Publication date: 28 February 2020

Download the print version

About this report

The Office of the Australian Information Commissioner (OAIC) publishes periodic statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 July 2019 to 31 December 2019.

Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same data breach. Notifications relating to the same data breach incident are counted as a single notification in this report.

The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected for statistical purposes. Source of breach categories are defined in the glossary at the end of this report.

Consistent with previous NDB statistical reports, notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

Executive summary

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. It applies to agencies and organisations who are covered by the Privacy Act 1988 and are required to take reasonable steps to secure personal information.

This is the first statistical report on the NDB scheme to cover a six-month period. It shows a 19 per cent increase in the number of data breaches reported to the Office of the Australian Information Commissioner (OAIC) between July and December 2019, compared to the first half of the year.

Initially, the OAIC published statistical reports every quarter to help identify any trends and improve awareness and understanding of data breach risks and prevention. The OAIC also published a Notifiable Data Breaches Scheme 12-month Insights Report in May 2019 which examined these trends and highlighted best practice approaches to preventing and responding to data breaches.

Now that the scheme is well established as an effective reporting mechanism, this six-monthly report will continue to track the leading causes and sources of data breaches. It will also highlight emerging issues and areas for ongoing attention by entities entrusted with protecting personal information.

Notifications
537
Up 19%
Malicious or criminal attack
64%
Up 2%
Human error
32%
Down 2%
System fault
4%
No change

Comparisons are to January to July 2019

Key findings for the July to December 2019 reporting period:

  • 537 breaches were notified under the scheme, up from 460 in the previous six months
  • Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 64 per cent of all notifications
  • Data breaches resulting from human error account for 32 percent of all breaches, down from 34 per cent in the last reporting period
  • The health sector is again the highest reporting sector, notifying 22 per cent of all breaches
  • Human error caused 43 per cent of data breaches in the health sector, compared to an average of 32 per cent across all notifications
  • Finance is the second highest reporting sector, notifying 14 per cent of all breaches
  • Most data breaches affected less than 100 individuals, in line with previous reporting periods
  • Contact information remains the most common type of personal information involved in a data breach.

What is an eligible data breach?

Under the NDB scheme, a data breach is an ‘eligible data breach’ where:

  • there is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
  • a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and
  • the entity has not been able to prevent the likelihood of serious harm through remedial action.

If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances.

If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable.

Chart 1 — Data breach notifications under the NDB scheme

Link to long text description follows.

Chart 1: Long text description

Notifications received July–December 2019

The number of NDBs reported to the OAIC between 1 July and 31 December 2019 increased by 19 per cent compared to the previous six months. The highest number of reported data breaches occurred in November 2019, with 106 notifications ― the most reported in any calendar month since the scheme began in February 2018.

Table 1 — Number of breaches reported under the NDB scheme
  Total number of notifications
Total received July to December 2019 537
Total received January to June 2019 460
Total received (2019) 997

Top industry sectors to notify breaches

Health service providers[1] (the health sector) reported 117 data breaches during the reporting period. This sector has consistently reported the most data breaches compared to other industry sectors since the start of the NDB scheme.

Table 2 — Top industry sectors by notifications
Top five industry sectors NDBs received Jul–Dec 2019
Health service providers 117
Finance (incl. superannuation)[2] 77
Education[3] 49
Legal, accounting & management services 40
Personal services[4] 23

Chart 2 — Number of breaches reported under the NDB scheme — All sectors

Link to long text description follows.

Chart 2: Long text description

Number of individuals affected by breaches — All sectors

Most NDBs in the period involved the personal information of 100 individuals or fewer (60 per cent of notified breaches). Breaches impacting between 1 and 10 individuals comprised 40 per cent of notifications.

Chart 3 — Number of individuals affected by breaches — All sectors

Link to long text description follows.

Note: Where bands are not shown (for example, 100,001 to 1,000,000), there were nil reports in the period. ‘Unknown’ includes notifications by entities whose investigations were ongoing at the time of this report.

For the bands 1,000,001 to 10,000,000 and 10,000,001 or more, these figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, not only individuals in Australia, as estimated by the notifying entities

Chart 3: Long text description

Notifying individuals affected by a breach

A key requirement of the NDB scheme is that entities experiencing an eligible data breach must provide affected individuals with a description of the data breach and the kind of information involved, along with recommendations about the steps that individuals should take in response to the breach.

