πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service

Every reported data breach in New Zealand & Australia β€” indexed, sourced, searchable.

We don't investigate. We index what regulators, courts and companies have already made public β€” every figure links back to its official source.

A$5.8M
largest confirmed penalty (first under the Privacy Act)
76
records indexed
198,206,195+
people affected (where disclosed)
NZ Β· AU
trans-Tasman coverage
Country All πŸ‡³πŸ‡Ώ NZ πŸ‡¦πŸ‡Ί AU Trust All ● Confirmed β—‹ Reported
Advertising
Your brand, in front of the right people
Run-of-site leaderboard β€” the register, by-sector directory, Learn and Alerts.
Enquire β†’ breach@govern.co.nz
Showing 15 of 76 records
Partnered Health β€” national GP clinic network
πŸ‡¦πŸ‡Ί Multiple states (national clinic network) Β· breach 2026-06 Β· disclosed 2026-07-15
πŸ₯ Healthcare Β· General Practice
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, contact details, Medicare numbers, Private health insurance / DVA / concession card numbers
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Partnered Health Β· View record β†’
Ochre Health (Tuggeranong)
πŸ‡¦πŸ‡Ί Canberra, ACT Β· breach 2026-06 Β· disclosed 2026-06
πŸ₯ Healthcare Β· GP clinic / medical centre
People affected
Not disclosed
Data taken
Unauthorised access via two compromised accounts on the HotDoc third-party booking platform (Tuggeranong clinic), Reported to include names, dates of birth, addresses, emails, phone numbers, Medicare numbers, DVA numbers, appointment details and billing information
Regulator
OAIC and ACSC (notified)
Trust tier
Reported
● Under investigation Source: Ochre Health Β· View record β†’
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
Enquire β†’ breach@govern.co.nz
Queensland Department of Education
πŸ‡¦πŸ‡Ί Queensland Β· breach 2026-05 Β· disclosed 2026-05
πŸ›οΈ Government Β· State education department
People affected
Not disclosed
Data taken
Names, email addresses, school locations, student ID numbers and user messages; the Education Minister said there was no evidence passwords, dates of birth or financial information were accessed
Regulator
none
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Melbourne International Film Festival
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2026-05 Β· disclosed 2026-05
πŸ—‚οΈ Other Β· Events / ticketing
People affected
26,782 (approx)
Data taken
Names, email addresses, phone numbers, addresses, customer IDs and membership/purchase data; MIFF said no credit-card data was involved
Regulator
ACSC (ASD) notified
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
youX
πŸ‡¦πŸ‡Ί Australia Β· breach 2026-02 Β· disclosed 2026-02
πŸ’³ Finance Β· Consumer / automotive loan brokerage platform
People affected
444,538 (approx)
Data taken
Home addresses, income and debt details, government IDs (including about 5,010 driver-licence numbers in a preview), broker-customer SMS, vehicle identifiers, employee password hashes and financial-hardship notes
Regulator
OAIC notified
Trust tier
Reported
● Disclosed Source: Information Age (ACS) Β· View record β†’
Langley Twigg β€” Napier law firm
πŸ‡³πŸ‡Ώ Napier, Hawke's Bay Β· breach 2026-01-11 Β· disclosed 2026-01
βš–οΈ Legal Β· Law firm
People affected
Not disclosed
Data taken
Client documents / case files, Passport scans (employee & client), Internal firm operational information
Regulator
NZ-Privacy-Commissioner
Trust tier
Reported
● Under investigation Source: Langley Twigg Law Β· View record β†’
Neighbourly
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2026-01 Β· disclosed 2026-01
πŸ–₯️ Technology Β· Community social network
People affected
Not disclosed
Data taken
Names, email addresses, posts, private messages and GPS / location data
Regulator
High Court (Auckland) injunction
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
Victorian Department of Education
πŸ‡¦πŸ‡Ί Victoria Β· breach 2026-01 Β· disclosed 2026-01
πŸ›οΈ Government Β· State schools
People affected
Not disclosed
Data taken
Student personal information across Victorian government schools
Regulator
OVIC; OAIC
Trust tier
Reported
● Under investigation Source: BleepingComputer Β· View record β†’
Prosura
πŸ‡¦πŸ‡Ί Β· breach 2026-01 Β· disclosed 2026-01
πŸ’³ Insurance Β· Rental-car / travel insurance
