More people affected by ‘high risk’ data breaches

Published: 1 May 2025

The Office of the Data Protection Authority (“ODPA”) has released the latest personal data breach statistics for Q1 2025. 

Every quarter the ODPA shares insights from recent breach data towards improving breach preparedness for public, private and third sector organisations . 
 
From 1 January-31 March 2025, there were a total of 49 self-reported personal data breaches, an almost 50% increase over the previous quarter. 
 
These breaches affected 1,258 people, down from the previous quarterly figure of 4,914. However, more people (732, up from 187) were affected by ‘high risk’ breaches. 

In essence, there was a significant increase of breaches reported in this quarter with a greater proportion representing high risks to affected individuals. 

Case study:  

During Q1, the ODPA received notification of a personal data breach where an organisation had been made aware that a client’s e-mail account had been compromised by a cyber-criminal.

Despite the client providing a new e-mail address to be used, the organisation continued sending private correspondence to the hacked account. 

Considering this breach, we urge organisations to ensure that employees are aware of and follow security procedures for compromised accounts.

Where contact information is known to be outdated or compromised, swift steps must be taken to update such information across all databases.

This was particularly important in this case, given the known risk of information being sent to a cyber-criminal with malicious intent.

General guidance on how to handle a data breach can be found at Handling Data Breaches · ODPA

2025 Q1 Potential harms identified

2025 Q1 Nature of relationship

2025 Q1 How organisations discovered breaches

2025 Q1 Breaches reported

2025 Q1 Types of personal data affected

2025 Q1 ODPA Assessment of risk

2025 Q1 Data subjects notified under section 43 of the law