The recent data breach at the Australian Human Rights Commission (AHRC) is a stark reminder of what's at stake when public sector cybersecurity falls short.
The exposure of sensitive personal information—coupled with a delayed response that exceeded the Notifiable Data Breach (NDB) Scheme's 72-hour notification benchmark—highlights systemic challenges in how government agencies prepare for, detect, and respond to cyber threats.
This breach isn't an isolated event. Between 2020 and 2024, over 1,200 data breaches have been reported under the OAIC's Notifiable Data Breaches (NDB) Scheme, and public sector bodies continue to face increasing scrutiny for their role in safeguarding the personal data of Australians.
Fragmented Regulations = Unprotected Citizens
Australia's public sector operates under fragmented cyber reporting rules. Federal agencies must comply with the NDB scheme, while states like NSW have introduced their own Mandatory Notification of Data Breaches (MNDB) frameworks. However, many entities—including local councils, universities, and even federal political parties—are exempt from any meaningful breach disclosure requirements.
This patchwork approach creates regulatory blind spots, allowing incidents like the NSW Department of Education breach (2023) and now the AHRC breach (2025) to slip through the cracks without timely reporting or accountability.
Worse still, there are no financial penalties for non-compliance at the Commonwealth level, leaving federal agencies little incentive to improve.
Trends in Government Sector Breaches
According to OAIC data, malicious attacks account for the majority of breaches, with phishing and social engineering making up a significant share. The public sector continues to be one of the most targeted verticals, and in the Jan-Jun 2024 period alone:
- 87% of federal agency notifications were made more than 30 days after discovering a breach.
- The Australian Government sector experienced the highest number of social engineering-based breaches, including impersonation and identity fraud.
Other persistent weaknesses include:
- Cloud misconfigurations: Such as the 2024 myGov data exposure caused by an unsecured AWS S3 bucket.
- Legacy systems: With 60% of federal agencies still running Windows Server 2012, which reached end-of-life in 2023.
- Supply chain vulnerabilities: The AHRC breach reportedly originated from a third-party software vendor lacking ISO 27001 certification.
What Needs to Change?
- Stronger Mandates & Enforcement: We need unified federal and state data breach laws with mandatory reporting for all government bodies and meaningful penalties for failure to comply.
- Security-First Procurement: Agencies must ensure vendors meet certification and control requirements before granting access to sensitive systems.
- Continuous Testing & Threat Simulation: Public sector organizations should regularly engage in penetration testing, red teaming, and Essential Eight effectiveness assessments to identify and close security gaps before adversaries can exploit them.
- Accelerated Modernization: Legacy systems must be phased out in favour of modern, secure-by-design architecture, particularly in high-risk areas like identity management, citizen portals, and healthcare records.
Rebuilding Trust Through Security
Citizens expect government institutions to protect their data with the same rigour they apply to public safety. But when breaches go undetected for months—or aren't reported at all—trust erodes.
At Trustwave, we work with government agencies to provide:
The AHRC breach should serve as a wake-up call. As cyber threats grow in sophistication and frequency, the public sector must respond with urgency, coordination, and accountability.
If your agency is navigating fragmented frameworks or legacy environments, we're here to help.
