πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service

Every reported data breach in New Zealand & Australia β€” indexed, sourced, searchable.

We don't investigate. We index what regulators, courts and companies have already made public β€” every figure links back to its official source.

A$5.8M
largest confirmed penalty (first under the Privacy Act)
52
records indexed
196,477,130+
people affected (where disclosed)
NZ Β· AU
trans-Tasman coverage
Country All πŸ‡³πŸ‡Ώ NZ πŸ‡¦πŸ‡Ί AU Trust All ● Confirmed β—‹ Reported
Advertising
Your brand, in front of the right people
Run-of-site leaderboard β€” the register, by-sector directory and Learn.
Enquire β†’ breach@govern.co.nz
Showing 20 of 52 records
Partnered Health β€” national GP clinic network
πŸ‡¦πŸ‡Ί Multiple states (national clinic network) Β· breach 2026-06 Β· disclosed 2026-07-15
πŸ₯ Healthcare Β· General Practice
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, contact details, Medicare numbers, Private health insurance / DVA / concession card numbers
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Partnered Health Β· View record β†’
Ochre Health (Tuggeranong)
πŸ‡¦πŸ‡Ί Canberra, ACT Β· breach 2026-06 Β· disclosed 2026-06
πŸ₯ Healthcare Β· GP clinic / medical centre
People affected
Not disclosed
Data taken
Unauthorised access via two compromised accounts on the HotDoc third-party booking platform (Tuggeranong clinic), Reported to include names, dates of birth, addresses, emails, phone numbers, Medicare numbers, DVA numbers, appointment details and billing information
Regulator
OAIC and ACSC (notified)
Trust tier
Reported
● Under investigation Source: Ochre Health Β· View record β†’
Sponsored placement
Reach decision-makers, in-feed
Native placement alongside the breaches your buyers are already reading.
Enquire β†’ breach@govern.co.nz
Queensland Department of Education
πŸ‡¦πŸ‡Ί Queensland Β· breach 2026-05 Β· disclosed 2026-05
πŸ›οΈ Government Β· State education department
People affected
Not disclosed
Data taken
Names, email addresses, school locations, student ID numbers and user messages; the Education Minister said there was no evidence passwords, dates of birth or financial information were accessed
Regulator
none
Trust tier
Reported
● Disclosed Source: Cyber Daily Β· View record β†’
Langley Twigg β€” Napier law firm
πŸ‡³πŸ‡Ώ Napier, Hawke's Bay Β· breach 2026-01-11 Β· disclosed 2026-01
βš–οΈ Legal Β· Law firm
People affected
Not disclosed
Data taken
Client documents / case files, Passport scans (employee & client), Internal firm operational information
Regulator
NZ-Privacy-Commissioner
Trust tier
Reported
● Under investigation Source: Langley Twigg Law Β· View record β†’
Victorian Department of Education
πŸ‡¦πŸ‡Ί Victoria Β· breach 2026-01 Β· disclosed 2026-01
πŸ›οΈ Government Β· State schools
People affected
Not disclosed
Data taken
Student personal information across Victorian government schools
Regulator
OVIC; OAIC
Trust tier
Reported
● Under investigation Source: BleepingComputer Β· View record β†’
Prosura
πŸ‡¦πŸ‡Ί Β· breach 2026-01 Β· disclosed 2026-01
πŸ’³ Insurance Β· Rental-car / travel insurance
People affected
Not disclosed
Data taken
Names, phone numbers, email addresses, country of residence, invoicing and pricing data, travel destinations and policy start/end dates, Claim data reportedly including driver licences and related images
Regulator
none
Trust tier
Reported
● Under investigation Source: Cyber Daily Β· View record β†’
Manage My Health
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2026 Β· disclosed 2026
πŸ₯ Healthcare Β· Patient portal
People affected
126,000 (approx)
Data taken
Patient health records and personal information
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Under investigation Source: Office of the Privacy Commissioner Β· View record β†’
University of Sydney
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-12 Β· disclosed 2025-12
πŸŽ“ Education
People affected
20,000+
Data taken