The specific recommendations will depend on the entity’s functions and activities, the circumstances of the breach, and the kind of information that was involved. Recommendations should include practical steps that are easy for the individuals to take.

For example, where breaches involve sensitive personal information such as banking details or identity documents such as passports, driver licences or Medicare cards, appropriate recommendations may include requesting a new identity document or asking that an alert be placed on an account.

Across the reporting period, most entities reporting a data breach provided practical guidance to affected individuals, as required by the Privacy Act.

However, there have been instances where an initial notification did not meet the requirements of the NDB scheme because it did not include the details of the types of personal information that were compromised or provide practical steps that people could take in response.

In these cases, the OAIC asked the entity to re-issue the notification to include the practical advice required to help individuals reduce the risk of harm.

Kinds of personal information involved in breaches — All sectors

The majority of data breaches (77 per cent) notified under the scheme between July and December 2019 involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as passport number, driver licence number or other government identifiers. Almost a third of data breaches notified between July and December 2019 involved identity information.

Data breaches notified during the reporting period also involved individuals’ tax file numbers (TFNs) (15 per cent); financial details, such as bank account or credit card numbers (37 per cent); and health information (23 per cent). ‘Other sensitive information’ (7 per cent) refers to categories of sensitive information as set out in section 6 of the Privacy Act, other than health information as defined in section 6FA.

Chart 4 — Kinds of personal information involved in breaches — All sectors

Link to long text description follows.

Note: NDBs may involve one or more kinds of personal information.

Chart 4: Long text description

Source of breaches — All sectors

Malicious or criminal attacks were the largest source of data breaches notified to the OAIC between July and December 2019, accounting for 343 breaches. Malicious or criminal attacks are defined as attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.

Attacks included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat.

Human error remained a major source of breaches, accounting for 170 breaches, while system faults accounted for the remaining 24 breaches notified between July and December 2019.

Chart 5 — Source of data breaches — All sectors

Link to long text description follows.

Chart 5: Long text description

Malicious or criminal attack breaches — All sectors

Cyber incidents were the largest source of malicious and criminal attacks from July to December 2019. The OAIC received 230 notifications under this category, with phishing, malware, ransomware, brute-force attack and compromised or stolen credentials the main source of the data breaches.

Many cyber incidents in this reporting period appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords).

There was a substantial increase in the number of data breaches attributed to malicious or criminal attacks during the reporting period compared to the previous six months, including a rise in breaches attributed to cyber incidents from 192 to 230.

Theft of paperwork or storage devices was also a significant source of malicious or criminal attacks (40 notifications). Other sources included social engineering or impersonation (33 notifications) and actions taken by a rogue employee or insider threat (40 notifications).

Chart 6 — Breaches resulting from malicious or criminal attacks — All sectors

Link to long text description follows.

Chart 6: Long text description

Chart 7 — Malicious or criminal attacks — All sectors

Link to long text description follows.

Chart 7: Long text description

Cyber incident breaches — All sectors

The majority of cyber incidents during the reporting period were linked to the compromise of credentials through phishing (83 notifications), malware (24 notifications) and brute-force attack (14 notifications). In many of these incidents the malicious actor gained access to personal information stored in email accounts.

However, in a significant number of cyber incidents (74 notifications) the entity experiencing the breach was unable to identify how the malicious actor obtained the compromised credentials.

Nevertheless, many breaches resulting from cyber incidents still included a human element, given the malicious actor often required their target to do something, such as respond to a password request that claimed to be from a legitimate source or service provider.

Chart 8 — Cyber incident breakdown —All sectors

Link to long text description follows.

Chart 8: Long text description

Use of email inboxes for primary storage of information

The compromise of account credentials via phishing emails remains one of the most common causes of data breaches across the reporting period, accounting for 15 per cent of all breaches. A further 14 per cent of all data breaches were attributed to compromised or stolen credentials, which often provided a malicious actor with direct access to personal information stored in the compromised email account.

In a number of these instances the malicious actor gained access to thousands ― and in some cases tens of thousands ― of stored emails. These frequently contained a significant amount of personal information from a large number of individuals, including sensitive information such as financial and bank account details, tax file numbers and health information.

