OAIC launches new dashboard for data breaches

Published: 04 November 2025

The Office of the Australian Information Commissioner (OAIC) launched a new Notifiable Data Breaches (NDB) statistics dashboard today.

The new dashboard is an interactive tool that allows the Australian community to access, analyse and benchmark data received under the Notifiable Data Breaches (NDB) scheme. It has been created to help reporting entities, media and the public understand the volume and type of data breaches notified to the OAIC.

It provides a more dynamic view of the information previously contained in the OAIC's NDB reports, and will be updated every 6 months.

Australian Privacy Commissioner Carly Kind said the NDB dashboard highlights the OAIC's commitment to harnessing data to inform and educate, but also to take a data-driven approach to regulatory action.

"Our goal for the new NDB dashboard is to help reporting entities learn from the experiences of others - those organisations and agencies who have had to notify us of a data breach. We hope the tool is used to improve their own responses and reporting if a data breach occurs," Commissioner Kind said.

"As a regulatory body, we want to be proactive in guiding organisations, using education and data-informed decision-making to protect Australians' personal information."

The dashboard contains new statistics for January to June 2025. These show the OAIC was notified of 532 data breaches during the period, a 10% decrease compared with the previous six months.

Malicious or criminal attacks remained the largest source of data breaches (59%, at 308 notifications). The health sector continues to have the most reported data breaches (18% of reported data breaches), followed by the finance sector (14%) and Australian Government agencies (13%).

"The threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, so we want to arm entities with data to help them keep personal information secure and to ensure they have an appropriate action plan should a breach occur," Commissioner Kind said.

In addition to the statistics dashboard, the OAIC has published a blog that includes a case study about outsourcing personal information handling to third parties, and with links to guides and resources to help entities prepare and respond to a data breach.

• An eligible (notifiable) data breach occurs when:
  • Personal information has been lost or accessed or disclosed without authorisation.
  • This is likely to result in serious harm to one or more individuals.
  • The organisation has not been able to prevent the likely risk of serious harm with remedial action.
• The Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach. Once the organisation forms a reasonable belief that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable.
• Australian Privacy Principle 11 requires organisations to take reasonable steps to protect personal information held from misuse, interference and loss, as well as unauthorised access, modification or disclosure, and to destroy or de-identify the information when it is no longer required.
• The OAIC has published guidance on securing personal information and data breach preparation and response, as well as advice for individuals on responding to a data breach notification.