Personal information of staff, affiliates and applicants (via a third-party platform)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: The University of Sydney Β· View record β†’
iiNet (TPG Telecom)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-08 Β· disclosed 2025-08
πŸ“‘ Telco
People affected
280,000 (approx)
Data taken
Email addresses, usernames, phone numbers; some modem setup passwords
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: The Register Β· View record β†’
Qantas
πŸ‡¦πŸ‡Ί Sydney, NSW (AU; NZ regulator also notified) Β· breach 2025-06 Β· disclosed 2025-07
πŸ—‚οΈ Other Β· Aviation
People affected
5,700,000 (approx)
Data taken
Names, email addresses, Qantas Frequent Flyer numbers, addresses, dates of birth, phone numbers, No credit-card, financial or passport data (not stored in the affected system)
Regulator
OAIC
Trust tier
Confirmed
● Resolved Source: Qantas Β· View record β†’
Sydney Tools
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-03 Β· disclosed 2025-03
πŸ›οΈ Retail
People affected
Not disclosed
Data taken
~34 million customer and order records exposed via a misconfigured database
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Cybernews Β· View record β†’
Australian superannuation funds (coordinated attack)
πŸ‡¦πŸ‡Ί Australia Β· breach 2025-03 Β· disclosed 2025-04
πŸ’³ Finance Β· Superannuation
People affected
Not disclosed
Data taken
Member account access via credential stuffing; some funds reportedly withdrawn (~$500k reported)
Regulator
ASIC / APRA (engaged)
Trust tier
Reported
● Disclosed Source: SBS News Β· View record β†’
The Fullerton Hotel Sydney
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-03 Β· disclosed 2025-04
πŸ—‚οΈ Other Β· Hospitality / hotels
People affected
Not disclosed
Data taken
As claimed by the Akira ransomware group (~148 GB): passports, driver licences, employee records, corporate documents and the credit-card details of a small number of guests
Regulator
OAIC (notified)
Trust tier
Reported
● Under investigation Source: Cyber Daily Β· View record β†’
Genea Fertility
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2025-02 Β· disclosed 2025-02
πŸ₯ Healthcare Β· IVF / fertility
People affected
Not disclosed
Data taken
Sensitive patient and fertility/medical records (published on the dark web)
Regulator
OAIC (notified)
Trust tier
Reported
● Under investigation Source: TechCrunch Β· View record β†’
Metricon Homes
πŸ‡¦πŸ‡Ί Australia Β· breach 2025 Β· disclosed 2025
πŸ—‚οΈ Other Β· Construction / home building
People affected
Not disclosed
Data taken
Employee and customer personal information posted to a dark-web leak site
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Breachsense Β· View record β†’
Finsure
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2024-10 Β· disclosed 2024-11
πŸ’³ Finance Β· Mortgage aggregator
People affected
Not disclosed
Data taken
Names, email addresses, phone numbers and physical addresses
Regulator
none
Trust tier
Reported
● Disclosed Source: The Adviser Β· View record β†’
I-MED Radiology Network
πŸ‡¦πŸ‡Ί Australia Β· breach 2024-09 Β· disclosed 2024-09
πŸ₯ Healthcare Β· Medical imaging
People affected
Not disclosed
Data taken
Patient records and imaging referral information (tens of thousands of files)
Regulator
OAIC
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Ticketmaster
πŸ‡¦πŸ‡Ί Global (Australian & NZ customers affected) Β· breach 2024-05 Β· disclosed 2024-06
πŸ›οΈ Retail Β· Ticketing
People affected
Not disclosed
Data taken
Names, contact details and some payment card information
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: Ticketmaster Β· View record β†’
Outabox (NSW clubs & pubs)
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2024-05 Β· disclosed 2024-05
πŸ–₯️ Technology Β· Venue sign-in / facial-recognition vendor
People affected
1,000,000+
Data taken
Facial-recognition biometrics and driver licence scans, Signatures, home addresses and dates of birth, Club membership and gaming-machine usage data
Regulator
NSW Police; OAIC
Trust tier
Reported
