A dozen organisations each week are coming forward to admit they've exposed customers' personal information, official statistics show.
At least 34,000 Australians were affected by 63 data breaches since it became mandatory in late February for most organisations to inform the privacy watchdog about breaches that could likely result in serious harm.
The Office of the Australian Information Commissioner said health service providers made up a quarter of all admissions while a significant proportion came from companies in legal, accounting, management and financial services.
Most of the exposed information related to contact information, such as names, addresses and phone numbers.
Three-in-ten cases involved financial details such as credit card or bank account numbers, while a quarter of cases involved data used to confirm identities such as driver licence and passport numbers.
Human error was to blame in half of all cases while malicious or criminal attacks were the cause 28 times.
University of Sydney IT network and security lecturer Ralph Holz said organisations need to think about who has access to information and whether they understood basic ways scammers try to get them to reveal customers' information.
Playing on people's desire not to be unhelpful or clueless, social engineering attacks can trick staff into handing information to the wrong person.
"Organisations should first have a very clear understanding of which staff should be able to access information and then ensure those people receive extra training," Dr Holz said.
"In the same way people know they shouldn't exchange money in a dark alleyway behind some building, they should also know that certain ways exist to get information out of them."
Most data breaches reported to the OAIC affected fewer than ten people but three incidents each affected between 10,000 and 99,999 people, the office said.
The latest report relates to notifications received between February 22 and March 31.
Under the old, voluntary scheme, just 114 breaches were reported in the year to June 2017.