About this report
The Office of the Australian Information Commissioner (OAIC) periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 July to 31 December 2020.
Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same breach. Notifications relating to the same incident are counted as a single notification in this report.
The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected. Source of breach categories are defined in the glossary at the end of this report.
As with previous reports, notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.
NDB scheme statistics in this report are current as of 8 January 2021. However, a number of notifications included in these statistics are still under assessment and their status and categorisation are subject to change. This may affect statistics for the period July to December 2020 that are published in future reports. Similarly, there may have been adjustments to statistics in previous NDB reports because of changes to the status or categorisation of individual notifications after publication. As a result, references to statistics from before July 2020 in this report may differ from references in earlier published reports.
Executive summary
The NDB scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading sources of data breaches, and to highlight emerging issues and areas for ongoing attention by regulated entities.
Comparisons are to the period from 1 January to 30 June 2020.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Key findings for the July to December 2020 reporting period:
- 539 breaches were notified under the scheme, an increase of 5% from the 512 notifications received from January to June 2020.
- Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58% of notifications.
- Data breaches resulting from human error accounted for 38% of notifications, up 18% from 173 notifications to 204.
- The health sector remains the highest reporting industry sector, notifying 23% of all breaches, followed by finance, which notified 15% of all breaches.
- The Australian Government entered the top 5 industry sectors to notify data breaches for the first time, notifying 6% of all breaches.
- 68% of data breaches affected 100 individuals or fewer.
- 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
Chart 1 - Data breach notifications under the NDB scheme
Notifications received July to December 2020
The OAIC received 539 notifications this reporting period. This is a 5% increase compared to the previous 6 months and a 2% increase compared to the same period in 2019.
There was significant variation in the number of notifications received each month of the reporting period. The OAIC received 62 notifications in November – the second lowest monthly total since the NDB scheme commenced in February 2018 – but more than 100 notifications in July, August and September.
This reporting period saw continuation of the trend towards a greater proportion of data breaches attributed to human error. Data breaches resulting from human error accounted for 38% of all notifications, compared to 34% the previous 6 months and 32% in the same period in 2019.
Table 1 – Notifications received in 2020 under the NDB scheme
Reporting period | Total no. of notifications |
|---|---|
July to December 2020 | 539 |
January to June 2020 | 512 |
Total no. of notifications received in 2020 | 1,051 |
Top industry sectors to notify breaches
Health service providers[1] have consistently reported the most data breaches compared to other industry sectors since the NDB scheme began. The Australian Government[2] entered the top reporting industry sectors for the first time, replacing the insurance sector.
Table 2 – Top 5 industry sectors by notifications
Industry sector | Total no. of notifications |
|---|---|
Health service providers | 123 |
Finance (incl. superannuation)[3] | 80 |
Education[4] | 40 |
Legal, accounting & management services | 38 |
Australian Government | 33 |
Chart 2 – Number of breaches reported under the NDB scheme – All sectors
The impact of remote working arrangements resulting from COVID-19 restrictions
In early 2020, businesses across Australia introduced remote working arrangements in response to the COVID-19 pandemic. The OAIC has highlighted the privacy risks arising from these arrangements, recommending that entities consider undertaking privacy impact assessments to screen for unexpected privacy issues and to help mitigate any privacy risks associated with remote working arrangements.
Across the reporting period, the OAIC has closely monitored trends in NDB scheme notifications for any indications that remote working arrangements have either increased the risk of data breaches or impacted the capacity of notifying entities to meet their obligations under the Privacy Act.
Considering the public reporting on the increase in both COVID-19-themed fraud and the vulnerability of entities with remote working arrangements to cyber security incidents, it is noteworthy that there has only been a modest increase of 5% in the total number of notifications compared to the previous reporting period.
However, it is also notable that data breaches resulting from human error have significantly increased, both in terms of the total number received – up 18% – and proportionally – up from 34% to 38% of all notifications. While it is possible that this increase is linked to changed business and information handling practices resulting from remote working arrangements, the OAIC is yet to identify any information or incidents that conclusively prove a link.
Data breaches attributed to malicious or criminal attacks, including cyber incidents, have decreased both in terms of the total number received and proportionally, albeit only slightly. Breaches attributed to cyber security incidents decreased from 218 last reporting period to 212. This represents a decrease of 3%, roughly in line with the previous 6-monthly comparison.
This downward trend, particularly in relation to data breaches arising from cyber incidents, followed the Australian Cyber Security Centre’s 2019-20 Annual Cyber Threat Report highlighting an increase in reported spear phishing campaigns and COVID-19-themed malicious cyber activity during the pandemic. However, not all cyber security incidents reported to the Australian Cyber Security Centre constitute eligible data breaches under the NDB scheme.
The OAIC considers that more data and analysis are required before a view can be developed on the impact of remote working arrangements on the capacity of entities to securely manage personal information.
