We share our insights from the latest Notifiable Data Breaches Report (Report) released by the Office of the Australian Information Commissioner (OAIC). Our analysis uncovers key statistics shaping the data breach landscape.
Twice per year the OAIC reports on statistics and key learnings gathered from the eligible data breach notifications received under the Commonwealth Notifiable Data Breach Scheme (Scheme) during the previous 6 month period. The Report assists agencies and organisations (APP entities) which are subject to the Scheme to better understand current trends and privacy risks across the data breach landscape.
The latest Report covers notifications made to the OAIC from July 2023 – December 2023.
We summarise the key statistics identified in the latest Report, as well as some key takeaways for APP entities.
Key statistics
- Key sectors affected: The top 5 sectors to notify data breaches were health service providers, finance, insurance, retail and Australian Government.
- Number of notifications received: The OAIC received 483 eligible data breach notifications. This is a 19% increase from the January 2023 – June 2023 reporting period.
- Source of breaches: The sources of the reported breaches include:
- malicious or criminal attack (67%)
- human error (39%)
- system fault (3%)
In contrast with the other ‘top 5’ sectors, Australian Government agencies notified more data breaches caused by human error than those caused by malicious or criminal attacks.
- Cyber security incidents: 44% of all data breaches resulted from cyber security incidents such as phishing, compromised or stolen credentials, ransomware, hacking, malware and brute force attacks.
- Number of individuals affected: The majority of breaches (65%) affected 100 or fewer individuals. Breaches affecting between 1 and 10 individuals accounted for 44% of all notifications, similar to previous reporting periods. Cyber incidents were the leading cause of incidents which impacted a large number of individuals (i.e. breaches impacting more than 5,000 individuals).
Key issues
Some of the key privacy issues identified in the Report are extracted below.
Key takeaways
While the Report identifies health service providers, finance, insurance, retail, and the Australian Government as the sectors which are reporting the highest number of breaches currently, the Report has broad relevance for all APP entities.
The latest Report also contains important learnings for government agencies and universities in NSW which, since November 2023, have been subject to an equivalent NSW specific scheme and mandatory reporting obligations.
Key Tips:
- The OAIC expects APP entities to have established processes in place that enable compliance with the requirements of the Scheme.
- APP entities must have an established data breach response plan in place to enable effective and timely assessment and notification in accordance with their regulatory obligations.
- Finally, an individual who has been impacted by a breach should always be ‘front and centre’ of the response. Prompt notification enables individuals to take action and ultimately minimise the risk of harm.
In our experience, good data hygiene practices will always lie at the core of best practice when it comes to data breach readiness and response.
Compliance ‘basics’, such as developing and operationalising policies and procedures for data handling, implementing and testing your data breach response plan, and supplementing these steps with regular staff training can be fundamental to success in the event of a breach.
