Another Day, Another Breach: The Relentless Pace of Cyber Incidents

Sixteen Days In: A Sobering Start to the Year

When an Insicon Cyber team member shared news of the Victorian Department of Education breach with the subject line "Another Day; Another Breach," it struck a chord. Even those of us who work in cybersecurity can feel the weight of the unrelenting pace of cyber incidents. We're only sixteen days into 2026, and the scale of breaches already demands our attention.

The Victorian breach, disclosed on 14 January 2026, affected all 1,700 government schools across the state. Unauthorised actors accessed a database containing the names, email addresses, encrypted passwords, and year levels of current and former students across Victoria's 665,000+ government school students. While more sensitive data such as birth dates and home addresses weren't compromised, the incident required immediate system shutdowns and mass password resets just weeks before students return for the 2026 school year.

This wasn't an isolated incident. It's part of an alarming pattern emerging across Australia and New Zealand.

The Trans-Tasman Reality: We're All Targets

Just days earlier, New Zealand experienced its own significant breach. Manage My Health, the country's largest patient portal with 1.8 million registered users, discovered unauthorised access to its "My Health Documents" module on 30 December 2025. The breach, disclosed throughout early January 2026, affected approximately 125,000 patients (6-7% of users), exposing medical documents including clinical discharge summaries, referral records, and other sensitive health information.

The attackers, operating under the alias "Kazu," demanded a ransom of US$60,000. Manage My Health secured High Court injunction orders to prevent data publication and has been working with New Zealand Police, the Privacy Commissioner, and Health New Zealand to manage the incident.

These two incidents alone demonstrate the breadth of the problem. Education. Healthcare. Public sector. Private sector. No industry is immune, and both sides of the Tasman are experiencing the same relentless pressure.

The Global Context: It's Not Just Us

While Australia and New Zealand grapple with these incidents, the global picture is equally concerning. In the first two weeks of 2026, we've seen:

Instagram Data Leak (10 January 2026): A massive breach compromised 17.5 million Instagram users globally, with a threat actor called "Solonik" posting the data on dark web forums. The dataset included email addresses, phone numbers, names, usernames, and geographic data, harvested through an API leak in late 2024. Unlike simple credential dumps, this breach provides cybercriminals with comprehensive profiles for sophisticated social engineering attacks.

Ledger Third-Party Breach (5 January 2026): Cryptocurrency hardware wallet maker Ledger disclosed that customer order data was exposed through a breach at e-commerce partner Global-e. The data broker ShinyHunters claimed possession of over 200 million records affecting multiple brands using Global-e's services.

Ransomware Surge: The first two weeks of 2026 saw multiple ransomware attacks across healthcare, professional services, retail, and infrastructure. Threat actors including INC_RANSOM, Akira, Qilin, and others claimed numerous victims globally, with many attacks specifically targeting organisations in data-rich sectors.

The Numbers Tell a Story

The 2026 incidents need context from recent trends across Australia and New Zealand:

New Zealand (2024/25 Financial Year):

• 5,995 total incident reports recorded (compared to 7,112 in 2023/24)
• 331 incidents triaged as potential national significance (compared to 343 in 2023/24)
• 137 incidents linked to criminal or financially motivated actors (more than double the 65 from the previous year)
• 88 ransomware reports (compared to 63 the year before)
• $26.9 million in direct financial losses (up from $21.6 million in 2023/24)
• 53% of SMEs experienced a cyber threat between January and June 2025 (up from 36% in 2024)

Australia (FY2024-25):

• 138 ransomware incidents responded to by ASD's ACSC
• 595 data breach notifications received by OAIC between July and December 2024 (15% increase from previous period)
• 2024 marked the highest number of breach notifications in a year since the scheme commenced in 2018
• Significant increase in breaches caused by social engineering and impersonation

Why the Pace Matters: From Incident Fatigue to Strategic Response

The "Another Day; Another Breach" sentiment reflects something deeper than frustration. It signals incident fatigue, a dangerous state where organisations become desensitised to cyber risk. When breaches become routine background noise, strategic response can give way to reactive firefighting.

For boards and executives across Australia and New Zealand, this pace creates several critical challenges:

Aggregation Exposure:

The Victorian education breach demonstrates how a single compromise of centralised systems can affect data relating to large cohorts across multiple institutions. This creates significant aggregation exposure for insurers and highlights systemic vulnerabilities in shared infrastructure.

Cascade Effects:

Initial access brokers now operate a mature underground marketplace. Cyble Research documented 92 instances of compromised access sales affecting ANZ organisations in 2025, with retail accounting for 34% of activity. These access sales often precede larger ransomware or data exfiltration attacks.

Operational Disruption:

Beyond data loss, organisations face extended operational disruption. The Victorian breach required system shutdowns and password resets for 665,000+ students just before the school year. Manage My Health had to coordinate with hundreds of GP practices while managing patient notifications and court proceedings.