Number of individuals affected by breaches – All sectors
As with previous reporting periods, the majority of eligible data breaches (68%) involved the personal information of 100 individuals or fewer. Breaches affecting 10 individuals or fewer comprised 47% of notifications.
Chart 3 – Number of individuals affected by breaches – All sectors
Chart 3: Long text description
Note: ‘Unknown’ includes notifications by entities with ongoing investigations at the time of this report.
These figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, as estimated by the notifying entities.
Data breaches involving managed service providers
The OAIC received a number of notifications during the reporting period that involved a managed service provider (MSP) hosting or holding data on behalf of one or more other entities.
As outlined in the OAIC’s Data breach preparation and response guide, the NDB scheme recognises that entities often hold[5] personal information jointly. An entity may collect personal information and retain legal control or ownership of the information, while an MSP may physically possess the information.
In these circumstances, an eligible data breach of one entity is considered an eligible data breach of other entities that hold the affected information. All have obligations under the NDB scheme.[6] In general, compliance by one entity will be taken as compliance by each of the entities that hold the information. As such, only one entity needs to take the steps required by the NDB scheme. The NDB scheme leaves it up to the entities to decide which of them should do so.
The OAIC has seen different responses by entities involved in multi-party breaches. In several instances, the MSP managed all aspects of the data breach response in consultation with its clients and coordinated the notification to the OAIC and individuals affected by the data breach.
In some other cases, MSPs notified their clients of the data breach but otherwise left to them the responsibility for meeting the assessment and notification requirements of the NDB scheme. This approach broadly corresponds with OAIC guidance that suggests the entity with the most direct relationship with the individuals affected by the data breach should generally carry out the notification. However, it is not without risk and may result in entities falling short of their obligations under the NDB scheme.
For example, the OAIC received notifications from multiple entities that experienced a data breach resulting from a single compromise of an MSP they all used. However, the OAIC had grounds to believe the compromise had also affected several other entities that did not notify the OAIC of the data breach. Here, both the MSP and the MSP’s clients that did not notify the OAIC may have failed to meet their obligations under the Privacy Act.
A failure by both the MSP and its clients to notify the OAIC and individuals at risk of serious harm from a data breach will represent a breach of the provisions of Part IIIC of the Privacy Act, and will likely constitute an interference with privacy by all.
Kinds of personal information involved in breaches – All sectors
Most data breaches (91%) notified under the NDB scheme from July to December 2020 involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as a passport number or driver’s licence number. Identity information was exposed in 45% of data breaches notified during the period.
Data breaches notified in the period also involved financial details, such as bank account or credit card numbers (40%), health information (26%) and tax file numbers (18%). ‘Other sensitive information’ (9%) refers to categories of sensitive information as set out in section 6 of the Privacy Act, other than health information as defined in section 6FA.
Chart 4 – Kinds of personal information involved in breaches – All sectors
Chart 4: Long text description
Note: Eligible data breaches may involve more than one kind of personal information.
* For breaches listed against this category, the notifying entity was still conducting its assessment of the breach, including which categories of personal information had been disclosed or accessed, at the time it notified the OAIC.
The importance of timely assessment and notification
The OAIC has seen significant variation in the time taken by entities to identify, assess and investigate breaches and then notify affected individuals.
Most entities took all reasonable steps to conduct an assessment of the incident suspected to be an eligible data breach within 30 days – as required by section 26WH of the Privacy Act – and then moved promptly to notify both the OAIC and affected individuals. An example of good practice is provided later in this report.
However, increasingly the OAIC is seeing instances of organisations taking much longer than 30 days to complete their assessments, with further significant delays before they notify affected individuals. Additional time taken to assess a breach must be reasonable and justified in the circumstances, with notification to individuals to occur as soon as practicable.
Some data breaches are complex and may affect entire networks or enterprise environments. In certain instances, it may take the affected entity a significant amount of time to identify the extent of the data breach and all affected individuals.
The Privacy Act is clear that an entity responding to a data breach should not only take all reasonable steps to complete its assessment of whether an incident constituted an eligible data breach within 30 days, but also notify the OAIC and affected individuals as soon as practicable after confirming that there are reasonable grounds to believe an eligible data breach occurred.
Section 26WL(2) of the Privacy Act provides 3 ways by which individuals affected by a data breach may be notified. An entity may notify each individual whose personal information has been involved in the eligible data breach, or notify only individuals who are at risk of serious harm. If neither of these options are practicable, an entity may publish a statement on the eligible data breach on its website and publicise the statement.
In determining the appropriate course, entities should have regard to the need to conduct a thorough assessment, the need to provide information that assists individuals to mitigate harm and the need to provide timely notification to affected individuals.
Unnecessarily delayed notifications undermine the NDB scheme by denying affected individuals the ability to take timely steps to protect themselves from harm.
Time taken to identify breaches – All sectors
As part of complying with Australian Privacy Principle 11, entities should take reasonable steps to ensure that data breaches can be detected in a timely manner.