The malicious actors were then able to exploit this access in two ways:

  • using the compromised email account to conduct further phishing campaigns or targeted business email compromise attacks against other individuals or businesses, including individuals whose contact details were stored within the email account
  • exploiting the personal information contained within the account for targeted spear phishing attacks against specific individuals or to carry out identity fraud.

In this context, the use of email applications and services for the primary storage of significant quantities of personal information makes it easier for malicious actors to gain access to sensitive personal information that can be exploited for criminal gain.

In these instances, further access to an entity’s network or servers is not needed because sensitive personal information is directly accessible from the email account. This can also make it difficult for a forensic investigation of the breach to determine the full extent of the information that was compromised where the email account lacks audit and access logging.

Human error breaches — All sectors

The second largest source of data breaches was human error (32 per cent of all data breaches), with examples including sending personal information to the wrong recipient via email (29 per cent of data breaches resulting from human error), unintended release or publication of personal information (24 per cent) and the loss of paperwork or data storage device (11 per cent).

However, certain kinds of breaches can affect larger numbers of people. For example, in this reporting period personal information being sent by email to incorrect recipients impacted the largest numbers of people in this data breach category, with an average of 340 affected individuals per breach. Failure to use the ‘blind carbon copy’ (BCC) function when sending group emails impacted an average of 303 people per breach.

Chart 9 — Human error breakdown — All sectors

Link to long text description follows.

Chart 9: Long text description

Table 3 — Human error breakdown by average number of affected individuals — All sectors
Kinds of personal information No. of NDBs received Jul―Dec 2019 Average no. of affected individuals
Loss of paperwork/data storage device 18 57
Failure to use BCC when sending email 11 303
Unauthorised disclosure (failure to redact) 10 8
Unauthorised disclosure (unintended release or publication) 40 831
Unauthorised disclosure (verbal) 10 1
Insecure disposal 4 1,574
PI sent to wrong recipient (email) 49 340
PI sent to wrong recipient (mail) 12 1
PI sent to wrong recipient (other) 12 14
PI sent to wrong recipient (fax) 4 5

System fault breaches — All sectors

System faults accounted for four per cent of data breaches this reporting period. Unintended access to personal information as a result of a system fault caused 11 data breaches, while unintended release or publication of personal information as a result of a system fault caused 13 data breaches.

System fault breaches included data breaches that occurred as a result of a business or technology process error. During the reporting period, system fault data breaches were predominantly due to either coding errors in web-facing applications which resulted in the unintended release or publication of personal information, or a failure to securely configure web-facing applications which potentially exposed personal information on the internet.

Chart 10 — System fault breakdown — All sectors

Link to long text description follows.

Chart 10: Long text description

Comparison of top five industry sectors

This section compares notifications made under the NDB scheme by the five industry sectors that made the most notifications in the reporting period (top five industry sectors).

From July to December 2019, health service providers reported 117 data breaches, or 22 per cent of all data breaches in the period. A health service provider generally includes any private sector entity that provides a health service within the meaning of s 6FB of the Privacy Act, regardless of annual turnover. State or territory public hospitals and health services are generally not covered — they are bound by state and territory privacy laws, as applicable.

The second largest source of NDBs was the finance sector (14 per cent), followed by education (9 per cent), legal, accounting and management services (7 per cent), and personal services (4 per cent). Personal services include employment, training and recruitment agencies, childcare centres, vets and community services.

Source of breaches — Top five industry sectors

Malicious or criminal attacks caused 54 per cent of data breaches reported by the health sector (63 notifications), while 43 per cent resulted from human error (51 notifications).

Notifications from the finance sector indicated that 52 per cent of data breaches resulted from malicious or criminal attacks (40 notifications), and 40 per cent from human error (30 notifications). The proportion of data breaches resulting from human error in both the health and finance sectors was higher than the average across all notifications (32%). Four of the top five sectors notified at least one breach resulting from a system fault.

Chart 11 — Source of data breaches — Top five industry sectors

Link to long text description follows.

Chart 11: Long text description

Transmission of personal information

From July to December 2019, almost a third of all data breaches reported related to breaches caused by human error (170 notifications). This included 49 incidents where personal information was emailed to the wrong recipient, and 18 involving the loss of paperwork or data storage devices such as phones, laptops and USB drives.

Email is an important method of communication between individuals and businesses. However, given that nearly 10 per cent of all data breaches reported to the OAIC from July to December 2019 resulted from personal information being emailed to the wrong person, the use of email for the transmission of personal information carries risks.

