28 January 2026
As we mark World Data Privacy Day 2026, organisations across Australia and New Zealand face a sobering reality: the data that threat actors target has evolved far beyond traditional databases and email servers. Today's cybercriminals are exploiting newer, non-traditional forms of data that many businesses don't even realise they're generating, let alone protecting.
According to New Zealand's National Cyber Security Centre (NCSC), 2024 marked the highest number of data breach notifications since the Notifiable Data Breaches scheme commenced in 2018. Meanwhile, Australia's Office of the Australian Information Commissioner (OAIC) reported 595 data breach notifications between July and December 2024, a 15% increase from the previous six months. (https://www.ncsc.govt.nz and https://www.cyber.gov.au)
At Insicon Cyber, we're seeing firsthand how threat actors are shifting their focus to these emerging data types. Here's what trans-Tasman organisations need to understand about the hidden data now in the crosshairs.
The proliferation of Internet of Things (IoT) devices has created a massive, often unmonitored data surface. From smart building systems to industrial sensors and wearable devices, IoT endpoints now exceed 21 billion globally, and this figure is projected to continue rising.
OpenAI's November 2025 disclosure revealed how attackers breached their third-party analytics vendor Mixpanel, exposing customer names, emails and metadata. This wasn't a flaw in OpenAI's code but in the telemetry infrastructure around it.
Biometric authentication has become ubiquitous, from facial recognition on smartphones to fingerprint scanners at office buildings. While convenient, biometric data presents unique privacy challenges because, unlike passwords, you can't change your fingerprints or iris patterns if they're compromised.
Global privacy regulations around biometric data are tightening significantly in 2026. The EU's GDPR, India's DPDP Act and the expansion of Illinois' Biometric Information Privacy Act (BIPA) demonstrate how governments are ramping up enforcement.
A particularly insidious form of biometric data exploitation has emerged through AI voice cloning technology. While these tools were initially developed to create personal AI avatars for legitimate purposes, they can easily be weaponised to create convincing voice clones from any source material, whether it's a video recording, podcast, social media post or even a brief phone call.
The technology has become remarkably sophisticated and accessible. Modern AI voice cloning software can generate a convincing replica of someone's voice from just a few seconds of audio. Once created, these voice clones can be used to bypass voice authentication systems, conduct social engineering attacks or create deepfake audio for fraud and disinformation campaigns.
Unlike traditional biometric theft, voice cloning doesn't require a data breach to acquire the source material. Every video conference, podcast appearance, media interview or public presentation creates potential training data for malicious actors. The ubiquity of video content online means most executives, board members and key personnel have already inadvertently provided sufficient audio samples for their voices to be cloned.
Metadata describes the characteristics, context and ownership of other data. While often overlooked, metadata can be extraordinarily revealing. The 2024 AT&T breach exposed call and message metadata for 110 million customers, demonstrating that metadata alone constitutes a massive privacy violation.
Italy's June 2025 GDPR fine established a 21-day email metadata retention benchmark, formally treating metadata as personal data requiring the same protections as content itself.
The rapid adoption of artificial intelligence has created an insatiable demand for training data. Major technology companies are increasingly harvesting user information to fuel AI systems, often without explicit consent.
Meta announced in 2025 that it would use personal data from across its platforms to train AI systems. An noyb (the European Center for Digital Rights (styled as "noyb", from "none of your business")) survey found only 7% of users want Meta to use their data for AI training, yet the company proceeded by relying on 'legitimate interests' rather than explicit consent.
Australian research confirmed that adversaries are already poisoning AI training data, with approximately 25% of organisations reporting they had been victims of AI data poisoning in 2025.
The New Zealand NCSC noted that although high-profile data breaches of NZ organisations were limited in the past year, New Zealand customers were impacted by breaches of other organisations, including Qantas where thousands of records were stolen. Activity similar to the Scattered Spider group has been observed targeting IT helpdesks in New Zealand using social engineering techniques.
The 2025 Verizon Data Breach Investigations Report found that nearly 30% of breaches involved a third party, up sharply from the prior year. A SecurityScorecard survey revealed over 70% of organisations reported at least one third-party cybersecurity incident in the past year.
Information stealer malware has become one of the most prevalent threats facing Australian organisations. ASD's Australian Cyber Security Centre expanded its credential exposure notification process through the Cyber Hygiene Improvement Programs, sending 9,587 credential exposure events to approximately 220 organisations between November 2024 and June 2025.
These malware variants extract browser cookies, saved passwords, cryptocurrency wallets, session tokens and authentication credentials. Once harvested, this data is sold on dark web markets, where it can be purchased repeatedly by multiple threat actors for years.
The shift towards non-traditional data exploitation requires organisations across Australia and New Zealand to expand their security posture beyond conventional databases and file servers. Regulatory frameworks in both countries are evolving to address these emerging threats.
Australian organisations must navigate the Security of Critical Infrastructure (SOCI) Act, APRA CPS 234, Essential Eight Maturity Model and Australian Privacy Act requirements. New Zealand entities face similar obligations under the NZ Privacy Act 2020, NZ Information Security Manual and GCSB guidance.
World Data Privacy Day serves as an important reminder that data privacy is not a one-day consideration but a continuous commitment. The threat landscape has evolved dramatically, and organisations that fail to recognise and protect non-traditional data types leave themselves vulnerable to sophisticated attacks.
At Insicon Cyber, we provide comprehensive cybersecurity partnerships across Australia and New Zealand, from strategic advisory to 24/7 managed security operations. Our intelligence-driven, adaptive approach ensures your organisation stays protected against both current and emerging threats, including the exploitation of non-traditional data.
As the theme for Data Privacy Week 2026 reminds us: Take Control of Your Data. Understanding what data you generate, where it resides and how threat actors might exploit it is the first step towards meaningful protection.
Contact Insicon Cyber to discuss how our trans-Tasman expertise and comprehensive security solutions can help protect your traditional and non-traditional data assets against today's evolving threat landscape.
Our Board and Executive Tabletop exercises can incorporate Open Source Intelligence (OSINT) elements to reveal the digital footprint that your executives and VIPs have inadvertently created online. These paid consultancy sessions help organisations understand their exposure to voice cloning, deepfake and social engineering attacks by demonstrating exactly what threat actors can discover and exploit. Understanding your digital exposure is the first step towards meaningful protection.