The figures in this section relate to the time between an incident occurring and the entity becoming aware of it. They do not relate to the time taken by the entity to assess whether an incident qualified as an eligible data breach.[7]
For 75% of notifications, entities identified that an incident that may constitute an eligible data breach had occurred within 30 days of it taking place.
Chart 5 – Days taken to identify breaches – All sectors
Chart 5: Long text description
Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
The time taken to identify a data breach varied significantly depending on the source of the breach. For human error breaches, 84% of entities identified the incident within 30 days of it occurring. However, only 56% of entities identified an incident resulting from a system fault within 30 days.
Chart 6 – Days taken to identify breaches by source of breach – All sectors
Chart 6: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Time taken to notify the OAIC of breaches – All sectors
A key objective of the NDB scheme is to ensure that an entity that experiences a data breach provides timely notification to individuals at risk of serious harm from the breach. Delays in assessment and notification reduce the opportunities that individuals have to take steps to prevent harm resulting from a data breach.
The figures in this section relate to the time between when an entity became aware of an incident and when they notified the OAIC. They do not relate to the time between when the entity determined the incident to be an eligible data breach and when they notified the OAIC.[8]
From July to December 2020, 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach. However, 23 entities took longer than 120 days after they became aware of an incident to notify the OAIC. In a number of instances, individuals were notified at the same time as or shortly after the OAIC. However, in others, individuals were notified some time after the OAIC.
Chart 7 – Days taken to notify the OAIC of breaches – All sectors
Chart 7: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
The source of the breach influenced the time entities took to notify the OAIC after the incident was identified. In the case of human error breaches, 86% of entities notified the OAIC within 30 days of identifying the breach.
However, this figure dropped to 74% for data breaches that resulted from malicious or criminal attacks, and 64% for breaches that resulted from system faults.
Chart 8 – Days taken to notify the OAIC of breaches by source of breach – All sectors
Chart 8: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Requirements for notifications to individuals
During the reporting period, there were multiple instances where entities’ notifications to individuals were deficient. In these instances, the OAIC required that the notifications be revised and reissued.
Entities must provide the following information to the OAIC as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an eligible data breach:
- the identity of the entity and their contact details
- a description of the eligible data breach
- the kind or kinds of information involved in the data breach
- recommendations about the steps that individuals should take in response.
The entity must also provide a notification to individuals affected by the breach that reflects the content of the statement provided to the OAIC, and it must do so as soon as practicable. These requirements ensure individuals affected by a data breach can make informed decisions about how to best mitigate harm.
The OAIC has identified instances where entities have provided individuals affected by a data breach with relatively generic advice that their ‘personal details’ may have been exposed. In these instances, the entities did not clarify the kind or kinds of information involved in the data breaches, which included bank account details, credit card details, tax file numbers, Medicare numbers and identity numbers.
The OAIC required these entities to send an updated notification to the affected individuals that:
- specified all the kinds of personal information involved in the data breach
- included corresponding recommendations about the steps individuals should take in response to the breach.
In other instances, notifying entities did not provide affected individuals with sufficient information regarding the data breach to understand the risk arising from it.
For example, an entity notified the OAIC of a data breach caused by social engineering where a staff member of the entity was deceived by a malicious actor into disclosing personal information about other individuals. However, the entity only advised individuals affected by the data breach that it involved a disclosure of their personal information to an ‘unintended recipient’. In response to the OAIC’s inquiries, the entity acknowledged that it had incorrectly paraphrased the description of the eligible data breach and reissued the notification to clarify that it involved a malicious actor.
Examples such as these may not only fall short of reporting obligations but also adversely affect an individual’s ability to make an informed decision about how to best mitigate harm.
Entities’ data breach notifications must balance timeliness and thoroughness to meet the requirements of the Privacy Act.
Source of breaches – All sectors
Malicious or criminal attacks were the largest source of data breaches notified to the OAIC from July to December 2020, accounting for 310 breaches. Malicious or criminal attacks are defined as attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.
Attacks included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat.
Human error remained a major source of breaches, accounting for 204 notifications. This was a notable increase from the 173 notifications attributed to human error in the previous period. System faults accounted for the remaining 25 breaches notified.
Chart 9 – Source of data breaches – All sectors
Chart 9: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Malicious or criminal attack breaches – All sectors
Malicious or criminal attacks remain the leading source of data breaches, accounting for 58% of notifications. However, the number of these breaches is holding steady – down only 1% from 312 notifications last reporting period to 310.
The majority of breaches (68%) in the malicious or criminal attack category involved cyber incidents. The OAIC received 212 notifications of cyber incidents, a slight decrease from the 218 notifications received during the previous period. Cyber incidents were responsible for 39% of all data breaches, with phishing, compromised or stolen credentials, and ransomware the main sources of the data breaches in this category.
Data breaches resulting from social engineering or impersonation accounted for 34 notifications. This represented a decrease from the 48 notifications received in the previous period. Actions taken by a rogue employee or insider threat accounted for 35 notifications, up from 23. Theft of paperwork or storage devices resulted in 29 notifications.