This is particularly the case when email is used for the transmission of sensitive personal information such as bank account or credit card details, identifying documents (passport or driver licence details), tax file numbers, health and medical information, or other information which could lead to a risk of serious harm if disclosed to the wrong individual.

All entities who handle, store, or transmit sensitive personal information should consider how to protect personal information during every stage of its life cycle, including by considering whether it is necessary to transmit personal information in order to carry out their functions or activities.

Entities are also responsible for planning how to handle personal information by embedding privacy protections into the design of information handling practices. This may include:

  • automated ‘warnings’ requiring the author of an email to confirm the address of the recipient before a message is sent
  • deleting emails containing personal or sensitive information from both the inbox and sent box and storing relevant documents in a secure document management system
  • password protecting or encrypting documents containing sensitive information which are sent via email.

Some entities use postal or courier services to send sensitive information to individuals, including material stored on portable media such as USB drives. Given the risk of loss in transit or incorrect delivery, entities using postal or courier services should also consider additional security protections, such as encrypted or password-protected portable media storage.

Malicious or criminal attack breaches — Top five industry sectors

Chart 12 — Malicious or criminal attacks breakdown — Top five industry sectors

Link to long text description follows.

Chart 12: Long text description

Cyber incident breaches — Top five industry sectors

Similar to the overall trend, a majority of cyber incidents reported by the top five industry sectors between July and December 2019 were linked to phishing or compromised credentials. This trend was strongest in the finance sector where these attacks accounted for 94 per cent of all data breaches attributed to cyber incidents.

Chart 13 — Cyber incident breakdown — Top five industry sectors

Link to long text description follows.

Chart 13: Long text description

Human error breaches — Top five industry sectors

Chart 14 — Human error breakdown — Top five industry sectors

Link to long text description follows.

Chart 14: Long text description

System fault breaches

This chart breaks down the kinds of breaches identified as ‘system fault’ breaches by the top five industry sectors in the reporting period.

Chart 15 — System fault breakdown — Top five industry sectors

Link to long text description follows.

Chart 15: Long text description

Glossary

Breach categories

TermDefinition
Human error An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient.
PI sent to wrong recipient (email) Personal information sent to the wrong recipient via email, for example, as a result of misaddressed email or incorrect address on file.
PI sent to wrong recipient (fax) Personal information sent to the wrong recipient via facsimile machine, for example, as a result of fax number incorrectly entered or wrong fax number on file.
PI sent to wrong recipient (mail) Personal information sent to the wrong recipient via postal mail, for example, as a result of a transcribing error or wrong address on files.
PI sent to wrong recipient (other) Personal information sent to the wrong recipient via channels other than email, fax or mail, for example, delivery by hand or uploading to web portal.
Failure to use BCC when sending email Sending an email to a group by including all recipient emails addresses in the ‘To’ field, thereby disclosing all recipient email address to all recipients.
Insecure disposal Disposing of personal information in a manner that could lead to its unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin.
Loss of paperwork/data storage device Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on a bus.
Unauthorised disclosure (failure to redact) Failure to effectively remove or de-identify personal information from a record before disclosing it.
Unauthorised disclosure (verbal) Disclosing personal information verbally without authorisation, for example, calling it out in a waiting room.
Unauthorised disclosure (unintended release or publication) Unauthorised disclosure of personal information in a written format, including paper documents or online.
Malicious or criminal attack A malicious or criminal attack deliberately crafted to exploit known vulnerabilities for financial or other gain.
Theft of paperwork or data storage device Theft of paperwork or data storage device
Social engineering/impersonation An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.
Rogue employee/insider threat An attack by an employee or insider acting against the interests of their employer or other entity.
Cyber incident A cyber incident targets computer information systems, infrastructures, computer networks or personal computer devices.
Malware Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
Ransomware A type of malicious software designed to block access to data or a computer system until a sum of money is paid or other conditions are met.
Phishing (compromised credentials) An attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords.
Brute-force attack (compromised credentials) Automated software is used to generate a large number of consecutive guesses as to the value of the desired data, for example passwords.
Compromised or stolen credentials (method unknown) Credentials are compromised or stolen by methods unknown.
Hacking (other means) Exploiting a software or security weakness to gain access to a system or network, other than by way of phishing, brute-force attack or malware.
System fault A business or technology process error not caused by direct human error.

