Compliance Updates

Data Breach Notifications Increase to All-Time High in 2025, New NDB Stats Show

The Office of the Australian Information Commissioner (OAIC) has released its latest Notifiable Data Breaches (NDB) statistics, and the trend line keeps climbing. In 2025, the OAIC received 1,205 data breach notifications — an 8% increase on 2024’s 1,112, and the highest annual total since the mandatory reporting scheme began in 2018. For facilities managers, IT managers, and building owners overseeing access control, CCTV, and BMS networks, this is a timely reminder that the systems securing a building are themselves data-holding assets subject to these obligations.

What the numbers show

Malicious or criminal activity — predominantly cyber hacking — remains the leading cause of reported breaches, accounting for 716 of the 1,205 notifications in 2025. Health service providers were the most affected sector, representing 19% of all notifications (225 incidents), followed by financial services (157), Australian Government agencies (118), business and professional associations (103), education (81), and legal/accounting/management services (81).

While security integrators and building operators aren’t named as a discrete category in this dataset, the broader pattern is relevant: any organisation holding personal information — including visitor logs, access control credentials, CCTV footage with identifiable individuals, or tenant/resident databases tied to intercom and access systems — falls within scope of the Privacy Act’s notifiable breach obligations if a breach is likely to cause serious harm.

A new practical tool from the regulator

In response to the rising volume of notifications, the OAIC has published a quick reference guide and a downloadable self-assessment checklist to help entities determine whether an incident requires assessment, notification to the OAIC, and notification to affected individuals. This is a welcome, practical resource — particularly for smaller strata committees, clubs, and building operators who may not have in-house privacy counsel and are often unsure whether an incident (say, an access control database exposure or a compromised NVR with cloud backup) crosses the notification threshold.

The regulator also points to its 2026 Australian Community Attitudes to Privacy Survey, which found 82% of Australians now consider data breaches a top privacy concern, up from 74% in 2023. That shift in public sentiment matters operationally: building occupants, strata owners, and club members increasingly expect operators to demonstrate they take data handling seriously, not just physical security.

Operational implications for security and BMS operators

Security and building management systems generate and store more personal information than many operators realise:

  • Access control platforms (e.g. ICT Protege, Gallagher, Inner Range Integriti) hold cardholder names, credentials, and access logs.
  • CCTV and VMS platforms (e.g. Milestone, exacqVision) store footage that may constitute personal information under the Privacy Act, particularly where facial identification is possible.
  • Visitor management and intercom systems often capture contact details, vehicle registrations, and photos.
  • BMS networks, where poorly segmented, can expose adjacent IT infrastructure to lateral movement if compromised.

None of these systems are exempt from NDB obligations simply because they sit in the “security” rather than “IT” bucket. A breach of an access control server, a stolen NVR hard drive, or a compromised remote-access VPN into a BMS can all trigger notification requirements if serious harm to individuals is likely.

The Mallen take

We regularly see security and BMS infrastructure treated as separate from an organisation’s broader privacy and cyber risk register — often because it’s managed by a different team, or a different contractor, to core IT. The OAIC’s rising notification numbers are a good prompt to close that gap. Knowing what personal information your access control, CCTV, and intercom systems actually hold, how long it’s retained, and who can access it, is now baseline due diligence rather than a nice-to-have.

This is exactly the kind of gap that the Mallen site audit is designed to surface — mapping what devices exist, what data they hold, and where the exposure points are, before an incident forces the conversation. If your organisation hasn’t reviewed data retention settings on your NVRs or access control database in the last 12 months, the OAIC’s new self-assessment checklist is a reasonable place to start, alongside a technical review of your security network architecture.

Original source: OAIC media centre