Chart 10 – Breaches resulting from malicious or criminal attacks – All sectors
Chart 11 – Malicious or criminal attacks – All sectors
Chart 11: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Cyber incident breaches – All sectors
More than half of all cyber incidents – and 23% of all notifications – during the reporting period involved malicious actors gaining access to accounts using compromised or stolen credentials.
The most common method used by malicious actors to obtain compromised credentials was email-based phishing (54 notifications). This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations. The human factor is an important element in an organisation’s overall information and cyber security posture, given these attacks rely on a person clicking on a phishing link.
Chart 12 – Cyber incident breakdown – All sectors
Chart 12: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Human error breaches – All sectors
The second largest source of data breaches was human error. The number of breaches attributed to human error has increased overall – up 18% from 173 notifications last reporting period to 204 – and proportionally – up from 34% of all data breaches to 38%.
Common examples of human error breaches include sending personal information to the wrong recipient via email (45% of human error breaches), unintended release or publication of personal information (16%), and failure to use the ‘blind carbon copy’ (BCC) function when sending group emails.
Certain human error breaches affect larger numbers of individuals. Unauthorised disclosure (unintended release or publication) affected the largest number of individuals per breach in this category, with an average of 20,117 individuals affected per breach. Failure to use the BCC function when sending group emails affected an average of 19,163 individuals per breach.
Table 3 – Human error breakdown by average number of affected individuals – All sectors
Source of breach | No. of notifications received | Average no. of affected individuals |
|---|---|---|
PI sent to wrong recipient (email) | 92 | 29 |
Unauthorised disclosure (unintended release or publication) | 33 | 20,117 |
Failure to use BCC when sending email | 18 | 19,163 |
PI sent to wrong recipient (mail) | 16 | 1 |
PI sent to wrong recipient (other) | 12 | 5 |
Unauthorised disclosure (failure to redact) | 12 | 2 |
Loss of paperwork/data storage device | 11 | 24 |
Unauthorised disclosure (verbal) | 7 | 1 |
PI sent to wrong recipient (fax) | 2 | 1 |
Insecure disposal | 1 | 185 |
System fault breaches – All sectors
System faults accounted for 5% of data breaches – the same proportion as the last reporting period. System fault breaches include data breaches that occur due to a business or technology process error.
Unintended release or publication of personal information due to a system fault caused 17 data breaches, while unintended access to personal information as a result of a system fault caused 8 data breaches.
Good data breach response and assessment
Across the reporting period, the OAIC saw several examples of good data breach response and assessment practices.
A notable example involved a business email compromise attack, where an entity’s staff member received several suspicious emails requesting payment of falsified invoices.
- The entity immediately locked down the affected staff member’s email account and commenced an internal investigation.
- Within 2 days, the entity commissioned an external IT security incident response company to conduct a forensic investigation of its network.
- Eight days after the original suspicious email was identified, the entity received preliminary findings from the IT security incident response company and concluded that an eligible data breach had occurred. Investigations identified over 1,000 employees whose personal information had been exposed and around 100 external individuals who were potentially at risk of serious harm.
- By day 10, the entity notified all staff of the breach, providing them with guidance on IT security best practice and the details of potentially compromised personal information.
- The entity continued its forensic investigation into the incident. Through this process, it confirmed the extent of access obtained by the malicious actor, clarified the data that had been viewed or exfiltrated from its network, and continued its assessment of the serious harm caused to each individual (internal and external) whose personal information had potentially been exposed.
- As part of its assessment process, the entity categorised exposed personal information into 6 categories, against which it weighed the risk of serious harm.
- The entity commissioned a third party to provide support to affected individuals.
- By day 35, the entity had concluded its forensic investigation and provided a final, tailored notification to the OAIC, and to all internal and external individuals it had identified as at risk of serious harm from the breach.
- Given the breach resulted in the exposure of Australian Government identifiers such as tax file numbers and Medicare numbers, the entity also contacted the relevant agencies regarding the breach.
Comparison of top 5 industry sectors
This section compares notifications made under the NDB scheme by the 5 industry sectors that made the most notifications in the reporting period.
From July to December 2020, health service providers reported 123 data breaches, or 23% of the total.
The second largest source of notifications was the finance sector (15%), followed by education (7%), legal, accounting and management services (7%), and the Australian Government (6%). This is the first report where the Australian Government has been among the top 5 industry sectors to notify data breaches.
Time taken to identify breaches – Top 5 industry sectors
The time taken by entities to identify incidents that were subsequently assessed to be eligible data breaches varied by industry sector.[9]
In the reporting period, 88% of health service providers and 87% of entities in the legal, accounting and management services sector identified the incident within 30 days of it occurring. This figure was 68% for the finance sector and 61% for Australian Government entities.
Chart 15 – Days taken to identify breaches – Top 5 industry sectors
Chart 15: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Time taken to notify the OAIC of data breaches – Top 5 industry sectors
The time taken by entities to notify the OAIC of a data breach[10] varied by industry sector.
