Notifiable Data Breaches Report: January–June 2020

31 July 2020

Download the print version

About this report

The Office of the Australian Information Commissioner (OAIC) publishes periodic statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 January 2020 to 30 June 2020.

Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same data breach. Notifications relating to the same data breach incident are counted as a single notification in this report.

The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected for statistical purposes. Source of breach categories are defined in the glossary at the end of this report.

Consistent with previous NDB statistical reports, notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

NDB notification statistics contained within this report relate to a specific point in time. Some recent notifications covered by the period of this report are under assessment and the status and categorisation of these notifications may change prior to the finalisation of their assessment. Similarly, there may have been adjustments to statistics from previous reports as a result of changes to the status or categorisation of individual notifications. As a result, references to historical data appearing in this report may differ from the information appearing in previous reports covering the relevant period.

Note: This report also contains a correction to data in the July–December 2019 NDB Scheme report published in February 2020. This report stated there was a 19% increase in the number of notifications received when compared to the previous six months. The correct figure was 17%.

Executive summary

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. It applies to agencies and organisations who are covered by the Privacy Act 1988 and are required to take reasonable steps to secure personal information.

The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading causes and sources of data breaches, and to highlight emerging issues and areas for ongoing attention by regulated entities.

There was a 3% decrease in the number of data breaches reported to the Office of the Australian Information Commissioner (OAIC) between January and June 2020, compared to the period from July to December 2019.

Notifications
518
Down 3%
Malicious or criminal attack
61%
Down 7% to 317
Human error
34%
Up 7% to 176
System fault
5%
Down 7% to 25

Comparisons are to July to December 2019

Key findings for the January to June 2020 reporting period:

  • 518 breaches were notified under the scheme. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received during the period January-June 2019.
  • Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 61% of all notifications
  • Data breaches resulting from human error account for 34% of all breaches
  • The health sector is again the highest reporting sector, notifying 22% of all breaches
  • Finance is the second highest reporting sector, notifying 14% of all breaches
  • Most data breaches affected less than 100 individuals, in line with previous reporting periods
  • Contact information remains the most common type of personal information involved in a data breach.

Chart 1 — Data breach notifications under the NDB scheme

Link to long text description follows.

Notifications received January–June 2020

The number of NDBs reported to the OAIC between 1 January and 30 June 2020 decreased by 3% compared to the previous six months. The 518 notifications received during this reporting period marks an increase of 16% on the 447 notifications made under the NDB scheme during the same period in 2019.

The number of notifications fluctuated monthly, from 63 notifications in January to 124 notifications in May, the most reported in any calendar month since the scheme began in February 2018.

Although a larger proportion of notifications received in May were attributed to human error (39%) than for the overall reporting period (34%), the OAIC has not identified a specific cause for the increase. The OAIC is also not aware of any evidence to suggest the increase is related to changed business practices resulting from COVID-19, given that notifications across the period are otherwise broadly consistent with longer term trends.

Table 1 — Number of breaches reported under the NDB scheme
 Total number of notifications
Total received January to June 2020 518
Total received July to December 2019 532
Total received 2019/20 Financial Year 1050

Top industry sectors to notify breaches

Health service providers[1] has consistently reported the most data breaches compared to other industry sectors since the start of the NDB scheme.

Table 2 — Top industry sectors by notifications
Top five industry sectorsNDBs received January–June 2020
Health service providers 115
Finance (incl. superannuation)[2] 75
Education[3] 44
Insurance 35
Legal, accounting & management services 26

Chart 2 — Number of breaches reported under the NDB scheme — All sectors

Link to long text description follows.

Assessing a data breach

Between January and June 2020, the OAIC received a number of notifications where it was not clear whether the notifying entity had either undertaken an appropriate assessment of the data breach, or had determined the nature and extent of the breach.

Under the NDB scheme, a data breach is an ’eligible data breach’ where:

  • there is unauthorised access to or unauthorised disclosure of personal information (or the information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur)
  • a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach, and
  • the entity has not been able to prevent the likelihood of serious harm through remedial action.

If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances. This should include whether the breach posed a risk of serious harm to affected individuals, the cause or source of the breach, the type of personal information that was accessed or disclosed, and the number of individuals who were at risk of serious harm as a result of the breach.

If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable. The OAIC’s data breach response flowchart illustrates the steps that should be taken in assessing and responding to an eligible data breach.

Understanding the nature and extent of the breach

The capacity to conduct a timely and thorough assessment and investigation of a suspected data breach can be constrained when an entity does not comprehensively understand its own information environment.