People affected
Not disclosed
Data taken
Names, phone numbers, email addresses, country of residence, invoicing and pricing data, travel destinations and policy start/end dates, Claim data reportedly including driver licences and related images
Regulator
none
Trust tier
Reported
● Under investigation Source: Cyber Daily Β· View record β†’
Manage My Health
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2026 Β· disclosed 2026
πŸ₯ Healthcare Β· Patient portal
People affected
126,000 (approx)
Data taken
Patient health records and personal information
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Under investigation Source: Office of the Privacy Commissioner Β· View record β†’
University of Sydney
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-12 Β· disclosed 2025-12
πŸŽ“ Education
People affected
20,000+
Data taken
Personal information of staff, affiliates and applicants (via a third-party platform)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: The University of Sydney Β· View record β†’
iiNet (TPG Telecom)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-08 Β· disclosed 2025-08
πŸ“‘ Telco
People affected
280,000 (approx)
Data taken
Email addresses, usernames, phone numbers; some modem setup passwords
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: The Register Β· View record β†’
Qantas
πŸ‡¦πŸ‡Ί Sydney, NSW (AU; NZ regulator also notified) Β· breach 2025-06 Β· disclosed 2025-07
πŸ—‚οΈ Other Β· Aviation
People affected
5,700,000 (approx)
Data taken
Names, email addresses, Qantas Frequent Flyer numbers, addresses, dates of birth, phone numbers, No credit-card, financial or passport data (not stored in the affected system)
Regulator
OAIC
Trust tier
Confirmed
● Resolved Source: Qantas Β· View record β†’
Sydney Tools
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-03 Β· disclosed 2025-03
πŸ›οΈ Retail
People affected
Not disclosed
Data taken
~34 million customer and order records exposed via a misconfigured database
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Cybernews Β· View record β†’
Australian superannuation funds (coordinated attack)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-03 Β· disclosed 2025-04
πŸ’³ Finance Β· Superannuation
People affected
Not disclosed
Data taken
Member account access via credential stuffing; some funds reportedly withdrawn (~$500k reported)
Regulator
ASIC / APRA (engaged)
Trust tier
Reported
● Disclosed Source: SBS News Β· View record β†’
The Fullerton Hotel Sydney
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-03 Β· disclosed 2025-04
πŸ—‚οΈ Other Β· Hospitality / hotels
People affected
Not disclosed
Data taken
As claimed by the Akira ransomware group (~148 GB): passports, driver licences, employee records, corporate documents and the credit-card details of a small number of guests
Regulator
OAIC (notified)
Trust tier
Reported
● Under investigation Source: Cyber Daily Β· View record β†’
Australian Human Rights Commission
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-03 Β· disclosed 2025-05
πŸ›οΈ Government Β· Federal statutory agency
People affected
Not disclosed
Data taken
Full names, email and residential addresses, mobile numbers, employer/role, and in some cases health information, schooling, religion and photographs
Regulator
OAIC notified
Trust tier
Reported
● Disclosed Source: Australian Human Rights Commission Β· View record β†’
Genea Fertility
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-02 Β· disclosed 2025-02
πŸ₯ Healthcare Β· IVF / fertility
People affected
Not disclosed
Data taken
Sensitive patient and fertility/medical records (published on the dark web)
Regulator
OAIC (notified)
Trust tier
Reported
● Under investigation Source: TechCrunch Β· View record β†’
Metricon Homes
πŸ‡¦πŸ‡Ί Australia Β· breach 2025 Β· disclosed 2025
πŸ—‚οΈ Other Β· Construction / home building
People affected
Not disclosed
Data taken
Employee and customer personal information posted to a dark-web leak site
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Breachsense Β· View record β†’
Health New Zealand β€” Te Whatu Ora (staff data)
πŸ‡³πŸ‡Ώ Central region (Capital, Coast & Hutt Valley; Wairarapa) Β· breach 2024-10 Β· disclosed 2025-03
πŸ₯ Healthcare Β· Public health system (staff data)
People affected
Not disclosed
Data taken
