Australia recorded an estimated 1.1 million leaked accounts in the first quarter of 2026 (Q1 2026), ranking 15th globally by breach volume and signalling ongoing exposure to cyber and privacy incidents that can affect insurers, brokers, and their clients.
Surfshark’s latest quarterly breach analysis indicates that 1.1 million Australian accounts were compromised between January and March 2026, contributing to an estimated cumulative total of 207.2 million leaked accounts linked to Australian users. Globally, 210.3 million accounts were breached in the same quarter, with the US accounting for 29% of incidents. France ranked second, followed by India, Brazil, and the UK. Since 2004, Surfshark estimates that 622.4 million Australian personal records have been exposed in breaches. Each affected email address is typically linked to three additional data points. Passwords (110.2 million records) and first names (52.6 million) are the most common data elements involved.
The compromised data frequently extends to identifiers and contact details used in financial and insurance transactions. Surfshark’s figures show exposure of 314,100 Social Security Numbers and 88,500 payment card numbers, alongside 20.3 million phone numbers and 20.7 million physical addresses. These categories align with information routinely collected for policy issuance, customer onboarding, and claims management, increasing potential consequences when data is exfiltrated or mishandled. On a comparative basis, Surfshark reports that the worldwide number of breached accounts in the first quarter of 2026 was three times higher than in the same period in 2025. Compared with the fourth quarter of 2025 (Q4 2025), the global breach count was up 22%, indicating continued growth in incidents affecting user accounts.
The breach trends are emerging alongside rapid adoption of artificial intelligence tools in corporate environments. In 2025, 20.2% of companies reported using AI, up from 8.7% in 2023. The increase has prompted discussion about whether new AI-related systems and data flows are intersecting with the growth in breaches. According to Surfshark chief security officer Tomas Stamulis, the way AI is deployed can change how much data organisations hold and how it is distributed across systems. He said that as firms introduce AI, “they increase the amount of user data stored, expand the number of digital systems they use, and integrate more platforms to manage larger volumes of user data.”
Stamulis added: “These AI-driven systems also collect and log more detailed user information for automation, analytics, and model improvement. While this improves the company’s efficiency, it also means there are many more systems for businesses to secure, more opportunities for error, and more points where sensitive information such as user credentials and personal data can be exposed. As a result, hackers now have a larger and more complex environment to exploit and execute attacks, including data breaches.”
Stamulis also raised concerns about businesses requiring customers to create accounts and provide personal information to complete online transactions where there is no clear operational need. As data breaches have become a regular feature of the operating environment, such practices can increase the volume of stored data that may later be involved in an incident. “For people, a data leak means their personal information is forever on the internet. It’s not a one-time threat that disappears after a user changes their compromised email address and password. It becomes a constant security risk as hackers reuse leaked data, package it into ‘combo lists,’ combine it with new leaks, and resell it repeatedly. So even after 10 or 20 years, leaked data is still valuable and can be used against a user to commit fraud, gain access to more data, and steal money,” he said.
Regulatory reporting in Australia shows that local entities continue to lodge a substantial number of notifications under the Notifiable Data Breaches (NDB) scheme, despite a recent decrease from record levels. The Office of the Australian Information Commissioner (OAIC) received 532 notifications between January and June 2025, a 10% reduction from the previous six‑month period. The OAIC has noted that notifications remain high overall and that, since the scheme began, more incidents tend to be reported in the second half of each calendar year.
Malicious or criminal attacks were the leading cause of incidents in the first half of 2025, accounting for 59% of notifications (308 breaches). Cyber security incidents were the predominant type within this category. On average, each cyber incident affected just over 10,000 individuals, indicating the scale at which data can be exposed once systems are compromised. By sector, health organisations reported 18% of all breaches, the highest share. The finance sector – including insurers and other financial institutions – accounted for 14%, and Australian government agencies represented 13%.
Human error was also a significant factor. The OAIC reported that 37% of notified breaches (193 incidents) in the period were attributed to human error, up from 29% in the previous reporting period. The regulator has pointed to this trend as evidence that staff actions and processes remain a key component of personal information security, alongside technical controls. IBM has estimated that the average cost of a data breach to a business was $4.26 million in 2024, indicating the scale of potential financial impact from a single incident when direct and indirect costs are considered.
Following new data showing Australia logged 1.1 million leaked accounts and ranked 15th worldwide for exposed credentials, Robyn Adcock, national placement manager cyber & technology at Gallagher, told Insurance Business that the fundamentals of risk advisory have remained consistent even as expectations on cyber advisors have intensified. “The threat environment has evolved, and with it, the way organisations must think about cyber risk. At Gallagher, our role has expanded beyond insurance placement to actively connect technology risk with financial outcomes – helping clients understand how cyber events affect not just systems, but balance sheets,” Adcock said.
Adcock said the gap between perceived and actual cyber risk is narrowing, with conversations maturing from pure risk transfer and coverage into operational resilience. “Gallagher spends significant time working with clients to not only identify risks to critical data and systems, but evaluate impacts to revenue, cash flow and profitability when those systems are disrupted,” she said. One of the most noticeable shifts, she noted, has been in underwriting dynamics. “The market is no longer uniform. Some insurers continue to apply rigorous technical assessment and control requirements, while others are moving toward faster, lower-friction entry points. In this environment, access to capacity requires more than simply completing a proposal form. Outcomes around coverage breadth, pricing stability, and claims certainty depend heavily on how well a risk is understood, articulated, and presented,” Adcock said.
Adcock also highlighted that small and mid-sized enterprises (SMEs) are feeling the sharpest effects of rising cyber risk. While large, high-profile breaches dominate headlines, Australia’s SMEs “face the most immediate and sustained exposure,” often with fewer internal resources to respond. She pointed to a recent ransomware incident affecting a 12‑staff business during its peak trading period. Because the policy had been structured with business interruption front of mind – rather than focusing solely on data recovery – the claim response protected hundreds of thousands of dollars in lost income. “This is where proactive advice materially changes outcomes. Without that tailored approach, the business may not exist today. Ultimately, our role is to provide informed confidence,” Adcock said. Complex risks, she added, require clear and transparent solutions. “Our objective is to ensure that when cyber incidents occur – and they increasingly will – clients are not only insured, but prepared to respond, recover, and continue operating,” she said.