Notifying entities who did not have audit or activity logging enabled on their network or email servers/accounts, or could not undertake retrospective traffic analysis of their internet gateway, had difficulty determining whether a malicious actor who had gained access to their network in a cyber attack had accessed or exported (exfiltrated) personal information.

All entities covered by the Privacy Act should be aware of the personal information they retain within their information and communications technology (ICT) environment and where it is located. Effective ICT security requires protecting both hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure.

If an entity does not have a clear understanding of the types of information it retains and where it stores it, not only will the entity find it difficult to meet its obligations under the NDB scheme if a data breach occurs, it may also be in breach of the requirements of Australian Privacy Principles 1 and 11 (APPs).

Number of individuals affected by breaches — All sectors

Most NDBs in the period involved the personal information of 100 individuals or fewer (64% of notified breaches). Breaches affecting between 1 and 10 individuals comprised 46% of notifications.

Chart 3 — Number of individuals affected by breaches — All sectors

Link to long text description follows.

Note: Where bands are not shown (for example, 100,001 to 250,000), there were nil reports in the period. ‘Unknown’ includes notifications by entities with ongoing investigations at the time of this report.

For the bands 1,000,001 to 10,000,000 and 10,000,001 or more, these figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, not only individuals in Australia, as estimated by the notifying entities.

Notifying individuals affected by a breach

There have been multiple instances of incomplete notifications of data breaches where entities may not have fully met their obligations with regard to the content of the notification to individuals affected by a data breach.

For example, while entities notified affected individuals that their email addresses were involved in a data breach, on some occasions they did not advise that other personal information was also involved. This included personal information contained as attachments to emails received and sent from the compromised account, or in the cloud storage associated with the account.

Multiple notifications failed to include recommendations about the steps that individuals should take in response to the breach.

In these cases, the OAIC required the entity to re-issue the notification to include all the kinds of personal information that was involved, and provide the practical advice required to help individuals reduce the risk of harm.

Example of best notification practice

Entities reporting a data breach are required to provide practical guidance to affected individuals. As a best practice example, an organisation which experienced a data breach involving the financial, contact, identity details and Tax File Numbers (TFNs) of over 1000 people issued a detailed notification that provided:

  • a comprehensive summary of the data breach and what the entity had done to contain and remediate the breach
  • an itemised summary of all the types of personal information that had been exposed in the data breach
  • a number of practical steps that those affected should take in response to the breach, including:
    • guidance on best practice in relation to the use of email and cyber security practices tailored to reflect the heightened risk of targeted spear phishing or fraudulent approaches to individuals affected by the breach
    • specific advice on steps individuals could take to reduce the risk of unauthorised access to bank accounts, credit cards and superannuation accounts
    • recommendations on options for placing credit bans on credit files
    • advice on how to contact Australian Government agencies about breaches of identity information such as Medicare number and TFN.

The OAIC’s website includes practical guidance about steps individuals can take to reduce their risk of harm. When applicable, these steps should be included in notifications to affected individuals.

Kinds of personal information involved in breaches — All sectors

The majority of data breaches (84%) notified under the NDB scheme from January to June 2020 involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as passport number, driver licence number or other government identifiers. Over a third of data breaches notified during the period involved identity information.

Data breaches notified in this period also involved TFNs (17%), financial details, such as bank account or credit card numbers (37%) and health information (26%). ‘Other sensitive information’ (11%) refers to categories of sensitive information as set out in section 6 of the Privacy Act, other than health information as defined in section 6FA.

Chart 4 — Kinds of personal information involved in breaches — All sectors

Link to long text description follows.

Note: NDBs may involve one or more kinds of personal information.

* For breaches listed against this category, the notifying entity was still conducting its assessment of the breach at the time it notified the OAIC and had not finalised its review of what categories of personal information had been disclosed or accessed.

Source of breaches — All sectors

Malicious or criminal attacks were the largest source of data breaches notified to the OAIC between January and June 2020, accounting for 317 breaches. Malicious or criminal attacks are defined as attacks that are deliberately crafted to exploit known vulnerabilities for financial or other gain.

Attacks included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat.

Human error remained a major source of breaches, accounting for 176 breaches, while system faults accounted for the remaining 25 breaches notified.

Chart 5 — Source of data breaches — All sectors

Link to long text description follows.

Malicious or criminal attack breaches — All sectors

Cyber incidents were the largest source of malicious and criminal attacks from January to June 2020. The OAIC received 218 notifications under this category, with phishing, malware, ransomware, brute-force attack and compromised or stolen credentials the main source of the data breaches.