Eighty-seven per cent of notifications from the legal, accounting and management services sector, and 83% of notifications from the health and education sectors, were made within 30 days of the entity becoming aware of the incident.
Sixty-five per cent of notifications from the finance sector and 58% of notifications from the Australian Government were made to the OAIC within 30 days of the entity becoming aware of the incident.
Chart 16 – Days taken to notify the OAIC of data breaches – Top 5 industry sectors
Chart 16: Long text description
Note: These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Source of breaches – Top 5 industry sectors
Consistent with previous reports, human error remained the most common source of data breaches within the health sector, accounting for 57% of data breaches reported by the sector. Malicious or criminal attacks caused 41% of data breaches reported by the health sector.
In comparison, malicious or criminal attacks were the most common source of data breaches within the finance sector, comprising 66% of data breaches reported by the sector. Human error was the source of 28% of data breaches within the finance sector.
Malicious or criminal attack breaches – Top 5 industry sectors
Chart 18 – Malicious or criminal attacks breakdown – Top 5 industry sectors
 |  |
 |  |
 |  |
Cyber incident breaches – Top 5 industry sectors
Chart 19 – Cyber incident breakdown – Top 5 industry sectors
 |  |
 |  |
 |  |
 |  |
Chart 19: Long text description
Note: Cyber incidents categorised as ‘Other’ are included in the total.
Human error breaches – Top 5 industry sectors
System fault breaches – Top 5 industry sectors
Four of the top 5 industry sectors notified breaches resulting from a system fault.
The majority of system fault breaches reported by the top 5 industry sectors involved the unintended release or publication of personal information (9 notifications). Of the top 5 industry sectors, the finance sector reported the most data breaches resulting from system faults.
Chart 21 – System fault breakdown – Top 5 industry sectors
Chart 21: Long text description
Note: The legal, accounting and management services sector did not report any breaches caused by a system fault.
Glossary
Breach categories
Term | Definition |
|---|---|
Human error | An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient |
PI sent to wrong recipient (email) | Personal information sent to the wrong recipient via email, for example, as a result of a misaddressed email or having a wrong address on file |
PI sent to wrong recipient (fax) | Personal information sent to the wrong recipient via facsimile machine, for example, as a result of an incorrectly entered fax number or having a wrong fax number on file |
PI sent to wrong recipient (mail) | Personal information sent to the wrong recipient via postal mail, for example, as a result of a transcribing error or having a wrong address on file |
PI sent to wrong recipient (other) | Personal information sent to the wrong recipient via channels other than email, fax or mail, for example, delivery by hand or uploading to web portal |
Failure to use BCC when sending email | Sending an email to a group by including all recipient emails addresses in the ‘To’ field, thereby disclosing all recipient email address to all recipients |
Insecure disposal | Disposing of personal information in a manner that could lead to its unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin |
Loss of paperwork/data storage device | Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on a bus |
Unauthorised disclosure (failure to redact) | Failure to effectively remove or de-identify personal information from a record before disclosing it |
Unauthorised disclosure (verbal) | Disclosing personal information verbally without authorisation, for example, calling it out in a waiting room |
Unauthorised disclosure (unintended release or publication) | Unauthorised disclosure of personal information in a written format, including paper documents or online |
Malicious or criminal attack | A malicious or criminal attack deliberately crafted to exploit known vulnerabilities for financial or other gain |
Theft of paperwork or data storage device | Theft of paperwork or data storage device |
Social engineering/impersonation | An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations |
Rogue employee/insider threat | An attack by an employee or insider acting against the interests of their employer or other entity |
Cyber incident | A cyber incident targets computer information systems, infrastructures, computer networks or personal computer devices |
Malware | Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system |
Ransomware | A type of malicious software designed to block access to data or a computer system until a sum of money is paid or other conditions are met |
Phishing (compromised credentials) | An attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords |
Brute-force attack (compromised credentials) | Automated software is used to generate a large number of consecutive guesses as to the value of the desired data, for example passwords |
Compromised or stolen credentials (method unknown) | Credentials are compromised or stolen by methods unknown |
Hacking (other means) | Exploiting a software or security weakness to gain access to a system or network, other than by way of phishing, brute-force attack or malware |
Business email compromise | Business email compromise is a scam where a criminal sends an email message that appears to come from a known source making legitimate request, such as request for payment of invoice or bank transfer |
System fault | A business or technology process error not caused by direct human error |
Other terminology used in this report and in the NDB Form[11]
Term | Definition/ examples |
|---|---|
Personal information (PI) | Information or an opinion about an identified individual, or an individual who is reasonably identifiable |
Financial details | Information relating to an individual’s finances, for example, bank account or credit card numbers |
Tax file number (TFN) | An individual’s personal reference number in the tax and superannuation systems, issued by the Australian Taxation Office |
Identity information | Information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier |
Contact information | Information that is used to contact an individual, for example, a home address, phone number or email address |
Health information | As defined in section 6 of the Privacy Act |
Other sensitive information | Sensitive information, other than health information, as defined in section 6 of the Privacy Act. For example, sexual orientation, political or religious views |
APP entity | An agency or organisation that is subject to the Privacy Act |
Managed service provider (MSP) | A managed service provider (MSP) is a business that delivers services relating to IT infrastructure or end user systems to customers |
Long text descriptions
Chart 1 – Data breach notifications under the NDB scheme
Chart 1 is a line graph showing the number of notifications by month, from July 2018 to December 2020.
