There were 527 data breach notifications in Australia in the six months to June, up 9% compared with the preceding half to the highest half-year figure since 2020.

Privacy and security measures are not keeping up with the threats facing personal information, the Office of the Australian Information Commissioner says.

Cybersecurity incidents made up 38% of notifications. Businesses have been warned to guard against malicious actors using compromised credentials, plus ransomware and phishing.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm ... from an increase in scams and the risk of identity theft, to emotional distress and even physical harm,” privacy commissioner Carly Kind said.

“It is no longer acceptable for privacy to be an afterthought; entities need to be taking a privacy-centric approach in everything they do.”

While 63% of data breaches affected 100 or fewer people, one in May at prescription delivery business MediSecure exposed the personal information of almost 13 million individuals – a record. It was the second breach recorded in Australia affecting more than 10 million people.  

Criminal attacks accounted for more than two-thirds of breaches. The health and government sectors notched the most breaches, making up 19% and 12% of notifications respectively.

The proposed Privacy and Other Legislation Amendment Bill 2024 would give the OAIC an enhanced civil penalty regime and infringement notice powers. It would also expressly require organisations to implement measures such as encrypting data, securing access to systems and premises, and undertaking staff training on information security risks.

The bill is in the House of Representatives, marking the first of a tranche of reforms to the Privacy Act.

“We would like to see all Australian organisations be required to build the highest levels of security into their operations,” Ms Kind said.