Other terminology used in this report and in the NDB Form[5]

Term Definition/ examples
Financial details Information relating to an individual’s finances, for example, bank account or credit card numbers.
Tax File Number (TFN) An individual’s personal reference number in the tax and superannuation systems, issued by the Australian Taxation Office.
Identity information Information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier.
Contact information Information that is used to contact an individual, for example, home address, phone number or email address.
Health information As defined in section 6 of the Privacy Act. 
Other sensitive information Sensitive information, other than health information, as defined in section 6 of the Privacy Act. For example, sexual orientation, political or religious views.

Long text descriptions

Chart 1 — Data breach notifications under the NDB scheme

Chart 1 is a line graph showing the number of notifications by month, from March 2018 to December 2019.

Month Number of notifications
March 2018 55
April 2018 65
May 2018 87
May 2018 87
June 2018 90
July 2018 81
August 2018 88
September 2018 76
October 2018 91
November 2018 88
December 2018 83
January 2019 62
February 2019 67
March 2019 86
April 2019 78
May 2019 83
June 2019 84
July 2019 87
August 2019 90
September 2019 70
October 2019 97
November 2019 106
December 2019 87

Back to Chart 1

Chart 2 — Number of breaches reported under the NDB scheme — All sectors

Chart 2 is a stacked column chart showing number of notifications by month, from July 2019 to December 2019. Each column is broken down by malicious or criminal attack, human error or system fault, but figures are not specified for the breakdown.

Month Number of notifications
July 87
August 90
September 70
October 97
November 106
December 87

Back to Chart 2

Chart 3 — Number of individuals affected by breaches — All sectors

Chart 3 is a column chart showing the number of affected individuals. Where bands are not shown (for example, 250,001 to 1,000,000), there were nil reports in the period. ‘Unknown’ includes notifications by entities whose investigations were ongoing at the time of this report.

For the bands 1,000,001 to 10,000,000 and 10,000,001 or more, these figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, not only individuals in Australia, as estimated by the notifying entities.

Table is displayed from smallest to biggest number of affected individuals.

Number of affected individuals Number of notifications
1 132
2 to 10 85
11 to 100   103
101 to 1,000 121
1,001 to 5,000 41
5,001 to 10,000  11
10,001 to 25,000 12
25,001 to 50,000  5
50,001 to 100,000 4
100,001 to 250,000 2
1,000,001 to 10,000,000 2
10,000,001 or more   1
Unknown 18

Back to Chart 3

Chart 4 — Kinds of personal information involved in breaches — All sectors

Chart 4 is a column chart showing the number of notifications of each kind of personal information involved in breaches. Table is displayed from most to least notifications.

Personal information type Number of notificationsPercentage
Contact information 411 77%
Financial details 198 37%
Identity Information 162 30%
Health information 125 23%
TFN 83 15%
Other sensitive information 38 7%

Back to Chart 4

Chart 5 — Source of data breaches — All sectors

Chart 5 is a doughnut chart showing the source of data breaches, displayed from most to least notifications.

Source of data breachPercentage
Malicious or criminal attack 64%
Human error 32%
System fault 4%

Back to Chart 5

Chart 6 — Breaches resulting from malicious or criminal attacks — All sectors

Chart 6 is a line graph comparing cyber attacks against malicious or criminal attacks (including cyber) over the first half and second half of 2019.

Reporting period Malicious or criminal attacks (including cyber) Cyber attacks
January–June 2019 282 192
July–December 2019 343 230

Back to Chart 6

Chart 7 — Malicious or criminal attacks — All sectors

Chart 7 is a doughnut chart showing the percentage of notifications of of each kind of malicious or criminal attack.

Malicious or criminal attack typePercentage
Cyber incident 67%
Rogue employee / insider threat 12%
Social engineering / impersonation 9%
Theft of paperwork or data storage device 12%

Back to Chart 7

Chart 8 — Cyber incident breakdown —All sectors

Chart 8 is a doughnut chart showing the percentage of notifications of each type of cyber incident, displayed from most to least notifications.

Cyber incident typePercentage
Phishing (compromised credentials) 36%
Compromised or stolen credentials (method unknown) 32%
Malware 10%
Ransomware 6%
Brute-force attack (compromised credentials) 6%
Hacking 6%
Other 4%

Back to Chart 8

Chart 9 — Human error breakdown — All sectors

Chart 9 is a column chart showing the number of notifications of each type of human error, displayed from most to least notifications.