Month | Number of notifications |
|---|---|
July 2018 | 78 |
August 2018 | 86 |
September 2018 | 73 |
October 2018 | 91 |
November 2018 | 83 |
December 2018 | 81 |
January 2019 | 61 |
February 2019 | 67 |
March 2019 | 77 |
April 2019 | 79 |
May 2019 | 83 |
June 2019 | 80 |
July 2019 | 87 |
August 2019 | 90 |
September 2019 | 70 |
October 2019 | 93 |
November 2019 | 106 |
December 2019 | 83 |
January 2020 | 63 |
February 2020 | 84 |
March 2020 | 88 |
April 2020 | 82 |
May 2020 | 120 |
June 2020 | 75 |
July 2020 | 103 |
August 2020 | 108 |
September 2020 | 106 |
October 2020 | 78 |
November 2020 | 62 |
December 2020 | 82 |
Chart 2 – Number of breaches reported under the NDB scheme – All sectors
Chart 2 is a stacked column chart showing the number of notifications by month, from July to December 2020. Each column is broken down by malicious or criminal attack, human error and system fault, but figures are not specified for each category.
Month | Number of notifications |
|---|---|
July 2020 | 103 |
August 2020 | 108 |
September 2020 | 106 |
October 2020 | 78 |
November 2020 | 62 |
December 2020 | 82 |
Chart 3 – Number of individuals affected by breaches – All sectors
Chart 3 is a column chart showing the number of individuals worldwide whose personal information was compromised in data breaches, as estimated by the notifying entities.
The table is displayed from smallest to largest number of affected individuals.
‘Unknown’ includes notifications by entities with ongoing investigations at the time of this report.
Number of affected individuals | Number of notifications |
|---|---|
1 | 164 |
2 to 10 | 92 |
11 to 100 | 110 |
101 to 1,000 | 86 |
1,001 to 5,000 | 40 |
5,001 to 10,000 | 7 |
10,001 to 25,000 | 6 |
25,001 to 50,000 | 8 |
50,001 to 100,000 | 2 |
100,001 to 250,000 | 2 |
250,001 to 500,000 | 3 |
500,001 to 1,000,000 | 2 |
1,000,001 to 10,000,000 | 3 |
10,000,001 or more | 1 |
Unknown | 9 |
Chart 4 – Kinds of personal information involved in breaches – All sectors
Chart 4 is a column chart showing the number of notifications for each kind of personal information involved in date breaches.
Eligible data breaches may involve more than one kind of personal information.
The table is displayed from most to least notifications.
For breaches listed against the ‘Under review’ category, the notifying entity was still conducting its assessment of the breach, including which categories of personal information had been disclosed or accessed, at the time it notified the OAIC.
Kind of personal information | Number of notifications |
|---|---|
Contact information | 492 |
Identity information | 241 |
Financial details | 218 |
Health information | 138 |
Tax file number | 96 |
Other sensitive information | 51 |
Under review | 6 |
Chart 5 – Days taken to identify breaches – All sectors
Chart 5 is a doughnut chart showing the time taken by entities to identify breaches.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Days taken to identify breaches | Percentage |
|---|---|
<30 | 75% |
31–60 | 8% |
61–120 | 6% |
121–365 | 7% |
>365 | 3% |
Unknown | 1% |
Chart 6 – Days taken to identify breaches by source of breach – All sectors
Chart 6 is a stacked column chart showing the time taken by entities to identify breaches by source of breach.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Days taken to identify breaches | Malicious or criminal attack | Human error | System fault |
|---|---|---|---|
<30 | 70% | 84% | 56% |
31–60 | 11% | 4% | 8% |
61–120 | 9% | 3% | 8% |
121–365 | 7% | 5% | 12% |
>365 | 2% | 3% | 8% |
Unknown | 1% | 0% | 8% |
Chart 7 – Days taken to notify the OAIC of breaches – All sectors
Chart 7 is a doughnut chart showing the time taken by entities to notify the OAIC of breaches after becoming aware of the breach.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Days taken to notify the OAIC of breaches | Percentage |
|---|---|
<30 | 78% |
31–60 | 13% |
61–120 | 5% |
121–365 | 4% |
>365 | 1% |
Unknown | <1% |
Chart 8 – Days taken to notify the OAIC of breaches by source of breach – All sectors
Chart 8 is a stacked column chart showing the time taken by entities to notify the OAIC of breaches after becoming aware of the breach, by source of breach.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Days taken to notify the OAIC of breaches | Malicious or criminal attack | Human error | System fault |
|---|---|---|---|
<30 | 74% | 86% | 64% |
31–60 | 15% | 8% | 24% |
61–120 | 5% | 4% | 4% |
121–365 | 5% | 1% | 8% |
>365 | <1% | 1% | 0% |
Unknown | <1% | 0% | 0% |
Chart 9 – Source of data breaches – All sectors
Chart 9 is a doughnut chart showing the source of data breaches.
