🔒breach.co.nz · the NZ & Australia breach register 🛡 A Govern service

Every reported data breach in New Zealand & Australia — indexed, sourced, searchable.

We don't investigate. We index what regulators, courts and companies have already made public — every figure links back to its official source.

A$5.8M
largest confirmed penalty (first under the Privacy Act)
20
records indexed
193,056,000+
people affected (where disclosed)
NZ · AU
trans-Tasman coverage
Country All 🇳🇿 NZ 🇊🇺 AU Trust All ● Confirmed ○ Reported
Advertising
Your brand, in front of the right people
Reach GRC, security and procurement leaders across New Zealand & Australia.
Enquire → breach@govern.co.nz
Showing 20 recordsSorted: most recent
Partnered Health — national GP clinic network
🇊🇺 Multiple states (national clinic network) · breach 2026-06 · disclosed 2026-07-15
🏥 Healthcare · General Practice
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, contact details, Medicare numbers, Private health insurance / DVA / concession card numbers
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Partnered Health · View record →
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
Enquire → breach@govern.co.nz
Langley Twigg — Napier law firm
🇳🇿 Napier, Hawke's Bay · breach 2026-01-11 · disclosed 2026-01
⚖ Legal · Law firm
People affected
Not disclosed
Data taken
Client documents / case files, Passport scans (employee & client), Internal firm operational information
Regulator
NZ-Privacy-Commissioner
Trust tier
Reported
● Under investigation Source: Langley Twigg Law · View record →
Manage My Health
🇳🇿 New Zealand · breach 2026 · disclosed 2026
🏥 Healthcare · Patient portal
People affected
126,000 (approx)
Data taken
Patient health records and personal information
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Under investigation Source: Office of the Privacy Commissioner · View record →
Qantas
🇊🇺 Sydney, NSW (AU; NZ regulator also notified) · breach 2025-06 · disclosed 2025-07
🗂 Other · Aviation
People affected
5,700,000 (approx)
Data taken
Names, email addresses, Qantas Frequent Flyer numbers, addresses, dates of birth, phone numbers, No credit-card, financial or passport data (not stored in the affected system)
Regulator
OAIC
Trust tier
Confirmed
● Resolved Source: Qantas · View record →
Sydney Tools
🇊🇺 Sydney, NSW · breach 2025-03 · disclosed 2025-03
🛍 Retail
People affected
Not disclosed
Data taken
~34 million customer and order records exposed via a misconfigured database
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Cybernews · View record →
MediSecure
🇊🇺 Melbourne, VIC · breach 2024-04 · disclosed 2024-05
🏥 Healthcare · e-Prescriptions
People affected
12,900,000 (approx)
Data taken
Prescription and personal health information
Regulator
OAIC
Trust tier
Confirmed
● Disclosed Source: OAIC · View record →
MediaWorks
🇳🇿 Auckland · breach 2023-05 · disclosed 2023-06
🗂 Other · Media / broadcasting
People affected
403,000 (approx)
Data taken
Names, dates of birth, contact details and competition-entry data
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: RNZ · View record →
Latitude Financial
🇊🇺 Melbourne, VIC (AU + NZ operations) · breach 2023-03 · disclosed 2023-03
💳 Finance
People affected
14,000,000 (approx)
Data taken
Driver licence numbers (~7.9M across AU & NZ), Passport numbers, financial statements and other personal details
Regulator
OAIC + NZ Privacy Commissioner (joint)
Trust tier
Confirmed
● Under investigation Source: OAIC · View record →
Mercury IT
🇳🇿 Wellington · breach 2022-11 · disclosed 2022-12
🖥 Technology · Managed IT / MSP
People affected
Not disclosed
Data taken
Coronial files and post-mortem reports (~14,500 files, Ministry of Justice), Health and insurance records via downstream agencies
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: NZ Herald · View record →
Woolworths MyDeal
🇊🇺 Melbourne, VIC · breach 2022-10 · disclosed 2022-10
🛍 Retail
People affected
2,200,000 (approx)
Data taken
Names, email addresses, phone numbers, delivery addresses (subset: dates of birth)
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Inside Retail · View record →
Medibank
🇊🇺 Melbourne, VIC · breach 2022-10 · disclosed 2022-10
💳 Insurance · Health insurance
People affected
9,700,000 (approx)
Data taken
Names, dates of birth, contact details, Medicare numbers, Sensitive health claims data (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC · View record →
Optus
🇊🇺 Sydney, NSW · breach 2022-09 · disclosed 2022-09
📡 Telco
People affected
9,500,000 (approx)
Data taken
Names, dates of birth, phone numbers, email addresses, Driver licence, passport and Medicare numbers (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC · View record →
Australian Clinical Labs — Medlab Pathology
🇊🇺 Sydney, NSW · breach 2022-02 · disclosed 2022-07
🏥 Healthcare · Pathology
People affected
223,000+
Data taken
Names, addresses, contact details, Medicare card numbers, Medical & pathology results
Regulator
OAIC
Penalty
AUD 5.8M
● Penalty issued Source: OAIC · View record →
Waikato DHB (Te Whatu Ora Waikato)
🇳🇿 Hamilton, Waikato · breach 2021-05 · disclosed 2021-05
🏥 Healthcare · Public hospital
People affected
Not disclosed
Data taken
Patient and staff personal and health information (leaked to media / dark web)
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Te Whatu Ora · View record →
Air New Zealand — Airpoints
🇳🇿 Auckland · breach 2021-03 · disclosed 2021-03
🗂 Other · Aviation / loyalty programme
People affected
Not disclosed
Data taken
Airpoints member account details (names, contact and loyalty information)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: RNZ · View record →
Reserve Bank of New Zealand (Accellion FTA)
🇳🇿 Wellington · breach 2020-12 · disclosed 2021-01
🏛 Government · Central bank
People affected
Not disclosed
Data taken
Commercially and personally sensitive information held in a third-party file-transfer service
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Reserve Bank of New Zealand · View record →
Service NSW
🇊🇺 New South Wales · breach 2020-04 · disclosed 2020-09
🏛 Government
People affected
104,000 (approx)
Data taken
Personal information contained in staff email accounts (~3.8M documents)
Regulator
NSW Auditor-General / IPC NSW
Trust tier
Confirmed
● Resolved Source: Service NSW · View record →
TÅ« Ora Compass Health
🇳🇿 Wellington region · breach 2019-08 · disclosed 2019-09
🏥 Healthcare · Primary health organisation
People affected
1,000,000 (approx)
Data taken
Enrolled patient information (names, dates of birth, contact and health-related data)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: Cyber Security Hub · View record →
Canva
🇊🇺 Sydney, NSW · breach 2019-05 · disclosed 2019-05
🖥 Technology
People affected
137,000,000 (approx)
Data taken
Usernames, names, email addresses and hashed passwords
Regulator
none
Trust tier
Reported
● Resolved Source: UpGuard · View record →
Australian National University
🇊🇺 Canberra, ACT · breach 2018-11 · disclosed 2019-06
🎓 Education
People affected
200,000 (approx)
Data taken
Up to 19 years of staff, student and visitor personal data (names, addresses, bank details, academic records)
Regulator
none (public incident report)
Trust tier
Confirmed
● Resolved Source: Australian National University · View record →