
How data breaches and privacy incidents are triggering a new wave of investigations and regulatory enforcement

The Comtrac Team

Feb 18, 2026


The global privacy and cyber landscape has shifted dramatically in just a few years. What was once viewed as a contained compliance issue within individual organisations is now a multi-jurisdictional regulatory event — triggering coordinated investigations, significant civil penalties, class actions, regulatory enforcement across borders, and in some cases, even international sanctions.

In Australia, high-profile breaches involving Optus, Medibank and Latitude Financial have exposed the scale of personal information held by Australian organisations and the profound consequences when those systems fail. These incidents did not occur in isolation; they reflect a broader structural shift:

  • Australia now has one of the highest internet penetration rates globally, with over 97% of the population online, making digital connectivity and data exchange central to daily life and business.

  • Businesses increasingly operate in cloud-based, interconnected ecosystems, with some surveys suggesting that more than 80% of Australian businesses now use some form of cloud service.

  • Personal data is more central to business models than ever before. 

  • Cybercrime reports to the Australian Cyber Security Centre (ACSC) continue to rise year-on-year, with individuals and businesses facing identity fraud, online shopping fraud and other malicious activity at alarming rates.

Collectively, these trends reflect a global shift toward greater dependency on digital technologies and a corresponding escalation in privacy and security risk that regulators and organisations must navigate. 

A surge in regulatory investigations 

At the federal level, the Office of the Australian Information Commissioner (OAIC) has moved decisively into an era of heightened investigative enforcement.  

Major investigations  

In recent times, the OAIC has conducted numerous major investigations into Singtel Optus, Medibank, Latitude Financial and Australian Clinical Labs. These matters highlight the scale and technical sophistication of contemporary privacy investigations, where large volumes of sensitive personal information, complex IT environments, and international regulatory cooperation are now common features of major enforcement activity.

The volume behind the headlines 

While major investigations capture media attention, the day-to-day regulatory workload is even more significant. 

Under the Notifiable Data Breaches (NDB) scheme in 2024-25:

  • Businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024 – the highest annual total since mandatory data breach notification requirements started in 2018. 

  • For the period 1 July to 31 December 2024, the OAIC was notified of 595 data breaches, ending the year with a total of 1,113 notifications. This is a 25% increase from 893 notifications in 2023.

These figures reflect the high and increasing volume of breach notifications the OAIC is managing each year under the NDB scheme. 

Beyond breach notifications, according to the Office of the Australian Information Commissioner Annual Report 2024–25, the OAIC’s freedom of information (FOI) investigative activity over that period included a significant increase in FOI reviews: a total of 248 Information Commissioner (IC) reviews were finalised by way of a published decision under s 55K of the FOI Act, a significant increase compared to the previous year, when 207 reviews were finalised in this way.

These complaint-handling and FOI functions operate alongside major investigations, creating layered and concurrent regulatory demand.

The state-level parallel 

The pressure is not confined to the federal sphere. 

For example, at the state level, regulators such as the Office of the Information Commissioner Queensland (OIC Queensland) perform parallel oversight functions under: 

  • The Right to Information Act 2009 (Qld) 

  • The Information Privacy Act 2009 (Qld) 

The OIC Queensland investigates agency decisions, handles privacy complaints and monitors compliance across Queensland government bodies. Similar oversight bodies exist in every Australian state and territory. 

As digital transformation accelerates across government services — including online portals, cloud systems and data sharing arrangements — state regulators face comparable challenges: 

  • Rising complaint volumes 

  • Increased expectations for transparency 

  • Complex privacy assessments involving digital systems 

  • Public scrutiny following cyber incidents 

The cumulative effect is a nationwide regulatory environment where privacy oversight is increasingly investigative, technically demanding and enforcement-oriented. 

The expanding enforcement landscape: Investigations, class actions and sanctions 

A modern data breach rarely ends with regulatory correspondence. 

Today, a serious breach can trigger: 

  1. Regulatory investigation and potential civil penalties 

  2. Representative or class action litigation seeking compensation for affected individuals 

  3. Parallel inquiries by other domestic or international regulators 

  4. Potential sanctions mechanisms targeting perpetrators in cross-border cyber incidents 

This convergence has led many observers to describe the situation as a regulatory “deluge”: not just one enforcement process, but several layers of accountability happening all at once.

Challenges for regulators in an era of investigative escalation 

The increase in both volume and complexity of investigations presents significant operational challenges for regulatory agencies. 

1. Scale and technical complexity 

Modern breaches often involve: 

  • Cloud infrastructure 

  • Encrypted or exfiltrated datasets 

  • Third-party vendors 

  • Cross-jurisdictional elements 

Investigating these matters requires forensic, legal and technological expertise. 

2. Resource allocation and prioritisation 

With the volume of data privacy breaches increasing annually (plus complaints and FOI reviews), regulators must apply risk-based triaging models to determine: 

  • Which matters warrant full investigation 

  • Which require monitoring or remediation undertakings 

  • Which may escalate to prosecution  

3. Evidence management 

Large-scale breaches can involve: 

  • Millions of data records 

  • Extensive internal correspondence 

  • Technical logs and expert reports 

Managing, analysing and presenting this material in briefs of evidence demands sophisticated digital case management capability. 

4. Parallel proceedings 

Where class actions are filed alongside regulatory investigations, agencies must carefully manage: 

  • Procedural fairness 

  • Disclosure obligations 

  • Timing of determinations 

  • Public communications 

Permanent shift in the regulatory landscape 

The rise of the digital economy has changed the way privacy risks affect Australian organisations. Data is more valuable, more mobile, and more exposed than ever before. Breaches are no longer rare exceptions; they’ve become a regular part of the operating environment.

For regulators at the Commonwealth and state level, this shift has meant:

  • Setting up specialist investigative units to handle complex cases 

  • Expanding Commissioner-initiated inquiries to proactively target high-risk issues 

  • Managing hundreds of data breach notifications each year 

  • Navigating overlapping litigation and enforcement processes 

The takeaway is clear: privacy regulation in Australia has moved from a reactive, compliance-focused approach to one of sustained investigative enforcement. Today, a data breach doesn’t just trigger a single response — it can set off a chain reaction of regulatory, legal, and reputational consequences, reshaping how agencies enforce the law, how organisations manage data, and how individuals exercise their rights in an increasingly digital world. 

Bringing control to complexity: How platforms like Comtrac can help 

In a landscape defined by ever-growing data volumes, complex IT environments, cross-jurisdictional investigations, and overlapping regulatory and legal processes, being a regulator in this space has never been more challenging. This is where a purpose-built investigative platform like Comtrac can make a real difference. 

Comtrac allows regulators and organisations to streamline the entire investigative process, from the moment a breach is reported to the compilation of a full brief of evidence. Its capabilities include: 

  • Built for investigative practice: Comtrac is designed specifically for managing regulatory investigations, rather than being adapted from a generic case management system.

  • Automated mapping of evidence to regulatory obligations: Ensures all relevant data aligns with statutory requirements and compliance standards. 

  • Governance-ready: Provides real-time dashboards and reporting that enable executive leadership to maintain oversight of caseloads and emerging risks. 

  • AI-enhanced efficiency: Tools assist investigators with structuring briefs, managing evidence, and producing consistent, court-ready briefs of evidence and investigation reports. 

  • Security and compliance assured: IRAP-aligned infrastructure ensures that sensitive electoral and personal information is protected and meets Commonwealth security requirements. 

Comtrac can transform what would otherwise be a chaotic and reactive process into a structured, efficient, and defensible approach, giving regulators the confidence to act decisively and protect individuals’ privacy in a digital-first world.