The table is displayed from most to least notifications.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Source of data breach | Percentage |
|---|---|
Malicious or criminal attack | 58% |
Human error | 38% |
System fault | 5% |
Chart 10 – Breaches resulting from malicious or criminal attacks – All sectors
Chart 10 is a clustered column chart showing the breakdown of breaches resulting from malicious or criminal attacks for the periods January to June 2020 and July to December 2020.
The table is displayed from most to least notifications.
Malicious or criminal attack type | January to June 2020 | July to December 2020 |
|---|---|---|
Cyber incident | 218 | 212 |
Social engineering/ impersonation | 48 | 34 |
Rogue employee/ insider threat | 23 | 35 |
Theft of paperwork or data storage device | 23 | 29 |
Chart 11 – Malicious or criminal attacks – All sectors
Chart 11 is a doughnut chart showing the breakdown of breaches resulting from malicious or criminal attacks.
The table is displayed from most to least notifications.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Malicious or criminal attack type | Percentage |
|---|---|
Cyber incident | 68% |
Rogue employee/ insider threat | 11% |
Social engineering/ impersonation | 11% |
Theft of paperwork or data storage device | 9% |
Chart 12 – Cyber incident breakdown – All sectors
Chart 12 is a doughnut chart showing the breakdown of cyber incidents.
The table is displayed from most to least notifications.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Cyber incident type | Percentage |
|---|---|
Phishing (compromised credentials) | 25% |
Compromised or stolen credentials (method unknown) | 25% |
Ransomware | 17% |
Hacking | 14% |
Brute-force attack (compromised credentials) | 8% |
Malware | 7% |
Other | 3% |
Chart 13 – Human error breakdown – All sectors
Chart 13 is a clustered column chart showing the breakdown of breaches resulting from human error for the periods January to June 2020 and July to December 2020.
The table is displayed from most to least notifications.
Human error type | January to June 2020 | July to December 2020 |
|---|---|---|
PI sent to wrong recipient (email) | 68 | 92 |
Unauthorised disclosure (unintended release or publication) | 27 | 33 |
PI sent to wrong recipient (mail) | 21 | 16 |
Loss of paperwork/data storage device | 14 | 11 |
Failure to use BCC when sending email | 12 | 18 |
Unauthorised disclosure (verbal) | 11 | 7 |
PI sent to wrong recipient (other) | 9 | 12 |
Unauthorised disclosure (failure to redact) | 8 | 12 |
PI sent to wrong recipient (fax) | 2 | 2 |
Insecure disposal | 1 | 1 |
Chart 14 – System fault breakdown – All sectors
Chart 14 is a clustered column chart showing the breakdown of breaches resulting from system faults for the periods January to June 2020 and July to December 2020.
The table is displayed from most to least notifications.
System fault type | January to June 2020 | July to December 2020 |
|---|---|---|
Unintended release or publication | 17 | 17 |
Unintended access | 8 | 8 |
Chart 15 – Days taken to identify breaches – Top 5 industry sectors
Chart 15 is a stacked column chart showing the time taken by entities in the top 5 industry sectors to identify breaches.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.
Days taken to identify breaches | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
<30 | 88% | 68% | 80% | 87% | 61% |
31–60 | 3% | 15% | 8% | 3% | 15% |
61–120 | 2% | 8% | 3% | 11% | 6% |
121–365 | 3% | 6% | 10% | 0% | 15% |
>365 | 2% | 1% | 0% | 0% | 3% |
Unknown | 1% | 3% | 0% | 0% | 0% |
Chart 16 – Days taken to notify the OAIC of data breaches – Top 5 industry sectors
Chart 16 is a stacked column chart showing the time taken by entities in the top 5 industry sectors to notify the OAIC of breaches after becoming aware of the breach.
These figures do not add up to a total of 100% due to the rounding up or down of the percentages for each category.
Days taken to notify the OAIC of breaches | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
<30 | 83% | 65% | 83% | 87% | 58% |
31–60 | 11% | 16% | 10% | 11% | 18% |
61–120 | 4% | 10% | 3% | 0% | 15% |
121–365 | 2% | 8% | 5% | 3% | 3% |
>365 | 0% | 1% | 0% | 0% | 6% |
Unknown | 0% | 0% | 0% | 0% | 0% |
Chart 17 – Source of data breaches – Top 5 industry sectors
Chart 17 is a clustered column chart showing the source of breaches by industry sector.