Many cyber incidents in this reporting period appear to have exploited vulnerabilities involving a human factor, such as clicking on a phishing email or disclosing passwords.

There was a slight decrease in the number of data breaches attributed to malicious or criminal attacks during the reporting period compared to the previous six months.

The number of data breaches resulting from social engineering or impersonation has increased by 47% during the reporting period to 50 notifications. Actions taken by a rogue employee or insider threat accounted for 25 notifications. Theft of paperwork or storage devices resulted in 24 notifications.

Chart 6 — Breaches resulting from malicious or criminal attacks — All sectors

Link to long text description follows.

Chart 7 — Malicious or criminal attacks — All sectors

Link to long text description follows.

Cyber incident breaches — All sectors

The majority of cyber incidents during the reporting period were linked to malicious actors gaining access to accounts either through phishing attacks or by using compromised account details (compromised credentials, 133 notifications), ransomware attack (33 notifications) and hacking (29 notifications).

As with previous reporting periods, in a significant number of cyber incidents (55 notifications) the entity experiencing the breach was unable to identify how the malicious actor obtained the compromised credentials. The most common method of obtaining compromised credentials by malicious actors was through phishing (78 notifications).

Chart 8 — Cyber incident breakdown — All sectors

Link to long text description follows.

Growing risks arising from ransomware attacks

From January to June 2020, the number of data breach notifications attributed to ransomware attacks increased by more than 150% compared to the previous six months — increasing from 13 to 33.

Ransomware is a strain of malicious software which encrypts the data stored on the affected system, rendering the data either unusable or inaccessible. The malicious actor behind the attack then demands a sum of money be paid for the decryption key. The decryption key may or may not be provided after the ransom is paid.

Ransomware can be installed on a system through a malicious email attachment, a fraudulent software download or by visiting a malicious webpage. Ransomware attackers can also gain access to a system through unsecured public-facing servers or a remote port.

It is possible that the increase in ransomware notifications to the OAIC is the result of entities undertaking more rigorous assessments of ransomware incidents on their networks, resulting in more instances where entities confirm that personal information had been either accessed or copied by the attacker. However, media reporting during the reporting period has highlighted an increase in ransomware attacks that resulted in the copying or exfiltration of data as well as the encryption of the data on the target network. Many of these attacks appear to be linked to a specific ransomware variant.

If data exfiltration, in addition to encryption, becomes the default function of ransomware attacks, this will have significant implications for how entities respond to ransomware attacks. Previously, entities responding to ransomware attacks would look for evidence of access to, or the export of, data before suspecting that an eligible data breach had occurred. Now, given growing evidence that data exfiltration tends to occur when certain ransomware variants are deployed, entities may have grounds to suspect that a ransomware attack constituted an eligible data breach at the time they become aware of the attack.

Ransomware attacks are inherently difficult to assess and investigate because the target entity can no longer access its own network. It can be difficult, time consuming and expensive for an entity to investigate the extent of malicious actor access to its data. The entity will often have to rebuild or recreate its network to understand the extent of the compromise.

It is critical that entities who collect and retain personal information — including the information of clients, customers, business partners, employees and contractors — fully understand how and where this information is stored on their network. They should also consider network segmentation, additional access controls and encryption to reduce the risk of personal or commercial information being exposed by a ransomware attack.

There is increasing public awareness of the threat of ransomware attacks to Australian business, and growing evidence that these attacks often result in the exfiltration and release of information by the attacker. Entities are expected to be aware of their obligations under the NDB scheme and under APP 11.

Human error breaches — All sectors

The second largest source of data breaches was human error (34% of all data breaches). Examples include sending personal information to the wrong recipient via email (39% of data breaches resulting from human error), unintended release or publication of personal information (16%) and sending personal information to the wrong recipient via post (12%).

Certain kinds of breaches can affect larger numbers of people. Failure to use the ‘blind carbon copy’ (BCC) function when sending group emails affected the largest numbers of people in this data breach category, with an average of 486 affected individuals per breach. Insecure disposal of personal information impacted an average of 250 people per breach.

Chart 9 — Human error breakdown — All sectors

Link to long text description follows.