Staff occupational health and safety information, including medical assessments and health-related correspondence (2020–2024)
Regulator
OPC notified; NZ Police Cybercrime Unit investigating
Trust tier
Reported
● Disclosed Source: RNZ Β· View record β†’
Finsure
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2024-10 Β· disclosed 2024-11
πŸ’³ Finance Β· Mortgage aggregator
People affected
Not disclosed
Data taken
Names, email addresses, phone numbers and physical addresses
Regulator
none
Trust tier
Reported
● Disclosed Source: The Adviser Β· View record β†’
Total Tools
πŸ‡¦πŸ‡Ί Australia Β· breach 2024-09 Β· disclosed 2024-09
πŸ›οΈ Retail Β· Hardware / tools retailer
People affected
38,000 (approx)
Data taken
Names, email addresses, login credentials and credit-card information (per the company)
Regulator
ACSC and OAIC notified
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
I-MED Radiology Network
πŸ‡¦πŸ‡Ί Australia Β· breach 2024-09 Β· disclosed 2024-09
πŸ₯ Healthcare Β· Medical imaging
People affected
Not disclosed
Data taken
Patient records and imaging referral information (tens of thousands of files)
Regulator
OAIC
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Compass Group (Australia)
πŸ‡¦πŸ‡Ί Australia Β· breach 2024-09 Β· disclosed 2024-09
πŸ—‚οΈ Other Β· Catering & support services
People affected
Not disclosed
Data taken
Employee wage declarations, international passports, driver's licences and internal documents (exfiltrated by the Medusa group)
Regulator
ACSC and OAIC notified
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Squirrel
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2024-07 Β· disclosed 2024-07
πŸ’³ Finance Β· Mortgage broking / peer-to-peer lending
People affected
600 (approx)
Data taken
Name, date of birth, and passport or driver-licence ID numbers (held by a third-party ID-verification onboarding system)
Regulator
none reported
Trust tier
Reported
● Disclosed Source: RNZ Β· View record β†’
Early Settler
πŸ‡¦πŸ‡Ί Australia (NZ customers also affected) Β· breach 2024-07 Β· disclosed 2024-08
πŸ›οΈ Retail Β· Furniture / homewares
People affected
Not disclosed
Data taken
Full names, emails, phone numbers, delivery addresses and some dates of birth; the company said no payment-card data was stored or exposed
Regulator
OAIC and ACSC; NZ Privacy Commissioner and CERT NZ notified
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Ticketmaster
πŸ‡¦πŸ‡Ί Global (Australian & NZ customers affected) Β· breach 2024-05 Β· disclosed 2024-06
πŸ›οΈ Retail Β· Ticketing
People affected
Not disclosed
Data taken
Names, contact details and some payment card information
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Ticketmaster Β· View record β†’
Outabox (NSW clubs & pubs)
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2024-05 Β· disclosed 2024-05
πŸ–₯️ Technology Β· Venue sign-in / facial-recognition vendor
People affected
1,000,000+
Data taken
Facial-recognition biometrics and driver licence scans, Signatures, home addresses and dates of birth, Club membership and gaming-machine usage data
Regulator
NSW Police; OAIC
Trust tier
Reported
● Under investigation Source: ACS Information Age Β· View record β†’
MediSecure
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2024-04 Β· disclosed 2024-05
πŸ₯ Healthcare Β· e-Prescriptions
People affected
12,900,000 (approx)
Data taken
Prescription and personal health information
Regulator
OAIC
Trust tier
Confirmed
● Disclosed Source: OAIC Β· View record β†’
Firstmac
πŸ‡¦πŸ‡Ί Brisbane, QLD Β· breach 2024-04 Β· disclosed 2024-05
πŸ’³ Finance Β· Non-bank lender
People affected
Not disclosed
Data taken
Name, date of birth, address, email and phone number, External bank account details (BSB and account number) and driver licence number
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Bitdefender Β· View record β†’
Health New Zealand (Te Whatu Ora)
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2024-02 Β· disclosed 2024-02
πŸ₯ Healthcare Β· Public health system
People affected
12,000 (approx)
Data taken
Personal information relating to COVID-19 vaccination records
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Health New Zealand β€” Te Whatu Ora Β· View record β†’
ZircoDATA
πŸ‡¦πŸ‡Ί Victoria Β· breach 2024-02 Β· disclosed 2024-05