Human error type Number of notifications
PI sent to wrong recipient (email) 49
Unauthorised disclosure (unintended release or publication) 40
Loss of paperwork / data storage device 18
PI sent to wrong recipient (other) 12
PI sent to wrong recipient (mail) 12
Failure to use BCC when sending email 11
Unauthorised disclosure (verbal) 10
Unauthorised disclosure (failure to redact) 10
PI sent to wrong recipient (fax) 4
Insecure disposal 4

Back to Chart 9

Chart 10 — System fault breakdown — All sectors

Chart 10 is a column chart showing the number of notifications of each type of system fault, displayed from most to least notifications.

System fault type Number of notifications
Unintended release or publication 13
Unintended access 11

Back to Chart 10

Chart 11 — Source of data breaches — Top five industry sectors

Chart 11 is a clustered column chart, showing the source of data breaches by the top five industry sectors.

Source of data breach Health service providersFinance Legal, accounting & management servicesEducation Personal services
Malicious or criminal attack 63 40 30 30 14
Human error 51 30 10 16 8
System fault 3 7 0 3 1
Total 117 77 40 49 23

Back to Chart 11

Chart 12 — Malicious or criminal attacks breakdown — Top five industry sectors

Chart 12 is a panel chart showing the type of malicious or criminal attack by top five industry sectors, displayed from most to least total notifications.

Malicious or criminal attack type Health service providersFinanceEducation Legal, accounting & management services Personal services
Cyber incident 37 18 19 26 8
Theft of paperwork or data storage device 12 5 8 2 5
Rogue employee / insider threat 12 11 2 0 1
Social engineering / impersonation 2 6 1 2 0
Total 63 40 30 30 14

Back to Chart 12

Chart 13 — Cyber incident breakdown — Top five industry sectors

Chart 13 is a panel chart showing the type of cyber incident by top five industry sectors, displayed from most to least total notifications.

Cyber incident Health service providers Legal, accounting & management servicesEducationFinance Personal services
Phishing (compromised credentials) 17 8 4 11 5
Compromised or stolen credentials (unknown) 6 10 12 6 0
Malware 5 1 1 1 0
Ransomware 8 3 1 0 0
Hacking 0 2 0 0 2
Brute-force atttack (compromised credentials) 1 1 1 0 1
Total 37 26 19 18 8

Back to Chart 13

Chart 14 — Human error breakdown — Top five industry sectors

Chart 14 is a panel chart showing the type of human error by top five industry sectors, displayed from most to least total notifications.

Human error type Health service providersFinanceEducation Legal, accounting & management services Personal services
Wrong recipient (email) 12 9 4 6 3
Unauthorised disclosure (unintended release) 6 9 5 1 3
Paperwork / device loss 6 2 3 1 0
Wrong recipient (other) 8 1 1 1 0
Email BCC failure 6 1 1 0 1
Unauthorised disclosure (failure to redact) 4 3 1 0 0
Unauthorised disclosure (verbal) 0 5 0 0 1
Wrong recipient (mail) 4 0 0 1 0
Wrong recipient (fax) 4 0 0 0 0
Insecure disposal 1 0 1 0 0
Total 51 30 16 10 8

Back to Chart 14

Chart 15 — System fault breakdown — Top five industry sectors

Chart 15 is a clustered column chart showing the type of system fault by top five industry sectors, displayed from most to least total notifications.

System fault typeFinanceEducation Health service providers Personal services Legal, accounting & management services
Unintended access 4 2 0 0 0
Unintended release or publication 3 1 3 1 0
Total 7 3 3 1 0

Back to Chart 15

Footnotes

[1] A health service provider generally includes any private sector entity that provides a health service within the meaning of s 6FB of the Privacy Act, regardless of annual turnover. State or Territory public hospitals and health services are generally not covered — they are bound by State and Territory privacy laws, as applicable. Notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

[2] This sector includes banks, wealth managers, financial advisors, superannuation funds and consumer credit providers (regardless of annual turnover).

[3] This sector includes private education providers only, as APP entities. Public sector education providers are bound by State and Territory privacy laws, as applicable.

[4] This sector includes employment, training and recruitment agencies, childcare centres, vets and community services.

[5] OAIC’s Notifiable Data Breach Form