Understand the breaches โ not just read about them.
Every record in the register is a real-world case study. This section explains the concepts behind
them, the frameworks that govern them in New Zealand, Australia and abroad, and exactly where our data comes
from โ and where it doesn't.
Start here
Key concepts you'll see across the register
๐๏ธ
Data breach
Unauthorised access to, or disclosure of, personal or sensitive information.
Seen in: every record
๐ค
Exfiltration
The attacker copies data out of the network โ the step that turns an intrusion into a breach.
Seen in: Australian Clinical Labs
๐
Ransomware
Malware that encrypts systems for extortion โ increasingly paired with data theft ("double extortion").
Seen in: Langley Twigg
๐ฃ
Phishing & credential theft
Tricking staff into handing over logins โ still the most common entry point.
The most common first step
๐
Supply-chain / third-party
The victim is breached through a vendor or IT provider, not directly.
Seen in: Partnered Health
๐ณ๏ธ
Dark-web leak
Stolen data published or sold on hidden forums when a ransom isn't paid.
Seen in: Langley Twigg
๐ชช
PII
Personally identifiable information โ names, IDs, Medicare/licence numbers, health data.
Seen in: Partnered Health
๐
Notifiable breach
A breach serious enough that the law requires notifying the regulator and those affected.
The trigger for most records
โ๏ธ
Civil penalty
A court-ordered fine for failing privacy obligations โ e.g. Australia's first, A$5.8M.
Seen in: Australian Clinical Labs
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
The globally recognised standard for an Information Security Management System.
NIST Cybersecurity Framework
US NIST ยท CSF 2.0
A widely adopted risk-based framework for structuring a security programme.
GDPR
European Union ยท General Data Protection Regulation
The benchmark privacy law that shaped notification regimes worldwide.
SOC 2 ยท PCI DSS
AICPA ยท PCI Security Standards Council
SOC 2 attests to a provider's controls; PCI DSS governs how card data must be protected.
Where our data comes from
Full transparency โ sources we draw from, and ones we don't
โ Sources we draw from
โOAICpenalties, determinations, NDB reports
โNZ Privacy Commissionerbreach notifications, case notes
โNCSC / CERT NZcyber insights, advisories
โACSCframeworks, alerts
โFederal Court / courtsjudgments & orders
โHave I Been Pwnednamed breach index
โCompany disclosures & credible mediaclearly labelled when a regulator hasn't yet acted
โ Sources we don't
โThe breached data itselfwe index the fact of a breach โ never host or link leaked data
โThreat-actor claims at face valueransomware gangs' "victim" posts are not proof
โAnonymous forums & social postsunverified, unattributable
โPublic breach submissionswe don't take submissions โ it keeps the register accurate & defensible
โOur own estimatesif there's no official figure, we label the gap rather than guess
๐ Every record links back to its primary source, and each field follows a fixed source rule. See the Methodology page for the full field-by-field standard.