, most heavily resourced holders of sensitive data in the country — and they sit at the top of the list year after year. When the best-defended keep losing to the same methods, the problem is not effort. It is where everyone is looking.
The controls already exist
Here is the part that should be liberating rather than depressing. Almost none of this requires a control that has not yet been invented. Phishing-resistant multi-factor authentication, credential monitoring, least-privilege access, careful handling of who can send what to whom — the mitigations for the dominant breach causes are mature, documented, and in most cases already partly deployed. The recurring failure is not a missing technology. It is not knowing where your own door is standing open before someone else finds it.
That is the gap a passive external assessment is built to close. It does not test your systems and it does not touch them. It assembles the same view an attacker builds first — your organisation as it appears from the public internet — and maps it to the exact categories the regulator counts.
Finding your open door before it becomes a notification
- Where credentials tied to your domains already sit in public breach and infostealer data — the “stolen credentials” line, measured as a live count rather than a worry.
- Which login portals and interfaces are reachable from the internet, and which lack the protections that would blunt a phishing-led intrusion.
- The forgotten subdomains, exposed services and misconfigurations that turn an ordinary credential into a full compromise.
- Findings expressed as risk and mapped to Australian Privacy Principle 11 — ready for the board pack, not just the security backlog.
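The "stolen credentials" line above, and the credential-monitoring control named earlier, can be measured rather than guessed. The following is an added example, not code from the original post or from any assessment product it describes. It works over a small breach-style dump constructed inline (invented e-mail addresses and passwords, hashed with SHA-1) and does three things: counts leaked records per watched domain, flags passwords shared by more than one account on that domain, and performs a local version of the k-anonymity range lookup that public breached-password services use, where only the first five hex characters of the hash leave the client and the match is made on the returned suffixes. The domain names and dump sources are assumptions for illustration.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple


def _sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1, the digest format breached-password ranges are published in."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# Constructed sample data for this example only: (email, sha1(password), source).
# None of these addresses, passwords or source names are real.
SAMPLE_DUMP: List[Tuple[str, str, str]] = [
    ("alice@example.com.au", _sha1_hex("Winter2024!"), "stealer-log-2025-03"),
    ("bob@example.com.au", _sha1_hex("Winter2024!"), "combo-list-2024-11"),
    ("carol@other.example", _sha1_hex("hunter2"), "combo-list-2024-11"),
    ("dave@example.com.au", _sha1_hex("Qw3rty-Correct"), "stealer-log-2025-05"),
]

# Domains the organisation owns and wants monitored (assumed for the example).
WATCHED_DOMAINS: Set[str] = {"example.com.au"}


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def exposures_by_domain(dump: List[Tuple[str, str, str]], watched: Set[str]) -> Dict[str, int]:
    """Live count of leaked credential records per watched domain."""
    counts: Counter = Counter()
    for email, _digest, _source in dump:
        if _domain(email) in watched:
            counts[_domain(email)] += 1
    return dict(counts)


def reused_passwords(dump: List[Tuple[str, str, str]], watched: Set[str]) -> Dict[str, List[str]]:
    """Password hashes shared by more than one watched account.

    One convincing message that captures a reused password unlocks every
    account on this list, so reuse is reported separately from raw exposure.
    """
    by_hash: Dict[str, Set[str]] = {}
    for email, digest, _source in dump:
        if _domain(email) in watched:
            by_hash.setdefault(digest, set()).add(email)
    return {h: sorted(emails) for h, emails in by_hash.items() if len(emails) > 1}


def build_range_index(dump: List[Tuple[str, str, str]]) -> Dict[str, Counter]:
    """Index digests by their first five hex characters.

    This mirrors the k-anonymity range model: a client sends only the prefix
    and receives every suffix seen under it with a count, so the full hash
    (and therefore the password) never leaves the client.
    """
    index: Dict[str, Counter] = {}
    for _email, digest, _source in dump:
        index.setdefault(digest[:5], Counter())[digest[5:]] += 1
    return index


def password_exposure_count(password: str, range_index: Dict[str, Counter]) -> int:
    """Return how many times a candidate password's hash appears in the indexed data."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_index.get(prefix, Counter()).get(suffix, 0)


if __name__ == "__main__":
    print("exposures per domain:", exposures_by_domain(SAMPLE_DUMP, WATCHED_DOMAINS))
    print("reused across accounts:", reused_passwords(SAMPLE_DUMP, WATCHED_DOMAINS))
    idx = build_range_index(SAMPLE_DUMP)
    print("'Winter2024!' seen:", password_exposure_count("Winter2024!", idx), "times")
```

Run against a real export, the per-domain count is the figure that belongs in the board pack, and the reuse list is the set of accounts to reset and enrol in phishing-resistant MFA first. The range lookup is included to show why a password-exposure check can be run without sending plaintext passwords or full hashes to a third party.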
Stop predicting the next attack. Find your open door first.
The industry spends enormous energy forecasting the next novel threat. The regulator’s data quietly insists it will look a great deal like the last one: a stolen login, a convincing message, a record sent to the wrong place, a door left answering. You cannot patch your way out of a problem you have not located. Find your exposure from the outside, govern it, and you move from reacting to a notification to preventing one — on your terms, before the count includes you.