πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service

Every reported data breach in New Zealand & Australia β€” indexed, sourced, searchable.

We don't investigate. We index what regulators, courts and companies have already made public β€” every figure links back to its official source.

A$5.8M
largest confirmed penalty (first under the Privacy Act)
43
records indexed
196,477,130+
people affected (where disclosed)
NZ Β· AU
trans-Tasman coverage
Country All πŸ‡³πŸ‡Ώ NZ πŸ‡¦πŸ‡Ί AU Trust All ● Confirmed β—‹ Reported
Advertising
Your brand, in front of the right people
Reach GRC, security and procurement leaders across New Zealand & Australia.
Enquire β†’ breach@govern.co.nz
Showing 43 recordsSorted: most recent
Partnered Health β€” national GP clinic network
πŸ‡¦πŸ‡Ί Multiple states (national clinic network) Β· breach 2026-06 Β· disclosed 2026-07-15
πŸ₯ Healthcare Β· General Practice
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, contact details, Medicare numbers, Private health insurance / DVA / concession card numbers
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Partnered Health Β· View record β†’
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
Enquire β†’ breach@govern.co.nz
Langley Twigg β€” Napier law firm
πŸ‡³πŸ‡Ώ Napier, Hawke's Bay Β· breach 2026-01-11 Β· disclosed 2026-01
βš–οΈ Legal Β· Law firm
People affected
Not disclosed
Data taken
Client documents / case files, Passport scans (employee & client), Internal firm operational information
Regulator
NZ-Privacy-Commissioner
Trust tier
Reported
● Under investigation Source: Langley Twigg Law Β· View record β†’
Victorian Department of Education
πŸ‡¦πŸ‡Ί Victoria Β· breach 2026-01 Β· disclosed 2026-01
πŸ›οΈ Government Β· State schools
People affected
Not disclosed
Data taken
Student personal information across Victorian government schools
Regulator
OVIC; OAIC
Trust tier
Reported
● Under investigation Source: BleepingComputer Β· View record β†’
Manage My Health
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2026 Β· disclosed 2026
πŸ₯ Healthcare Β· Patient portal
People affected
126,000 (approx)
Data taken
Patient health records and personal information
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Under investigation Source: Office of the Privacy Commissioner Β· View record β†’
University of Sydney
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-12 Β· disclosed 2025-12
πŸŽ“ Education
People affected
20,000+
Data taken
Personal information of staff, affiliates and applicants (via a third-party platform)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: The University of Sydney Β· View record β†’
iiNet (TPG Telecom)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-08 Β· disclosed 2025-08
πŸ“‘ Telco
People affected
280,000 (approx)
Data taken
Email addresses, usernames, phone numbers; some modem setup passwords
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: The Register Β· View record β†’
Qantas
πŸ‡¦πŸ‡Ί Sydney, NSW (AU; NZ regulator also notified) Β· breach 2025-06 Β· disclosed 2025-07
πŸ—‚οΈ Other Β· Aviation
People affected
5,700,000 (approx)
Data taken
Names, email addresses, Qantas Frequent Flyer numbers, addresses, dates of birth, phone numbers, No credit-card, financial or passport data (not stored in the affected system)
Regulator
OAIC
Trust tier
Confirmed
● Resolved Source: Qantas Β· View record β†’
Sydney Tools
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-03 Β· disclosed 2025-03
πŸ›οΈ Retail
People affected
Not disclosed
Data taken
~34 million customer and order records exposed via a misconfigured database
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Cybernews Β· View record β†’
Australian superannuation funds (coordinated attack)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-03 Β· disclosed 2025-04
πŸ’³ Finance Β· Superannuation
People affected
Not disclosed
Data taken
Member account access via credential stuffing; some funds reportedly withdrawn (~$500k reported)
Regulator
ASIC / APRA (engaged)
Trust tier
Reported
● Disclosed Source: SBS News Β· View record β†’
Genea Fertility
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-02 Β· disclosed 2025-02
πŸ₯ Healthcare Β· IVF / fertility
People affected
Not disclosed
Data taken
Sensitive patient and fertility/medical records (published on the dark web)
Regulator
OAIC (notified)
Trust tier
Reported
● Under investigation Source: TechCrunch Β· View record β†’
Metricon Homes
πŸ‡¦πŸ‡Ί Australia Β· breach 2025 Β· disclosed 2025
πŸ—‚οΈ Other Β· Construction / home building
People affected
Not disclosed
Data taken
Employee and customer personal information posted to a dark-web leak site
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Breachsense Β· View record β†’
I-MED Radiology Network
πŸ‡¦πŸ‡Ί Australia Β· breach 2024-09 Β· disclosed 2024-09
πŸ₯ Healthcare Β· Medical imaging
People affected
Not disclosed
Data taken
Patient records and imaging referral information (tens of thousands of files)
Regulator
OAIC
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Ticketmaster
πŸ‡¦πŸ‡Ί Global (Australian & NZ customers affected) Β· breach 2024-05 Β· disclosed 2024-06
πŸ›οΈ Retail Β· Ticketing
People affected
Not disclosed
Data taken
Names, contact details and some payment card information