πŸ–₯️ Technology Β· Records-management supplier
People affected
Not disclosed
Data taken
Across downstream clients: full names, dates of birth, mobile and email; visa, driver-licence and passport data (a Home Affairs translating service); and archived family-violence and sexual-assault support records (a Monash Health client)
Regulator
National Cyber Security Coordinator; ACSC and OAIC
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Western Sydney University
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2024 Β· disclosed 2025-01
πŸŽ“ Education
People affected
Not disclosed
Data taken
Student and staff personal information across multiple incidents (incl. identity and enrolment data)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: Western Sydney University Β· View record β†’
St Vincent's Health Australia
πŸ‡¦πŸ‡Ί Australia (national) Β· breach 2023-12 Β· disclosed 2023-12
πŸ₯ Healthcare Β· Hospitals & aged care
People affected
Not disclosed
Data taken
Data removed from the network
Regulator
Australian Cyber Security Centre; National Office of Cyber Security
Trust tier
Reported
● Under investigation Source: St Vincent's Health Australia Β· View record β†’
Nissan Oceania
πŸ‡¦πŸ‡Ί Australia & New Zealand Β· breach 2023-12 Β· disclosed 2024-03
πŸ—‚οΈ Other Β· Automotive & finance
People affected
100,000 (approx)
Data taken
Government identification (some Medicare, licence, passport numbers), and other personal information
Regulator
OAIC; ID Support NSW
Trust tier
Reported
● Resolved Source: ID Support NSW (NSW Government) Β· View record β†’
Court Services Victoria
πŸ‡¦πŸ‡Ί Victoria Β· breach 2023-12 Β· disclosed 2024-01
πŸ›οΈ Government Β· Courts administration
People affected
Not disclosed
Data taken
Audio-visual recordings and transcripts of court hearings (Supreme, County, Magistrates', Children's and Coroners courts)
Regulator
Victoria Police; Victorian Department of Government Services
Trust tier
Reported
● Disclosed Source: Court Services Victoria Β· View record β†’
National Disability Insurance Agency
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-11 Β· disclosed 2023-11
πŸ›οΈ Government Β· Federal disability agency
People affected
Not disclosed
Data taken
Full name, date of birth, gender and address/postcode of NDIS participants (some of whom were minors at the time)
Regulator
AFP (charges and sentencing); NDIS Quality and Safeguards Commission
Trust tier
Reported
● Resolved Source: NDIA Β· View record β†’
DP World Australia
πŸ‡¦πŸ‡Ί Australia (national ports) Β· breach 2023-11 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Port & logistics operator
People affected
Not disclosed
Data taken
Personal information of current and former employees
Regulator
National Cyber Security Coordinator; OAIC
Trust tier
Reported
● Under investigation Source: DP World Australia Β· View record β†’
Harcourts (Australia)
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-10 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Real estate
People affected
Not disclosed
Data taken
Names, addresses, bank details and signatures, Photo identification of prospective renters
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: InnovationAus Β· View record β†’
Pizza Hut Australia
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-09 Β· disclosed 2023-09
πŸ›οΈ Retail Β· Hospitality
People affected
193,000 (approx)
Data taken
Names, delivery addresses, contact details; some order and payment records
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
TissuPath
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2023-08 Β· disclosed 2023-09
πŸ₯ Healthcare Β· Anatomical pathology
People affected
Not disclosed
Data taken
Names, dates of birth, gender, phone, address, Medicare numbers, health-insurance details, referring-doctor information and scanned pathology referrals
Regulator
OAIC and ACSC notified
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Dymocks
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2023-06 Β· disclosed 2023-09
πŸ›οΈ Retail
People affected
836,000 (approx)
Data taken
Names, dates of birth, email and postal addresses, membership details
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
MediaWorks
πŸ‡³πŸ‡Ώ Auckland Β· breach 2023-05 Β· disclosed 2023-06
πŸ—‚οΈ Other Β· Media / broadcasting
People affected