● Under investigation Source: ACS Information Age Β· View record β†’
MediSecure
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2024-04 Β· disclosed 2024-05
πŸ₯ Healthcare Β· e-Prescriptions
People affected
12,900,000 (approx)
Data taken
Prescription and personal health information
Regulator
OAIC
Trust tier
Confirmed
● Disclosed Source: OAIC Β· View record β†’
Firstmac
πŸ‡¦πŸ‡Ί Brisbane, QLD Β· breach 2024-04 Β· disclosed 2024-05
πŸ’³ Finance Β· Non-bank lender
People affected
Not disclosed
Data taken
Name, date of birth, address, email and phone number, External bank account details (BSB and account number) and driver licence number
Regulator
OAIC (notifiable)
Trust tier
Reported
● Disclosed Source: Bitdefender Β· View record β†’
Health New Zealand (Te Whatu Ora)
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2024-02 Β· disclosed 2024-02
πŸ₯ Healthcare Β· Public health system
People affected
12,000 (approx)
Data taken
Personal information relating to COVID-19 vaccination records
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Health New Zealand β€” Te Whatu Ora Β· View record β†’
Western Sydney University
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2024 Β· disclosed 2025-01
πŸŽ“ Education
People affected
Not disclosed
Data taken
Student and staff personal information across multiple incidents (incl. identity and enrolment data)
Regulator
OAIC; IPC NSW
Trust tier
Confirmed
● Under investigation Source: Western Sydney University Β· View record β†’
St Vincent's Health Australia
πŸ‡¦πŸ‡Ί Australia (national) Β· breach 2023-12 Β· disclosed 2023-12
πŸ₯ Healthcare Β· Hospitals & aged care
People affected
Not disclosed
Data taken
Data removed from the network
Regulator
Australian Cyber Security Centre; National Office of Cyber Security
Trust tier
Reported
● Under investigation Source: St Vincent's Health Australia Β· View record β†’
Nissan Oceania
πŸ‡¦πŸ‡Ί Australia & New Zealand Β· breach 2023-12 Β· disclosed 2024-03
πŸ—‚οΈ Other Β· Automotive & finance
People affected
100,000 (approx)
Data taken
Government identification (some Medicare, licence, passport numbers), and other personal information
Regulator
OAIC; ID Support NSW
Trust tier
Reported
● Resolved Source: ID Support NSW (NSW Government) Β· View record β†’
DP World Australia
πŸ‡¦πŸ‡Ί Australia (national ports) Β· breach 2023-11 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Port & logistics operator
People affected
Not disclosed
Data taken
Personal information of current and former employees
Regulator
National Cyber Security Coordinator; OAIC
Trust tier
Reported
● Under investigation Source: DP World Australia Β· View record β†’
Harcourts (Australia)
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-10 Β· disclosed 2023-11
πŸ—‚οΈ Other Β· Real estate
People affected
Not disclosed
Data taken
Names, addresses, bank details and signatures, Photo identification of prospective renters
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: InnovationAus Β· View record β†’
Pizza Hut Australia
πŸ‡¦πŸ‡Ί Australia Β· breach 2023-09 Β· disclosed 2023-09
πŸ›οΈ Retail Β· Hospitality
People affected
193,000 (approx)
Data taken
Names, delivery addresses, contact details; some order and payment records
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
Dymocks
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2023-06 Β· disclosed 2023-09
πŸ›οΈ Retail
People affected
836,000 (approx)
Data taken
Names, dates of birth, email and postal addresses, membership details
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
MediaWorks
πŸ‡³πŸ‡Ώ Auckland Β· breach 2023-05 Β· disclosed 2023-06
πŸ—‚οΈ Other Β· Media / broadcasting
People affected
403,000 (approx)
Data taken
Names, dates of birth, contact details and competition-entry data
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
HWL Ebsworth
πŸ‡¦πŸ‡Ί National (Australia) Β· breach 2023-04 Β· disclosed 2023-06
βš–οΈ Legal
People affected
Not disclosed
Data taken
Legal and government client documents; personal information of individuals, Data linked to ~65 Australian government agencies
