In just six weeks, there were 63 data breach notifications to the Office of the Australian Information Commissioner since the Notifiable Data Breaches scheme came into force in February this year.
The OAIC’s first NDB report, published today, also included 114 earlier breaches from the 2016-17 financial year that were voluntarily provided.
The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said the reports will, over time, support improved understanding of the trends in data breaches (where eligible for reporting) and promote proactive approach to addressing security risks.
“A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.
“Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.
“This highlights the importance of implementing robust privacy governance alongside a high-standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.”
Key statistics from the first quarterly report include:
- Top five sectors that notified the OAIC of eligible data breaches included health service providers (24% of notifications), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%).
- 78% of eligible data breaches were reported to involve individual’s contact information. 33% were reported to involve health information and 30% to involve financial details.
- 51% of the eligible data breach notifications received indicated that the cause of the breach was human error. 44% of breaches were reported to be the result of malicious or criminal attack, and 3% the result of system faults.
- 59% of data breach notifications reported that the personal information of between one and nine individuals was affected. 90% of data breach notifications related to breaches involving the personal information of less than 1000 individuals.