Publication date: 10 July 2018


The OAIC publishes quarterly statistical information about notifications received under the Notifiable Data Breaches scheme, to assist entities and the public to understand the operation of the scheme.

Number of breaches reported under the Notifiable Data Breaches scheme

Bar chart shows number of breaches reported under the NDB scheme for January, February and March 2018. January had zero, as the scheme commenced on 22 February 2018. February had 8 and March had 55. There were 63 in total for the quarter and year to date.

As the NDB scheme commenced on 22 February 2018, data is only available for part of the quarter.

Top 5 industry sectors that reported breaches in the quarter

Top 5 industry sectors                       NDBs received
Health service providers                     15
Legal, Accounting & Management services      10
Finance (incl. superannuation)               8
Education                                    6
Charities                                    4

The NDB scheme applies to entities with existing obligations to secure information under the Privacy Act 1988. During the first quarter of 2018, the largest proportion of eligible data breaches reported to the OAIC was from health service providers, at 24 per cent. A health service provider includes any organisation that provides a health service and holds health information.

The second largest proportion was from the legal, accounting and management services sector, at 16 per cent. This was followed by the finance sector (13 per cent), private education sector (10 per cent), and charities (6 per cent).

Kinds of personal information involved in breaches reported in the quarter

Kinds of personal information                % of NDBs received
Contact information                          78%
Financial details                            30%
Health information                           33%
Identity information                         24%
Other sensitive information                  2%
TFN                                          14%

An eligible data breach may involve one or more kinds of personal information. The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.

Entities also reported data breaches that involved individuals’ tax file numbers, financial details, such as bank account or credit card numbers, as well as health information. ‘Other sensitive information’ refers to categories of sensitive information, other than health information, as defined in section 6 of the Privacy Act.

Source of the breaches reported in the quarter

Pie chart shows the source of the breaches reported in the quarter. From largest to smallest, 32 were human error, 28 were malicious or criminal attack, 2 were system fault and 1 was other.

Human error was the cause of the largest number of eligible data breaches reported to the OAIC. Human error may include inadvertent disclosures, such as by sending a document containing personal information to the incorrect recipient.

This was closely followed by malicious or criminal attacks as the source of the data breach. Malicious or criminal attacks usually involve the theft of personal information, or cyber security incidents resulting from unauthorised access to an entity’s systems.

Number of people affected in breaches reported in the quarter

Bar chart shows number of people affected in breaches. From largest to smallest, 20 breaches affected one person, 17 breaches affected two to nine people, 11 breaches affected 100 to 999 people, 9 breaches affected 10 to 99 people, 3 breaches affected 1000 to 9999 people and 3 breaches affected 10,000 to 99,999 people.

73 per cent of eligible data breaches reported involved the personal information of under 100 individuals, with just over half of the notifications involving the personal information of between 1 and 9 individuals. 27 per cent of notifications under the NDB scheme involved more than 100 individuals.