Source of breach | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
Malicious or criminal attack | 51 | 53 | 13 | 27 | 2 |
Human error | 70 | 22 | 25 | 11 | 29 |
System fault | 2 | 5 | 2 | 0 | 2 |
Chart 18 – Malicious or criminal attacks breakdown – Top 5 industry sectors
Chart 18 is a panel chart showing the breakdown of breaches resulting from malicious or criminal attacks by top 5 industry sectors.
Malicious or criminal attack type | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
Cyber incident | 32 | 26 | 9 | 24 | 1 |
Theft of paperwork or data storage device | 8 | 9 | 1 | 3 | 0 |
Social engineering/ impersonation | 1 | 11 | 0 | 0 | 1 |
Rogue employee/ insider threat | 10 | 7 | 3 | 0 | 0 |
Total | 51 | 53 | 13 | 27 | 2 |
Chart 19 – Cyber incident breakdown – Top 5 industry sectors
Chart 19 is a panel chart showing the breakdown of breaches resulting from cyber incidents by top 5 industry sectors.
Cyber incidents categorised as ‘Other’ are included in the total.
Cyber incident type | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
Phishing | 11 | 7 | 2 | 9 | 0 |
Compromised or stolen credentials | 8 | 7 | 1 | 8 | 0 |
Hacking | 1 | 5 | 4 | 0 | 0 |
Ransomware | 6 | 2 | 0 | 4 | 0 |
Brute-force attack | 1 | 0 | 2 | 1 | 1 |
Malware | 4 | 4 | 0 | 2 | 0 |
Total | 32 | 26 | 9 | 24 | 1 |
Chart 20 – Human error breakdown – Top 5 industry sectors
Chart 20 is a panel chart showing the breakdown of breaches resulting from human error by top 5 industry sectors.
Human error type | Health service providers | Finance | Education | Legal, accounting & management services | Australian Government |
|---|---|---|---|---|---|
PI sent to wrong recipient (email) | 34 | 11 | 14 | 5 | 10 |
PI sent to wrong recipient (fax) | 1 | 0 | 0 | 0 | 0 |
PI sent to wrong recipient (mail) | 7 | 3 | 0 | 0 | 4 |
PI sent to wrong recipient (other) | 5 | 1 | 3 | 3 | 0 |
Failure to use BCC when sending email | 8 | 0 | 2 | 1 | 3 |
Insecure disposal | 1 | 0 | 0 | 0 | 0 |
Loss of paperwork/data storage device | 5 | 0 | 0 | 1 | 2 |
Unauthorised disclosure (failure to redact) | 2 | 0 | 1 | 0 | 5 |
Unauthorised disclosure (unintended release or publication) | 5 | 6 | 5 | 1 | 4 |
Unauthorised disclosure (verbal) | 2 | 1 | 0 | 0 | 1 |
Total | 70 | 22 | 25 | 11 | 29 |
Chart 21 – System fault breakdown – Top 5 industry sectors
Chart 21 is a clustered column chart showing the breakdown of breaches resulting from system faults by the top 5 industry sectors.
The legal, accounting and management services sector did not report any breaches caused by a system fault.
System fault type | Health service providers | Finance | Education | Australian Government |
|---|---|---|---|---|
Unintended access | 1 | 1 | 0 | 0 |
Unintended release or publication | 1 | 4 | 2 | 2 |
Footnotes
[1] A health service provider generally includes any private sector entity that provides a health service within the meaning of section 6FB of the Privacy Act, regardless of annual turnover. State or territory public hospitals and health services are generally not covered – they are bound by state and territory privacy laws, as applicable.
[2] The Privacy Act covers most Australian Government agencies. It does not cover a number of intelligence and national security agencies. The Privacy Act does not cover state and local government agencies, public hospitals and public schools.
[3] This sector includes banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers (regardless of annual turnover).
[4] This sector includes private education providers only, as APP entities. Public sector education providers are bound by state and territory privacy laws, as applicable.
[5] Under section 6(1) of the Privacy Act, an entity is taken to ‘hold’ personal information if it has possession or control of a record that contains personal information. This means that the term ‘hold’ extends beyond physical possession of a record to include a record that an entity has a right or power to deal with, even if it does not physically possess the record or own the medium on which it is stored.
[6] Notifications relating to the same data breach incident are counted as a single notification in this report.
[7] The Privacy Act requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect that they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must prepare a statement and provide a copy to the OAIC as soon as practicable.
[8] The Privacy Act requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect that they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must prepare a statement and provide a copy to the OAIC as soon as practicable.
[9] The figures in this section relate to the time between an incident occurring and the entity becoming aware of it. They do not relate to the time taken by the entity to assess whether an incident qualified as an eligible data breach.
[10] The figures in this section relate to the time between when an entity became aware of an incident and when they notified the OAIC. They do not relate to the time between when the entity determined the incident to be an eligible data breach and when they notified the OAIC.
[11] OAIC’s Notifiable Data Breach Form
