
    Data Breaches in 2026: The AU & US Numbers Every Board Should Know

    In 2021 we wrote that 30% of Australian businesses had experienced a security breach. In 2026 the picture is worse, the regulators are angrier, and the cost has nearly doubled. Here's where things actually stand — and what to do about it.

    Originally published August 2021 · Updated May 2026

    🇦🇺 Australia — the 2026 picture

    • The OAIC's Notifiable Data Breaches reports have shown record-high notification volumes through 2024 and 2025, with malicious or criminal attack the leading cause and ransomware a persistent driver.
    • Health, finance, government and education remain the most-breached sectors year after year.
    • The Privacy and Other Legislation Amendment Act 2024 introduced civil penalties of up to AU$50M (or 30% of adjusted turnover, or 3× the benefit obtained) and a statutory tort for serious invasions of privacy.
    • Tranche 2 reforms (2025–2026) remove the small business exemption and introduce a "fair and reasonable" handling test plus automated decision-making transparency.
    • APRA CPS 234 and CPS 230 (in force July 2025) put board-level accountability on information security and operational resilience for regulated entities.
    • The SOCI Act now bites for critical infrastructure — including data storage and processing.
    • Independent surveys (ACSC, ASBFEO, ABS) consistently find 40–60% of Australian SMBs have experienced a cyber incident in the past 12 months.

    🇺🇸 United States — the 2026 picture

    • The Identity Theft Resource Center's annual data breach reports have shown record breach counts in 2023 and 2024, with the trend continuing into 2025.
    • IBM's 2024 Cost of a Data Breach Report put the global average cost at USD $4.88M — a record high — with the US average over USD $9.36M.
    • Healthcare remains the most expensive sector for breaches, averaging well over USD $9M per incident.
    • 20+ US states now have comprehensive consumer privacy laws on the books, each with its own definition of sensitive data and breach-notification requirements.
    • SEC Regulation S-P (amended 2024) requires 30-day breach notification for advisers and broker-dealers.
    • NYDFS Part 500 (amended Nov 2024) requires 72-hour breach reporting and explicit board accountability.
    • HIPAA enforcement by HHS/OCR remains the single largest source of data-protection fines in the US.

    What's actually causing breaches in 2026

    1. Phishing and credential theft — still the #1 initial access vector globally.
    2. Compromised vendors and SaaS supply chains — MOVEit, Snowflake-customer incidents and a string of file-transfer compromises have made third-party risk the leading cause of disclosure.
    3. Misconfigured cloud storage — open buckets and over-permissive sharing in SharePoint, OneDrive, Google Drive and Box.
    4. Unstructured data sprawl — sensitive data sitting in shared drives, email and ticketing systems that nobody has inventoried.
    5. Shadow AI — staff pasting client and financial data into consumer AI tools.
    6. Ransomware — double- and triple-extortion remains the dominant business model for organised cybercrime.

    The honest truth about sensitive client data

    Most organisations cannot answer the question "where is our sensitive client data right now?" with any confidence. Our scans across mid-market clients consistently find that 30–60% of files in shared drives are redundant, obsolete or trivial — and a meaningful percentage contain unprotected PII, PHI or financial information that should have been deleted years ago. You can't protect what you can't see.

    What boards should be asking in 2026

    1. Where does our sensitive data physically live, and who has access to it?
    2. What percentage of our data store is ROT, and what's our remediation plan?
    3. How quickly could we notify regulators under OAIC, SEC, NYDFS or HIPAA timelines?
    4. Have we tested an incident response plan in the last 12 months — including an AI-related leak?
    5. Do our material vendors meet our own standards under CPS 230 / NYDFS Part 500?
    6. Do we have a written, enforced policy on staff use of generative AI?

    A practical 90-day reduction plan

    1. Discover. Run a full PII scan with Priivacy across your shared drives, M365, Google Workspace and email archives — entirely inside your firewall.
    2. Reduce. Eliminate ROT and apply retention policies via Data Cleanup.
    3. Govern. Lock down access, encrypt at rest and in transit, enforce MFA everywhere, and stand up controls under GRC Frameworks.
    4. Respond. Test your IR plan and align notification timing with the regimes that apply to you.

    Local-first scanning

    Priivacy never extracts your data. All scanning runs inside your environment; only metadata and aggregate findings ever leave your firewall.
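    The "Discover" step above and the local-first claim are easiest to reason about with a concrete scanner in hand. The following is an added illustration written for this page, not Priivacy's code or any USC Data tool: it walks a directory tree, looks for three identifier formats (Australian TFN, US SSN, payment card), confirms each hit with the format's checksum or structural rule so that random digit runs are not counted, and emits only aggregate findings (counts, extensions, file age) so no record content leaves the host. The sample files it creates, the three-year staleness threshold and the function names are all assumptions made for the demo.

```python
"""Local-first PII / ROT discovery scan (added illustration, not Priivacy's code).

Walks a tree, validates candidate identifiers with checksums, and reports
only counts and ages so that no record content leaves the scanned host.
"""
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Candidate patterns; each regex hit is confirmed by a validator below.
PATTERNS = {
    "au_tfn": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card":   re.compile(r"\b(?:\d[ -]?){15,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

def tfn_ok(digits: str) -> bool:
    """ATO tax file number check: weighted digit sum divisible by 11."""
    if len(digits) != 9:
        return False
    return sum(w * int(d) for w, d in zip(TFN_WEIGHTS, digits)) % 11 == 0

def ssn_ok(digits: str) -> bool:
    """Structural SSN rule: rejects reserved area, group and serial values."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0

VALIDATORS = {"au_tfn": tfn_ok, "us_ssn": ssn_ok, "card": luhn_ok}

def scan_text(text: str) -> Counter:
    """Count validated hits per category; the matched values are never returned."""
    hits = Counter()
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if VALIDATORS[name](digits):
                hits[name] += 1
    return hits

def scan_tree(root: str, stale_days: int = 3 * 365) -> dict:
    """Aggregate report for a tree: file counts, extensions, staleness, hit counts."""
    now = time.time()
    report = {"files": 0, "files_with_pii": 0, "stale_files": 0,
              "stale_with_pii": 0, "hits": Counter(), "by_ext": Counter()}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        report["files"] += 1
        report["by_ext"][path.suffix or "(none)"] += 1
        hits = scan_text(path.read_text(errors="ignore"))
        stale = (now - path.stat().st_mtime) > stale_days * 86400
        report["stale_files"] += stale
        if hits:
            report["files_with_pii"] += 1
            report["hits"].update(hits)
            report["stale_with_pii"] += stale
    return report

def build_sample_tree(root: str) -> None:
    """Constructed sample files (not real records) so the demo runs offline."""
    base = Path(root)
    (base / "hr").mkdir(parents=True, exist_ok=True)
    old = base / "hr" / "onboarding_2019.txt"
    old.write_text("Employee TFN 123 456 782, emergency SSN 123-45-6789\n")
    os.utime(old, (0, time.time() - 4 * 365 * 86400))   # four years stale
    # Second row fails Luhn and is therefore not counted as a card number.
    (base / "finance.csv").write_text("card,4111 1111 1111 1111\nnote,9999 9999 9999 9999\n")
    # Serial 0000 fails the SSN rule, so this file yields no hits.
    (base / "readme.txt").write_text("No identifiers here; ticket 123-45-0000.\n")

def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the aggregate report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    r = run_demo()
    print({k: (dict(v) if isinstance(v, Counter) else v) for k, v in r.items()})
```

    The report is the only thing that would cross a network boundary: three files, two holding validated identifiers, one of them also past the retention threshold (the ROT-with-PII case that step 2 targets). A production tool would add file-type parsers, an allow-list for known test data and a wider pattern set, but the split between content that stays local and aggregates that leave is the point the page makes.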
