Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Notifiable Data Breaches for October – December 2018

The latest quarterly report from the Office of the Australian Information Commissioner (OAIC) shows 262 data breaches involving personal information were notified between October and December 2018.

Under the Notifiable Data Breaches scheme, organisations and agencies regulated under the Privacy Act must notify individuals and the OAIC when data breaches are likely to result in serious harm.

The leading cause of notifiable data breaches in the December quarter was malicious or criminal attack (168 notifications), followed by human error (85 notifications) and system error (9 notifications).

Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks.

Australian Information Commissioner and Privacy Commissioner Angelene Falk reinforced the need for organisations and individuals to secure personal information by safeguarding credentials.

“Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information,” Ms Falk said.

“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.

“The OAIC works with the Australian Cyber Security Centre to provide prevention strategies for organisations, including regularly resetting and not reusing passwords.

“If a data breach occurs, early notification can help anyone who is affected take action to prevent harm.

“By changing passwords, checking your credit report, and looking out for scams using your personal information, you can help minimise the harm that can result from a data breach.”

Ms Falk said the OAIC continues to work with entities to promote compliance with the scheme, and can take regulatory action in cases of non-compliance with notification obligations.

The OAIC website has advice for individuals affected by a data breach, and prevention strategies for organisations developed with the Australian Cyber Security Centre.

The December quarter Notifiable Data Breaches report is available at oaic.gov.au/ndbreport

Key statistics

The Notifiable Data Breaches October - December 2018 report shows:

  • 262 data breaches were notified to affected individuals and the Office of the Australian Information Commissioner, compared to 245 the previous quarter:
    • 64% were attributed to malicious or criminal attacks, compared to 57% the previous quarter
    • 33% were attributed to human error, compared to 37% the previous quarter
    • 3% were attributed to system faults, compared to 6% the previous quarter
  • 60% involved the personal information of 100 or fewer individuals, compared to 63% the previous quarter
  • The top five sectors to report breaches were:
    • Private health service providers: 54
    • Finance: 40
    • Legal, accounting and management services: 23
    • Private education providers: 21
    • Mining and manufacturing: 12

Background

The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify affected individuals and the Australian Information Commissioner about ‘eligible data breaches’. These are breaches where:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  • it is likely to result in serious harm to one or more individuals
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

The scheme commenced on 22 February 2018. The OAIC publishes statistical information about notifications received under the scheme to raise awareness of the causes of data breaches, and to help business and government take proactive steps to avoid them.

The OAIC has produced a Data breach preparation and response guide for agencies and private sector organisations with obligations under the Privacy Act.