๐Ÿ”’breach.co.nz ยท the NZ & Australia breach register ๐Ÿ›ก๏ธ A Govern service
๐ŸŽ“ For students & practitioners

Understand the breaches โ€” not just read about them.

Every record in the register is a real-world case study. This section explains the concepts behind them, the frameworks that govern them in New Zealand, Australia and abroad, and exactly where our data comes from โ€” and where it doesn't.

Start here

Key concepts you'll see across the register
๐Ÿ—„๏ธ
Data breach
Unauthorised access to, or disclosure of, personal or sensitive information.
Seen in: every record
๐Ÿ“ค
Exfiltration
The attacker copies data out of the network โ€” the step that turns an intrusion into a breach.
Seen in: Australian Clinical Labs
๐Ÿ”’
Ransomware
Malware that encrypts systems for extortion โ€” increasingly paired with data theft ("double extortion").
Seen in: Langley Twigg
๐ŸŽฃ
Phishing & credential theft
Tricking staff into handing over logins โ€” still the most common entry point.
The most common first step
๐Ÿ”—
Supply-chain / third-party
The victim is breached through a vendor or IT provider, not directly.
Seen in: Partnered Health
๐Ÿ•ณ๏ธ
Dark-web leak
Stolen data published or sold on hidden forums when a ransom isn't paid.
Seen in: Langley Twigg
๐Ÿชช
PII
Personally identifiable information โ€” names, IDs, Medicare/licence numbers, health data.
Seen in: Partnered Health
๐Ÿ””
Notifiable breach
A breach serious enough that the law requires notifying the regulator and those affected.
The trigger for most records
โš–๏ธ
Civil penalty
A court-ordered fine for failing privacy obligations โ€” e.g. Australia's first, A$5.8M.
Seen in: Australian Clinical Labs
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
Enquire โ†’ breach@govern.co.nz

The rulebooks

National & international frameworks that govern this space
๐Ÿ‡ณ๐Ÿ‡ฟ New Zealand ๐Ÿ‡ฆ๐Ÿ‡บ Australia ๐ŸŒ International
NZISM
New Zealand Information Security Manual ยท GCSB / NCSC ยท v3.9
NZ government's technical security standard โ€” the baseline controls agencies and many businesses use.
nzism.gcsb.govt.nz โ†’
Privacy Act 2020
Office of the Privacy Commissioner ยท 13 Information Privacy Principles
Sets how organisations must handle personal information, and mandatory notification of serious breaches.
www.privacy.org.nz โ†’
NCSC (incorporating CERT NZ)
Lead operational cyber agency ยท merger completed 2024
Where cyber incidents are now reported in NZ, and the source of the quarterly Cyber Security Insights.
www.ncsc.govt.nz โ†’
Protective Security Requirements
NZ Government protective security policy
The broader framework covering governance, personnel, physical and information security.
www.protectivesecurity.govt.nz โ†’
Australian Government ISM
Australian Signals Directorate / ACSC ยท "the ISM"
Australia's equivalent of NZISM โ€” the cyber security controls framework for systems and data.
www.cyber.gov.au โ†’
Essential Eight
ACSC ยท mitigation strategies + maturity model
Eight prioritised controls (patching, MFA, backupsโ€ฆ) that prevent most incidents.
www.cyber.gov.au โ†’
Privacy Act 1988 + APPs
OAIC ยท 13 Australian Privacy Principles
Governs personal information handling; civil penalties for serious breaches now reach A$50M.
www.oaic.gov.au/privacy/australian-privacy-principles โ†’
Notifiable Data Breaches (NDB)
OAIC ยท mandatory reporting scheme
Requires notifying the OAIC and affected people of eligible breaches โ€” the source of much AU data.
www.oaic.gov.au/privacy/notifiable-data-breaches โ†’
ISO/IEC 27001
International standard ยท ISMS certification
The globally recognised standard for an Information Security Management System.
NIST Cybersecurity Framework
US NIST ยท CSF 2.0
A widely adopted risk-based framework for structuring a security programme.
GDPR
European Union ยท General Data Protection Regulation
The benchmark privacy law that shaped notification regimes worldwide.
SOC 2 ยท PCI DSS
AICPA ยท PCI Security Standards Council
SOC 2 attests to a provider's controls; PCI DSS governs how card data must be protected.

Where our data comes from

Full transparency โ€” sources we draw from, and ones we don't

โœ… Sources we draw from

โœ“OAICpenalties, determinations, NDB reports
โœ“NZ Privacy Commissionerbreach notifications, case notes
โœ“NCSC / CERT NZcyber insights, advisories
โœ“ACSCframeworks, alerts
โœ“Federal Court / courtsjudgments & orders
โœ“Have I Been Pwnednamed breach index
โœ“Company disclosures & credible mediaclearly labelled when a regulator hasn't yet acted

โ›” Sources we don't

โœ•The breached data itselfwe index the fact of a breach โ€” never host or link leaked data
โœ•Threat-actor claims at face valueransomware gangs' "victim" posts are not proof
โœ•Anonymous forums & social postsunverified, unattributable
โœ•Public breach submissionswe don't take submissions โ€” it keeps the register accurate & defensible
โœ•Our own estimatesif there's no official figure, we label the gap rather than guess
๐Ÿ”— Every record links back to its primary source, and each field follows a fixed source rule. See the Methodology page for the full field-by-field standard.