Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Preventing data breaches should be business as usual

The Office of the Australian Information Commissioner has been notified of 245 data breaches affecting personal information between July and September 2018, its latest report shows.

The quarterly statistics report on the Notifiable Data Breaches (NDB) scheme indicates 57 per cent of incidents were caused by malicious or criminal attack, and 37 per cent resulted from human error.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said training staff on how to identify and prevent privacy risks needs to be part of business as usual.

“Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them,” Ms Falk said.

“Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day.

“Our latest report shows 20 per cent of data breaches over the quarter occurred when personal information was sent to the wrong recipient, by email, mail, fax or other means.

“Importantly, we also need to be on the alert for suspicious emails or texts, with 20 per cent of all data breaches in the quarter attributed to phishing.

“Phishing is when an individual is contacted by email or text message by someone posing as a legitimate institution to lure them into providing passwords or personal information.

“This can result in their credentials – their username and password – being compromised and used to gain access to their system or network, if additional protections are not in place.”

The report can be found at

Key statistics

The Notifiable Data Breaches July–September 2018 report shows:

  • 245 data breaches were notified to affected individuals and the Office of the Australian Information Commissioner, compared to 242 the previous quarter
    • 57% were attributed to malicious or criminal attacks, compared to 59% the previous quarter
    • 37% were attributed to human error, compared to 36% the previous quarter
    • 6% were attributed to system faults, compared to 5% the previous quarter
  • 63% involved the personal information of 100 or fewer individuals, compared to 61% the previous quarter
  • The top five industry sectors to report breaches were:
    • Private health service providers: 45
    • Finance: 35
    • Legal, accounting and management services: 34
    • Private education providers: 16
    • Personal services: 13

Media contact: Sarah Harmelink         0407 663 968


The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify affected individuals and the Australian Information Commissioner about ‘eligible data breaches’. These are breaches where:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  • this is likely to result in serious harm to one or more individuals
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

The scheme commenced on 22 February 2018. The OAIC publishes quarterly statistical information about notifications received under the scheme to help the community, business and government understand its operation and the causes of data breaches.

Notifications to the OAIC from multiple entities relating to the same data breach are counted as a single notification in the report.

The OAIC has produced a Data breach preparation and response guide for agencies and private sector organisations with obligations under the Privacy Act. Guidance for individuals on what to do after a data breach notification is also available on our website at

About the OAIC

The OAIC is an independent statutory agency with a range of regulatory responsibilities and powers under the Privacy Act 1988 and Freedom of Information Act 1982. It is headed by Australian Information Commissioner and Privacy Commissioner, Angelene Falk.