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Ticketmaster Β· View record β†’
Outabox (NSW clubs & pubs)
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2024-05 Β· disclosed 2024-05
πŸ–₯️ Technology Β· Venue sign-in / facial-recognition vendor
People affected
1,000,000+
Data taken
Facial-recognition biometrics and driver licence scans, Signatures, home addresses and dates of birth, Club membership and gaming-machine usage data
Regulator
NSW Police; OAIC
Trust tier
Reported
● Under investigation Source: ACS Information Age Β· View record β†’
MediSecure
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2024-04 Β· disclosed 2024-05
πŸ₯ Healthcare Β· e-Prescriptions
People affected
12,900,000 (approx)
Data taken
Prescription and personal health information
Regulator
OAIC
Trust tier
Confirmed
● Disclosed Source: OAIC Β· View record β†’
Health New Zealand (Te Whatu Ora)
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2024-02 Β· disclosed 2024-02
πŸ₯ Healthcare Β· Public health system
People affected
12,000 (approx)
Data taken
Personal information relating to COVID-19 vaccination records
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Health New Zealand β€” Te Whatu Ora Β· View record β†’
Western Sydney University
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2024 Β· disclosed 2025-01
πŸŽ“ Education
People affected
Not disclosed
Data taken
Student and staff personal information across multiple incidents (incl. identity and enrolment data)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: Western Sydney University Β· View record β†’
St Vincent's Health Australia
πŸ‡¦πŸ‡Ί Australia (national) Β· breach 2023-12 Β· disclosed 2023-12
πŸ₯ Healthcare Β· Hospitals & aged care
People affected
Not disclosed
Data taken
Data removed from the network
Regulator
Australian Cyber Security Centre; National Office of Cyber Security
Trust tier
Reported
● Under investigation Source: St Vincent's Health Australia Β· View record β†’
Nissan Oceania
πŸ‡¦πŸ‡Ί Australia & New Zealand Β· breach 2023-12 Β· disclosed 2024-03
πŸ—‚οΈ Other Β· Automotive & finance
People affected
100,000 (approx)
Data taken
Government identification (some Medicare, licence, passport numbers), and other personal information
Regulator
OAIC; ID Support NSW
Trust tier
Reported
● Resolved Source: ID Support NSW (NSW Government) Β· View record β†’
DP World Australia
πŸ‡¦πŸ‡Ί Australia (national ports) Β· breach 2023-11 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Port & logistics operator
People affected
Not disclosed
Data taken
Personal information of current and former employees
Regulator
National Cyber Security Coordinator; OAIC
Trust tier
Reported
● Under investigation Source: DP World Australia Β· View record β†’
Harcourts (Australia)
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-10 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Real estate
People affected
Not disclosed
Data taken
Names, addresses, bank details and signatures, Photo identification of prospective renters
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: InnovationAus Β· View record β†’
Pizza Hut Australia
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-09 Β· disclosed 2023-09
πŸ›οΈ Retail Β· Hospitality
People affected
193,000 (approx)
Data taken
Names, delivery addresses, contact details; some order and payment records
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
Dymocks
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2023-06 Β· disclosed 2023-09
πŸ›οΈ Retail
People affected
836,000 (approx)
Data taken
Names, dates of birth, email and postal addresses, membership details
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
MediaWorks
πŸ‡³πŸ‡Ώ Auckland Β· breach 2023-05 Β· disclosed 2023-06
πŸ—‚οΈ Other Β· Media / broadcasting
People affected
403,000 (approx)
Data taken
Names, dates of birth, contact details and competition-entry data
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
HWL Ebsworth
πŸ‡¦πŸ‡Ί National (Australia) Β· breach 2023-04 Β· disclosed 2023-06
βš–οΈ Legal
People affected
Not disclosed
Data taken
Legal and government client documents; personal information of individuals, Data linked to ~65 Australian government agencies
Regulator
OAIC; multiple government agencies
Trust tier
Reported
● Resolved Source: HWL Ebsworth Β· View record β†’
Latitude Financial
πŸ‡¦πŸ‡Ί Melbourne, VIC (AU + NZ operations) Β· breach 2023-03 Β· disclosed 2023-03
πŸ’³ Finance
People affected
14,000,000 (approx)
Data taken
Driver licence numbers (~7.9M across AU & NZ), Passport numbers, financial statements and other personal details
Regulator
OAIC + NZ Privacy Commissioner (joint)
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Te PΕ«kenga β€” Competenz
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2023 Β· disclosed 2023
πŸŽ“ Education Β· Vocational education
People affected
6,130+
Data taken
Personal and financial information of learners and staff
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Disclosed Source: BusinessDesk Β· View record β†’
Mercury IT
πŸ‡³πŸ‡Ώ Wellington Β· breach 2022-11 Β· disclosed 2022-12
πŸ–₯️ Technology Β· Managed IT / MSP
People affected
Not disclosed
Data taken
Coronial files and post-mortem reports (~14,500 files, Ministry of Justice), Health and insurance records via downstream agencies