403,000 (approx)
Data taken
Names, dates of birth, contact details and competition-entry data
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
HWL Ebsworth
πŸ‡¦πŸ‡Ί National (Australia) Β· breach 2023-04 Β· disclosed 2023-06
βš–οΈ Legal
People affected
Not disclosed
Data taken
Legal and government client documents; personal information of individuals, Data linked to ~65 Australian government agencies
Regulator
OAIC; multiple government agencies
Trust tier
Reported
● Resolved Source: HWL Ebsworth Β· View record β†’
Tasmanian Department for Education, Children and Young People
πŸ‡¦πŸ‡Ί Tasmania Β· breach 2023-03 Β· disclosed 2023-04
πŸ›οΈ Government Β· State education department (GoAnywhere / Cl0p breach)
People affected
Not disclosed
Data taken
Names, addresses, financial invoices and statements, bank account numbers and student-assistance applications; children's names, homerooms and year levels; dates of birth for some TasTAFE students
Regulator
Tasmanian Government incident (CyberCX engaged)
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Latitude Financial
πŸ‡¦πŸ‡Ί Melbourne, VIC (AU + NZ operations) Β· breach 2023-03 Β· disclosed 2023-03
πŸ’³ Finance
People affected
14,000,000 (approx)
Data taken
Driver licence numbers (~7.9M across AU & NZ), Passport numbers, financial statements and other personal details
Regulator
OAIC + NZ Privacy Commissioner (joint)
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Te PΕ«kenga β€” Competenz
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2023 Β· disclosed 2023
πŸŽ“ Education Β· Vocational education
People affected
6,130+
Data taken
Personal and financial information of learners and staff
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Disclosed Source: BusinessDesk Β· View record β†’
Telstra (unlisted-number disclosure)
πŸ‡¦πŸ‡Ί Australia Β· breach 2022-12 Β· disclosed 2022-12
πŸ“‘ Telco Β· Telecommunications
People affected
132,000 (approx)
Data taken
Names, addresses and phone numbers of customers who had paid for unlisted (silent) numbers
Regulator
ACMA (regulator action)
Trust tier
Confirmed
● Resolved Source: ACMA Β· View record β†’
Queensland University of Technology
πŸ‡¦πŸ‡Ί Brisbane, QLD Β· breach 2022-12 Β· disclosed 2023-02
πŸŽ“ Education Β· University
People affected
11,405 (approx)
Data taken
Names and, for many, tax file numbers and bank account numbers (tax file numbers for 3,820 people); affected people were mostly current and former staff
Regulator
Relevant Queensland and federal authorities notified
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Mercury IT
πŸ‡³πŸ‡Ώ Wellington Β· breach 2022-11 Β· disclosed 2022-12
πŸ–₯️ Technology Β· Managed IT / MSP
People affected
Not disclosed
Data taken
Coronial files and post-mortem reports (~14,500 files, Ministry of Justice), Health and insurance records via downstream agencies
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: NZ Herald Β· View record β†’
Woolworths MyDeal
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ›οΈ Retail
People affected
2,200,000 (approx)
Data taken
Names, email addresses, phone numbers, delivery addresses (subset: dates of birth)
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Inside Retail Β· View record β†’
Medibank
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ’³ Insurance Β· Health insurance
People affected
9,700,000 (approx)
Data taken
Names, dates of birth, contact details, Medicare numbers, Sensitive health claims data (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
Pinnacle Midlands Health Network
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2022-09 Β· disclosed 2022-10
πŸ₯ Healthcare Β· Primary care / GP network
People affected
450,000 (approx)
Data taken
Patient addresses and National Health Index (NHI) numbers, Immunisation and screening status, and data about services provided
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
Vinomofo
πŸ‡¦πŸ‡Ί Australia Β· breach 2022-09 Β· disclosed 2022-10
πŸ›οΈ Retail Β· Online wine retailer
People affected
928,760 (approx)
Data taken
Names, gender, dates of birth, contact information and some financial information
Regulator
OAIC β€” Privacy Commissioner determination (breach of APP 11.1)
Trust tier
Confirmed
● Resolved Source: OAIC Β· View record β†’
Optus
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-09 Β· disclosed 2022-09