Regulatory Pressure:

The Australian Government introduced mandatory ransomware reporting for businesses with annual turnovers of $3 million+ in May 2025. The OAIC's Notifiable Data Breaches statistics show organisations face increasing compliance obligations alongside the operational challenges of breach response.

The ANZ Context: Unique Challenges, Shared Solutions

Australia and New Zealand face distinctive challenges within this global threat landscape:

Critical Infrastructure Targeting: Fortinet analysis shows approximately three-quarters of malicious cyber activity hitting New Zealand and Australia is now organised crime rather than nation-state operations. Cybercriminals increasingly target critical infrastructure like manufacturing, healthcare, and utilities, blending data theft, operational disruption, and extortion.

Regulatory Evolution: Both countries are strengthening cybersecurity frameworks. Australia's Essential Eight, SOCI Act requirements, and APRA's focus on geopolitical cyber risks create evolving compliance landscapes. New Zealand's NZISM and Privacy Act 2020 similarly demand robust security postures.

SME Vulnerability: Research indicates 53% of New Zealand's SMEs experienced cyber threats in early 2025, yet many understand cyber security is important but remain complacent about implementing critical security practices. This gap between awareness and action creates systemic vulnerability.

Moving Beyond Incident Fatigue: What Boards Should Ask

The relentless pace of breaches in 2026 demands more than resignation. It requires strategic response. Directors and executives should be asking:

1. Could we operate tomorrow if ransomware hit our critical systems? The Victorian Department of Education had to disable systems immediately. Do you have tested continuity plans that don't depend on paying ransoms?
2. Do we truly understand our data holdings and dependencies? Manage My Health discovered the breach affected a specific module. Do you have comprehensive visibility into where sensitive data resides, including in third-party systems and shadow IT?
3. Are our crisis management processes genuinely tested? Both the Victorian and Manage My Health incidents required coordination across multiple stakeholders, legal proceedings, public communications, and regulatory notifications. Have you tested these processes under realistic conditions?
4. How do we compare against Essential Eight and NZISM benchmarks? The NCSC determined that a lack of MFA on an important service enabled threat actors to compromise a New Zealand health sector organisation in May 2025. Are foundational controls actually implemented, not just documented?
5. What's our approach to third-party risk? The Ledger breach occurred through e-commerce partner Global-e. The Victorian breach entered through a school's network to access the central database. How well do you understand your supply chain exposure?

The Insicon Cyber Perspective: Integrated Protection for an Accelerating Threat Landscape

At Insicon Cyber, we're not immune to the "Another Day; Another Breach" feeling. But our response is to recognise that the threat landscape demands more than traditional advisory or point-in-point solutions.

Organisations across Australia and New Zealand need comprehensive cybersecurity partnerships that integrate strategic advisory with continuous operational protection. This means:

Adaptive Security Operations: Intelligence-driven protection that evolves with the threat landscape, combining 24/7 monitoring with strategic threat intelligence specific to ANZ organisations.

Proactive Risk Management: Moving beyond reactive incident response to proactive identification of vulnerabilities, third-party risks, and control gaps before they're exploited.

Integrated Compliance: Streamlined pathways to meeting Essential Eight, SOCI Act, NZISM, and ISO 27001 requirements, reducing complexity while strengthening security posture.

Tested Resilience: Regular testing of incident response, crisis management, and business continuity plans, ensuring organisations can genuinely operate under attack conditions.

Board-Ready Reporting: Translating technical security operations into strategic insights that enable informed board decision-making about cyber risk.

The Reality for 2026: Preparation Over Panic

Sixteen days into 2026, we've already seen major breaches affecting education, healthcare, social media, and critical services across Australia, New Zealand, and globally. The pace won't slow. Cybercriminals are leveraging AI to scale attacks, ransomware remains lucrative, and the commercialisation of cybercrime continues to lower barriers to entry for threat actors.

But "Another Day; Another Breach" doesn't have to mean resignation. It can mean recognition. Recognition that cyber security is not a project with an end date, but an ongoing operational and strategic imperative. Recognition that the threat landscape demands partnerships that span from boardroom strategy to 24/7 security operations.

For organisations across the Tasman, the question isn't whether you'll face a cyber incident. It's whether you'll be prepared when you do.

Take Action

If you're concerned about your organisation's preparedness for the current threat landscape, Insicon Cyber can help. Our comprehensive cybersecurity partnerships combine strategic advisory with continuous operational protection, tailored to the unique regulatory and threat environment across Australia and New Zealand.

Contact us to discuss how integrated cybersecurity can strengthen your resilience against the relentless pace of cyber incidents.

About Insicon Cyber

Insicon Cyber is the ANZ region's trusted cybersecurity partner, delivering comprehensive solutions from executive advisory to managed security services. We bridge the gap between boardroom strategy and operational excellence, enabling Australian and New Zealand businesses to stay compliant, resilient, and future-ready in an evolving threat landscape.