Australia’s Notifiable Data Breaches scheme kicks into gear
Australia's Notifiable Data Breaches scheme reported 242 breaches this quarter. It's important for entities to maintain strong security & privacy protocols.
New data from the Office of the Information Commissioner (OAIC) has revealed that a total of 242 data breaches were reported in the second quarter of 2018 (April to June 2018), under the Notifiable Data Breaches (NDB) scheme.
The NDB scheme commenced on 22 February 2018, and requires entities subject to obligations under the Privacy Act 1988 (Cth) to report eligible data breaches. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, as well as private sector health service providers and credit providers.
The number of reported data breaches increased every month in the period, suggesting that more data breaches are being reported as organisations become more familiar with the requirements of the NDB scheme.
Scale and types of reported data breaches
More than half of the reported data breaches (61%) involved the personal information of 100 individuals or fewer, while 38% of the reported data breaches impacted between 1 and 10 individuals.
The most common types of personal information involved in the reported data breaches were contact information such as individuals’ home address, phone number or email address (involved in 89% of data breaches), followed by financial details such as bank account and credit card information (involved in 42% of data breaches) and identity information such as driver’s licence numbers and other government identifiers (involved in 39% of data breaches).
Causes of reported data breaches
The OAIC has identified malicious or criminal attacks as the largest cause of data breaches this quarter, accounting for 59% of the reported data breaches. Such attacks included phishing, malware, ransomware, brute-force attacks and the use of stolen credentials. Theft of paperwork and storage devices, for example USBs, was a significant source of malicious or criminal attacks.
Human error was the second largest cause of data breaches (accounting for more than a third of the reported data breaches) with the OAIC noting that many of the cyber incidents this quarter appear to have exploited vulnerabilities involving a human factor (such as opening phishing emails). Other examples of human error included sending personal information to the wrong recipient and unintended release or publication of personal information. Interestingly, data breaches involving human error tended to impact a larger number of people – for example, human error incidents involving the loss of storage devices affected an average of 1199 individuals per data breach, while failing to use the ‘blind carbon copy’ (BCC) function when sending group emails impacted an average of 571 individuals per data breach.
System faults only accounted for 5% of reported data breaches.
These figures show the continued importance for organisations of maintaining strong information security and privacy protocols and training staff to practise them, in addition to maintaining technical cyber defence capabilities. This could include organisations ensuring that:
- they take a ‘privacy by design’ approach to new projects such that privacy issues are addressed at every stage
- their Privacy Policy is up to date and
- they have a data breach response plan in place to contain and respond to data breaches quickly.