On 31 July 2018, the Office of the Australian Information Commissioner (OAIC) released its Quarterly Statistics Report (Report) on notifiable data breaches from 1 April to 30 June 2018. This report captures notifications received by the OAIC under the Mandatory Data Breach Notification Scheme (MDBN), which came into effect on 22 February 2018. For further information on the scheme, please see our February edition of LegalBytes.

The Report reveals OAIC received 242 notifications last quarter. The largest segment of breaches (59%) were caused by malicious or criminal attacks, which includes breaches caused through phishing software, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means. It also includes theft of paperwork or storage devices. The second largest segment was human error at 36%. Notably, many malicious or criminal breaches originated via exploiting human factors (i.e., individuals clicking on phishing emails or disclosing their passwords to criminals, presumably accidentally). Only 5% of breaches were caused by system faults.

Of all industry sectors, health service providers experienced the highest number of data breaches at 49 incidents. However, the report notes that notifications made under the My Health Records Act 2012 were not included in the report as they are subject to specific notification requirements, so health-related data breaches may in fact be even higher than shown in the Report. The financial sector received the second largest number of data breaches, at 36 breaches.

Total notifications under the MDBN is now at 305.

A copy of the Report is available here.