Table 3 — Human error breakdown by average number of affected individuals — All sectors
Kinds of personal informationNo. of NDBs received Jan–Jun 2020Average no. of affected individuals
PI sent to wrong recipient (email) 68 68
Unauthorised disclosure (unintended release or publication) 29 17
PI sent to wrong recipient (post) 21 53
Loss of paperwork/data storage device 14 131
Failure to use BCC when sending email 12 486
Unauthorised disclosure (verbal) 11 2
PI sent to wrong recipient (other) 9 1
Unauthorised disclosure (failure to redact) 8 1
PI sent to wrong recipient (fax) 2 1
Insecure disposal 1 250

System fault breaches — All sectors

System faults accounted for 5% of data breaches this reporting period. Unintended release or publication of personal information as a result of a system fault caused 16 data breaches, while unintended access to personal information as a result of a system fault caused nine data breaches.

System fault breaches include data breaches that occur as a result of a business or technology process error.

Chart 10 — System fault breakdown — All sectors

Link to long text description follows.

Timelines for assessment and notification following a data breach

One of the key objectives of the NDB scheme is to ensure that individuals who are at risk of serious harm as a result of a data breach are notified of the breach and can take steps to reduce the risk of harm.

Two factors affect the timeliness of notification: the time it takes for the entity to identify that the breach has occurred; and the time it takes the entity to complete its assessment of the breach and notify the OAIC and affected individuals.

Across the reporting period approximately 77% of notifying entities were able to identify a breach within 30 days of it occurring.

However, in 47 instances the entity took between 61 and 365 days to become aware that a data breach had occurred, while 14 entities took more than a year.

Almost three-quarters (74%) of notifying entities were able to complete their assessment of the data breach and report it to the OAIC within 30 days of becoming aware that a data breach had potentially occurred. In 63 instances (12% of all notifications) the entity took longer than 60 days to complete their assessment and notify the OAIC, and in 25 instances (5%) took more than 121 days.

There was considerable variation across industries in the time taken to notify the OAIC of an eligible data breach, with 87% of notifications from the health sector and 82% of notifications from the education sector made within 30 days. Only 65% of notifications from the finance sector and 66% of notifications from the insurance sector were made to the OAIC within 30 days of the notifying entity becoming aware of the breach.

The Privacy Act requires entities to carry out an assessment of a data breach within 30 days of becoming aware of reasonable grounds to suspect that there may have been an eligible data breach, and to notify the OAIC and affected individuals as soon as practicable after it confirms that an eligible data breach has occurred.

Where the assessment is not completed within 30 days, the entity must provide the OAIC with an explanation for the delay.

Explanations provided to the OAIC for delays in assessment and notification of data breaches include references to the complexity of an enterprise IT environment, or the significant number of emails and documents stored in a compromised email account.

However, in some instances, these explanations highlighted issues with regard to the entity’s information handling and security practices, which in turn raised questions about broader compliance with APPs 1 and 11 regarding the security of personal information.

Comparison of top five industry sectors

This section compares notifications made under the NDB scheme by the five industry sectors that made the most notifications in the reporting period (top five industry sectors).

From January to June 2020, health service providers reported 115 data breaches, or 22% of the total.

The second largest source of NDBs was the finance sector (15%), followed by education (8%), insurance (7%) and legal, accounting and management services (5%).

Source of breaches — Top five industry sectors

Malicious or criminal attacks caused 40% of data breaches reported by the health sector (46 notifications), while 57% resulted from human error (65 notifications).

Notifications from the finance sector indicated that 59% of data breaches resulted from malicious or criminal attacks (44 notifications), and 33% from human error (25 notifications). Three of the top five sectors notified breaches resulting from a system fault.

Chart 11 — Source of data breaches — Top five industry sectors

Link to long text description follows.

The threat of phishing and email account compromise

Data breaches resulting from phishing continue to be the leading source of malicious attacks.

Where entities used email applications and services for the primary storage of personal information, and the entity experienced a phishing attack, malicious actors either used the compromised email account to carry out further phishing campaigns, or accessed and exploited the personal information held in the inbox.

A number of entities applied additional security measures after experiencing a phishing attack, including:

  • training staff in identifying and responding to phishing emails
  • implementing multi-factor authentication on email accounts
  • resetting credentials on the compromised email accounts and/or the wider network
  • reviewing and upgrading existing security measures to include ongoing monitoring and antivirus and malware detection.

Entities should consider reviewing their practices and processes on an ongoing basis, without being prompted by a phishing attack, as part of their obligations under APP 11.

This may include regular staff training on data breaches and privacy obligations, reviewing access security protocols and password policies, and implementing measures to detect and contain unauthorised access to the entity’s personal information holdings.