Regulator
OAIC; multiple government agencies
Trust tier
Reported
● Resolved Source: HWL Ebsworth Β· View record β†’
Latitude Financial
πŸ‡¦πŸ‡Ί Melbourne, VIC (AU + NZ operations) Β· breach 2023-03 Β· disclosed 2023-03
πŸ’³ Finance
People affected
14,000,000 (approx)
Data taken
Driver licence numbers (~7.9M across AU & NZ), Passport numbers, financial statements and other personal details
Regulator
OAIC + NZ Privacy Commissioner (joint)
Trust tier
Confirmed
● Under investigation Source: OAIC Β· View record β†’
Te PΕ«kenga β€” Competenz
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2023 Β· disclosed 2023
πŸŽ“ Education Β· Vocational education
People affected
6,130+
Data taken
Personal and financial information of learners and staff
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Disclosed Source: BusinessDesk Β· View record β†’
Mercury IT
πŸ‡³πŸ‡Ώ Wellington Β· breach 2022-11 Β· disclosed 2022-12
πŸ–₯️ Technology Β· Managed IT / MSP
People affected
Not disclosed
Data taken
Coronial files and post-mortem reports (~14,500 files, Ministry of Justice), Health and insurance records via downstream agencies
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Under investigation Source: NZ Herald Β· View record β†’
Woolworths MyDeal
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ›οΈ Retail
People affected
2,200,000 (approx)
Data taken
Names, email addresses, phone numbers, delivery addresses (subset: dates of birth)
Regulator
OAIC
Trust tier
Reported
● Disclosed Source: Inside Retail Β· View record β†’
Medibank
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2022-10 Β· disclosed 2022-10
πŸ’³ Insurance Β· Health insurance
People affected
9,700,000 (approx)
Data taken
Names, dates of birth, contact details, Medicare numbers, Sensitive health claims data (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
Pinnacle Midlands Health Network
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2022-09 Β· disclosed 2022-10
πŸ₯ Healthcare Β· Primary care / GP network
People affected
450,000 (approx)
Data taken
Patient addresses and National Health Index (NHI) numbers, Immunisation and screening status, and data about services provided
Regulator
Office of the Privacy Commissioner (NZ)
Trust tier
Reported
● Under investigation Source: RNZ Β· View record β†’
Optus
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-09 Β· disclosed 2022-09
πŸ“‘ Telco
People affected
9,500,000 (approx)
Data taken
Names, dates of birth, phone numbers, email addresses, Driver licence, passport and Medicare numbers (subset of customers)
Regulator
OAIC
Trust tier
Confirmed
● Before the courts Source: OAIC Β· View record β†’
CTARS (NDIS client-management provider)
πŸ‡¦πŸ‡Ί Australia Β· breach 2022-05 Β· disclosed 2022-05
πŸ₯ Healthcare Β· Disability / NDIS case-management software (third-party provider)
People affected
Not disclosed
Data taken
Names, dates of birth, addresses, phone numbers, emails, usernames/passwords and genders, Sensitive health and disability data
Regulator
OAIC and ACSC (notified)
Trust tier
Reported
● Disclosed Source: Information Age (ACS) Β· View record β†’
Australian Clinical Labs β€” Medlab Pathology
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2022-02 Β· disclosed 2022-07
πŸ₯ Healthcare Β· Pathology
People affected
223,000+
Data taken
Names, addresses, contact details, Medicare card numbers, Medical & pathology results
Regulator
OAIC
Penalty
AUD 5.8M
● Penalty issued Source: OAIC Β· View record β†’
South Australian Government (Frontier Software)
πŸ‡¦πŸ‡Ί Adelaide, SA Β· breach 2021-11 Β· disclosed 2021-12
πŸ›οΈ Government Β· State government payroll (third-party provider)
People affected
80,000 (approx)
Data taken
Name, date of birth and home address, Tax file number and bank account details, Remuneration, tax withheld and superannuation details
Regulator
South Australian Government; OAIC
Trust tier
Reported
● Disclosed Source: BleepingComputer Β· View record β†’
AA Traveller
πŸ‡³πŸ‡Ώ New Zealand Β· breach 2021-08 Β· disclosed 2022-05