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: NZ Herald Β· View record β†’
Woolworths MyDeal
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ›οΈ Retail
People affected
2,200,000 (approx)
Data taken
Names, email addresses, phone numbers, delivery addresses (subset: dates of birth)
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Inside Retail Β· View record β†’
Medibank
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ’³ Insurance Β· Health insurance
People affected
9,700,000 (approx)
Data taken
Names, dates of birth, contact details, Medicare numbers, Sensitive health claims data (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
Pinnacle Midlands Health Network
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2022-09 Β· disclosed 2022-10
πŸ₯ Healthcare Β· Primary care / GP network
People affected
450,000 (approx)
Data taken
Patient addresses and National Health Index (NHI) numbers, Immunisation and screening status, and data about services provided
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
Optus
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-09 Β· disclosed 2022-09
πŸ“‘ Telco
People affected
9,500,000 (approx)
Data taken
Names, dates of birth, phone numbers, email addresses, Driver licence, passport and Medicare numbers (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
Australian Clinical Labs β€” Medlab Pathology
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-02 Β· disclosed 2022-07
πŸ₯ Healthcare Β· Pathology
People affected
223,000+
Data taken
Names, addresses, contact details, Medicare card numbers, Medical & pathology results
Regulator
OAIC
Penalty
AUD 5.8M
● Penalty issued Source: OAIC Β· View record β†’
South Australian Government (Frontier Software)
πŸ‡¦πŸ‡Ί Adelaide, SA Β· breach 2021-11 Β· disclosed 2021-12
πŸ›οΈ Government Β· State government payroll (third-party provider)
People affected
80,000 (approx)
Data taken
Name, date of birth and home address, Tax file number and bank account details, Remuneration, tax withheld and superannuation details
Regulator
South Australian Government; OAIC
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
Waikato DHB (Te Whatu Ora Waikato)
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2021-05 Β· disclosed 2021-05
πŸ₯ Healthcare Β· Public hospital
People affected
Not disclosed
Data taken
Patient and staff personal and health information (leaked to media / dark web)
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Te Whatu Ora Β· View record β†’
Air New Zealand β€” Airpoints
πŸ‡³πŸ‡Ώ Auckland Β· breach 2021-03 Β· disclosed 2021-03
πŸ—‚οΈ Other Β· Aviation / loyalty programme
People affected
Not disclosed
Data taken
Airpoints member account details (names, contact and loyalty information)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: RNZ Β· View record β†’
Reserve Bank of New Zealand (Accellion FTA)
πŸ‡³πŸ‡Ώ Wellington Β· breach 2020-12 Β· disclosed 2021-01
πŸ›οΈ Government Β· Central bank
People affected
Not disclosed
Data taken
Commercially and personally sensitive information held in a third-party file-transfer service
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Reserve Bank of New Zealand Β· View record β†’
ProctorU
πŸ‡¦πŸ‡Ί Australian universities (global platform) Β· breach 2020-08 Β· disclosed 2020-08
πŸŽ“ Education Β· EdTech
People affected
444,000 (approx)
Data taken
Names, email and home addresses, and hashed passwords (incl. Australian university students)
Regulator
none
Trust tier
Reported
● Disclosed Source: Honi Soit Β· View record β†’
Toll Group
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2020-05 Β· disclosed 2020-05
πŸ—‚οΈ Other Β· Transport & logistics
People affected
Not disclosed
Data taken
Personal information of past and present employees, Details of commercial agreements with current and former enterprise customers
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Service NSW
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2020-04 Β· disclosed 2020-09
πŸ›οΈ Government
People affected
104,000 (approx)
Data taken
Personal information contained in staff email accounts (~3.8M documents)
Regulator
NSW Auditor-General / IPC NSW
Trust tier
Confirmed
● Resolved Source: Service NSW Β· View record β†’
TΕ« Ora Compass Health
πŸ‡³πŸ‡Ώ Wellington region Β· breach 2019-08 Β· disclosed 2019-09
πŸ₯ Healthcare Β· Primary health organisation
People affected
1,000,000 (approx)
Data taken
Enrolled patient information (names, dates of birth, contact and health-related data)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: Cyber Security Hub Β· View record β†’
Canva
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2019-05 Β· disclosed 2019-05
πŸ–₯️ Technology
People affected
137,000,000 (approx)
Data taken
Usernames, names, email addresses and hashed passwords
Regulator
none
Trust tier
Reported
● Resolved Source: UpGuard Β· View record β†’
Australian National University
πŸ‡¦πŸ‡Ί Canberra, ACT Β· breach 2018-11 Β· disclosed 2019-06
πŸŽ“ Education
People affected
200,000 (approx)
Data taken
Up to 19 years of staff, student and visitor personal data (names, addresses, bank details, academic records)
Regulator
none (public incident report)
Trust tier
Confirmed
● Resolved Source: Australian National University Β· View record β†’