πŸ“‘ Telco
People affected
9,500,000 (approx)
Data taken
Names, dates of birth, phone numbers, email addresses, Driver licence, passport and Medicare numbers (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
Deakin University
πŸ‡¦πŸ‡Ί Victoria Β· breach 2022-07 Β· disclosed 2022-07
πŸŽ“ Education Β· University
People affected
46,980 (approx)
Data taken
Names, student ID numbers, mobile numbers, university email addresses and recent unit results; about 9,997 people then received scam SMS messages
Regulator
OVIC notified
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
CTARS (NDIS client-management provider)
πŸ‡¦πŸ‡Ί Australia Β· breach 2022-05 Β· disclosed 2022-05
πŸ₯ Healthcare Β· Disability / NDIS case-management software (third-party provider)
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, phone numbers, emails, usernames/passwords and genders, Sensitive health and disability data
Regulator
OAIC and ACSC (notified)
Trust tier
Reported
● Disclosed Source: Information Age (ACS) Β· View record β†’
Australian Clinical Labs β€” Medlab Pathology
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-02 Β· disclosed 2022-07
πŸ₯ Healthcare Β· Pathology
People affected
223,000+
Data taken
Names, addresses, contact details, Medicare card numbers, Medical & pathology results
Regulator
OAIC
Penalty
AUD 5.8M
● Penalty issued Source: OAIC Β· View record β†’
South Australian Government (Frontier Software)
πŸ‡¦πŸ‡Ί Adelaide, SA Β· breach 2021-11 Β· disclosed 2021-12
πŸ›οΈ Government Β· State government payroll (third-party provider)
People affected
80,000 (approx)
Data taken
Name, date of birth and home address, Tax file number and bank account details, Remuneration, tax withheld and superannuation details
Regulator
South Australian Government; OAIC
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
AA Traveller
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2021-08 Β· disclosed 2022-05
πŸ—‚οΈ Other Β· Travel / tourism
People affected
Not disclosed
Data taken
Names, addresses and contact details (phone/email), For older records, expired credit-card numbers held on a legacy system
Regulator
NZ Office of the Privacy Commissioner (notified)
Trust tier
Reported
● Disclosed Source: RNZ Β· View record β†’
Waikato DHB (Te Whatu Ora Waikato)
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2021-05 Β· disclosed 2021-05
πŸ₯ Healthcare Β· Public hospital
People affected
Not disclosed
Data taken
Patient and staff personal and health information (leaked to media / dark web)
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Te Whatu Ora Β· View record β†’
Air New Zealand β€” Airpoints
πŸ‡³πŸ‡Ώ Auckland Β· breach 2021-03 Β· disclosed 2021-03
πŸ—‚οΈ Other Β· Aviation / loyalty programme
People affected
Not disclosed
Data taken
Airpoints member account details (names, contact and loyalty information)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: RNZ Β· View record β†’
Transport for NSW
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2021-01 Β· disclosed 2021-02
πŸ›οΈ Government Β· Transport agency (Accellion breach)
People affected
Not disclosed
Data taken
Driver-licence information, names, email and residential addresses and contact numbers
Regulator
Cyber Security NSW; NSW Police
Trust tier
Reported
● Disclosed Source: Transport for NSW Β· View record β†’
NSW Health
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2021-01 Β· disclosed 2021-06
πŸ₯ Healthcare Β· State health department (Accellion breach)
People affected
Not disclosed
Data taken
Identity information and, in some cases, health-related personal information contained in files accessed; NSW Health said medical-records systems were not affected
Regulator
NSW Police (Strike Force Martine); Cyber Security NSW
Trust tier
Reported
● Disclosed Source: NSW Health Β· View record β†’
Reserve Bank of New Zealand (Accellion FTA)
πŸ‡³πŸ‡Ώ Wellington Β· breach 2020-12 Β· disclosed 2021-01
πŸ›οΈ Government Β· Central bank
People affected
Not disclosed
Data taken
Commercially and personally sensitive information held in a third-party file-transfer service
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Reserve Bank of New Zealand Β· View record β†’
Ambulance Tasmania
πŸ‡¦πŸ‡Ί Tasmania Β· breach 2020-11 Β· disclosed 2021-01