πŸ—‚οΈ Other Β· Travel / tourism
People affected
Not disclosed
Data taken
Names, addresses and contact details (phone/email), For older records, expired credit-card numbers held on a legacy system
Regulator
NZ Office of the Privacy Commissioner (notified)
Trust tier
Reported
● Disclosed Source: RNZ Β· View record β†’
Waikato DHB (Te Whatu Ora Waikato)
πŸ‡³πŸ‡Ώ Hamilton, Waikato Β· breach 2021-05 Β· disclosed 2021-05
πŸ₯ Healthcare Β· Public hospital
People affected
Not disclosed
Data taken
Patient and staff personal and health information (leaked to media / dark web)
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Te Whatu Ora Β· View record β†’
Air New Zealand β€” Airpoints
πŸ‡³πŸ‡Ώ Auckland Β· breach 2021-03 Β· disclosed 2021-03
πŸ—‚οΈ Other Β· Aviation / loyalty programme
People affected
Not disclosed
Data taken
Airpoints member account details (names, contact and loyalty information)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: RNZ Β· View record β†’
Reserve Bank of New Zealand (Accellion FTA)
πŸ‡³πŸ‡Ώ Wellington Β· breach 2020-12 Β· disclosed 2021-01
πŸ›οΈ Government Β· Central bank
People affected
Not disclosed
Data taken
Commercially and personally sensitive information held in a third-party file-transfer service
Regulator
NZ Privacy Commissioner
Trust tier
Confirmed
● Resolved Source: Reserve Bank of New Zealand Β· View record β†’
Ambulance Tasmania
πŸ‡¦πŸ‡Ί Tasmania Β· breach 2020-11 Β· disclosed 2021-01
πŸ₯ Healthcare Β· State ambulance service
People affected
Not disclosed
Data taken
Patient names, incident locations, age, gender and the medical condition or nature of the callout
Regulator
Referred to Tasmania Police; Tasmanian Department of Health investigation
Trust tier
Reported
● Disclosed Source: The Examiner Β· View record β†’
ProctorU
πŸ‡¦πŸ‡Ί Australian universities (global platform) Β· breach 2020-08 Β· disclosed 2020-08
πŸŽ“ Education Β· EdTech
People affected
444,000 (approx)
Data taken
Names, email and home addresses, and hashed passwords (incl. Australian university students)
Regulator
none
Trust tier
Reported
● Disclosed Source: Honi Soit Β· View record β†’
Toll Group
πŸ‡¦πŸ‡Ί Melbourne, VIC Β· breach 2020-05 Β· disclosed 2020-05
πŸ—‚οΈ Other Β· Transport & logistics
People affected
Not disclosed
Data taken
Personal information of past and present employees, Details of commercial agreements with current and former enterprise customers
Regulator
OAIC (notified)
Trust tier
Reported
● Disclosed Source: iTnews Β· View record β†’
Service NSW
πŸ‡¦πŸ‡Ί New South Wales Β· breach 2020-04 Β· disclosed 2020-09
πŸ›οΈ Government
People affected
104,000 (approx)
Data taken
Personal information contained in staff email accounts (~3.8M documents)
Regulator
NSW Auditor-General / IPC NSW
Trust tier
Confirmed
● Resolved Source: Service NSW Β· View record β†’
TΕ« Ora Compass Health
πŸ‡³πŸ‡Ώ Wellington region Β· breach 2019-08 Β· disclosed 2019-09
πŸ₯ Healthcare Β· Primary health organisation
People affected
1,000,000 (approx)
Data taken
Enrolled patient information (names, dates of birth, contact and health-related data)
Regulator
NZ Privacy Commissioner
Trust tier
Reported
● Resolved Source: Cyber Security Hub Β· View record β†’
Canva
πŸ‡¦πŸ‡Ί Sydney, NSW Β· breach 2019-05 Β· disclosed 2019-05
πŸ–₯️ Technology
People affected
137,000,000 (approx)
Data taken
Usernames, names, email addresses and hashed passwords
Regulator
none
Trust tier
Reported
● Resolved Source: UpGuard Β· View record β†’
Australian National University
πŸ‡¦πŸ‡Ί Canberra, ACT Β· breach 2018-11 Β· disclosed 2019-06
πŸŽ“ Education
People affected
200,000 (approx)
Data taken
Up to 19 years of staff, student and visitor personal data (names, addresses, bank details, academic records)
Regulator
none (public incident report)
Trust tier
Confirmed
● Resolved Source: Australian National University Β· View record β†’
GGOVERN Cybersecurity Assurance Β· Govern house You’re reading everyone else’s breach. Make sure you’re not the next entry. Talk to Govern β†’