πŸ₯ Healthcare Β· State ambulance service
People affected
Not disclosed
Data taken
Patient names, incident locations, age, gender and the medical condition or nature of the callout
Regulator
Referred to Tasmania Police; Tasmanian Department of Health investigation
Trust tier
Reported
● Disclosed Source: The Examiner Β· View record β†’
ProctorU
πŸ‡¦πŸ‡Ί Australian universities (global platform) Β· breach 2020-08 Β· disclosed 2020-08
πŸŽ“ Education Β· EdTech
People affected
444,000 (approx)
Data taken
Names, email and home addresses, and hashed passwords (incl. Australian university students)
Regulator
none
Trust tier
Reported
● Disclosed Source: Honi Soit Β· View record β†’
Regis Healthcare
πŸ‡¦πŸ‡Ί Australia Β· breach 2020-07 Β· disclosed 2020-08
πŸ₯ Healthcare Β· Aged care
People affected
Not disclosed
Data taken
Personal data copied and, in part, published by the Maze double-extortion group; reporting referenced resident/client and employee information
Regulator
OAIC and ACSC notified
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Toll Group
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2020-05 Β· disclosed 2020-05
πŸ—‚οΈ Other Β· Transport & logistics
People affected
Not disclosed
Data taken
Personal information of past and present employees, Details of commercial agreements with current and former enterprise customers
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Service NSW
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2020-04 Β· disclosed 2020-09
πŸ›οΈ Government
People affected
104,000 (approx)
Data taken
Personal information contained in staff email accounts (~3.8M documents)
Regulator
NSW Auditor-General / IPC NSW
Trust tier
Confirmed
● Resolved Source: Service NSW Β· View record β†’
P&N Bank
πŸ‡¦πŸ‡Ί Perth, WA Β· breach 2019-12 Β· disclosed 2020-01
πŸ’³ Finance Β· Customer-owned bank
People affected
100,000 (approx)
Data taken
Names, addresses, email addresses, age, customer and account numbers, and account balances; the bank said funds, government-ID numbers and ID documents were held separately and not accessed
Regulator
WA Police / federal authorities
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
TΕ« Ora Compass Health
πŸ‡³πŸ‡Ώ Wellington region Β· breach 2019-08 Β· disclosed 2019-09
πŸ₯ Healthcare Β· Primary health organisation
People affected
1,000,000 (approx)
Data taken
Enrolled patient information (names, dates of birth, contact and health-related data)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: Cyber Security Hub Β· View record β†’
Canva
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2019-05 Β· disclosed 2019-05
πŸ–₯️ Technology
People affected
137,000,000 (approx)
Data taken
Usernames, names, email addresses and hashed passwords
Regulator
none
Trust tier
Reported
● Resolved Source: UpGuard Β· View record β†’
LandMark White
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2019-01 Β· disclosed 2019-02
πŸ’³ Finance Β· Property valuation
People affected
Not disclosed
Data taken
Property-valuation records containing borrowers' and owners' personal contact details; about 137,500 valuation records exposed and later leaked on a dark-web forum
Regulator
NSW Police Cybercrime Squad (arrest and charges)
Trust tier
Reported
● Before the courts Source: iTnews Β· View record β†’
Australian National University
πŸ‡¦πŸ‡Ί Canberra, ACT Β· breach 2018-11 Β· disclosed 2019-06
πŸŽ“ Education
People affected
200,000 (approx)
Data taken
Up to 19 years of staff, student and visitor personal data (names, addresses, bank details, academic records)
Regulator
none (public incident report)
Trust tier
Confirmed
● Resolved Source: Australian National University Β· View record β†’
PageUp
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2018-05 Β· disclosed 2018-06
πŸ–₯️ Technology Β· HR / recruitment SaaS
People affected
Not disclosed
Data taken
Job-applicant personal details and reference contact information, and PageUp employee usernames/passwords (hashed); PageUp said tax file numbers and financial/bank details were not affected
Regulator
OAIC (inquiries); ACSC engaged
Trust tier
Reported
● Disclosed Source: Information Age (ACS) Β· View record β†’
GGOVERN Cybersecurity Assurance Β· Govern house You’re reading everyone else’s breach. Make sure you’re not the next entry. Talk to Govern β†’