Entities should also review the types of information that they collect, and how this information is received, stored, secured, and then destroyed or de-identified as required by APP 11.

The OAIC has continued to receive notifications where entities are storing sensitive personal information such as bank account details, superannuation account numbers and TFNs within email accounts. Entities should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files. This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box. More information about the steps entities can take to comply with APP 11 can be found in the OAIC’s Guide to securing personal information.

Malicious or criminal attack breaches — Top five industry sectors

Chart 12 — Malicious or criminal attacks breakdown — Top five industry sectors

Link to long text description follows.

Cyber incident breaches — Top five industry sectors

Chart 13 — Cyber incident breakdown — Top five industry sectors

Link to long text description follows.

Human error breaches — Top five industry sectors

Chart 14 — Human error breakdown — Top five industry sectors

Link to long text description follows.

System fault breaches

This chart breaks down the breaches identified as ‘system fault’ breaches by the top five industry sectors in the reporting period.

Chart 15 — System fault breakdown — Top five industry sectors

Link to long text description follows.

Glossary

Breach categories

TermDefinition
Human error An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient.
PI sent to wrong recipient (email) Personal information sent to the wrong recipient via email, for example, as a result of misaddressed email or incorrect address on file.
PI sent to wrong recipient (fax) Personal information sent to the wrong recipient via facsimile machine, for example, as a result of fax number incorrectly entered or wrong fax number on file.
PI sent to wrong recipient (mail) Personal information sent to the wrong recipient via postal mail, for example, as a result of a transcribing error or wrong address on files.
PI sent to wrong recipient (other) Personal information sent to the wrong recipient via channels other than email, fax or mail, for example, delivery by hand or uploading to web portal.
Failure to use BCC when sending email Sending an email to a group by including all recipient emails addresses in the ‘To’ field, thereby disclosing all recipient email address to all recipients.
Insecure disposal Disposing of personal information in a manner that could lead to its unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin.
Loss of paperwork/data storage device Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on a bus.
Unauthorised disclosure (failure to redact) Failure to effectively remove or de-identify personal information from a record before disclosing it.
Unauthorised disclosure (verbal) Disclosing personal information verbally without authorisation, for example, calling it out in a waiting room.
Unauthorised disclosure (unintended release or publication) Unauthorised disclosure of personal information in a written format, including paper documents or online.
Malicious or criminal attack A malicious or criminal attack deliberately crafted to exploit known vulnerabilities for financial or other gain.
Theft of paperwork or data storage device Theft of paperwork or data storage device
Social engineering/impersonation An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations.
Rogue employee/insider threat An attack by an employee or insider acting against the interests of their employer or other entity.
Cyber incident A cyber incident targets computer information systems, infrastructures, computer networks or personal computer devices.
Malware Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
Ransomware A type of malicious software designed to block access to data or a computer system until a sum of money is paid or other conditions are met.
Phishing (compromised credentials) An attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords.
Brute-force attack (compromised credentials) Automated software is used to generate a large number of consecutive guesses as to the value of the desired data, for example passwords.
Compromised or stolen credentials (method unknown) Credentials are compromised or stolen by methods unknown.
Hacking (other means) Exploiting a software or security weakness to gain access to a system or network, other than by way of phishing, brute-force attack or malware.
System fault A business or technology process error not caused by direct human error.

Other terminology used in this report and in the NDB Form[4]

TermDefinition/ examples
Financial details Information relating to an individual’s finances, for example, bank account or credit card numbers.
Tax File Number (TFN) An individual’s personal reference number in the tax and superannuation systems, issued by the Australian Taxation Office.
Identity information Information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier.
Contact information Information that is used to contact an individual, for example, home address, phone number or email address.
Health information As defined in section 6 of the Privacy Act. 
Other sensitive information Sensitive information, other than health information, as defined in section 6 of the Privacy Act. For example, sexual orientation, political or religious views.

Footnotes

[1] A health service provider generally includes any private sector entity that provides a health service within the meaning of s 6FB of the Privacy Act, regardless of annual turnover. State or Territory public hospitals and health services are generally not covered — they are bound by State and Territory privacy laws, as applicable.

[2] This sector includes banks, wealth managers, financial advisors, superannuation funds and consumer credit providers (regardless of annual turnover).

[3] This sector includes private education providers only, as APP entities. Public sector education providers are bound by State and Territory privacy laws, as applicable.

[4] OAIC’s Notifiable Data Breach Form

Long text descriptions

Chart 1 — Data breach notifications under the NDB scheme

Chart 1 is a line graph showing the number of notifications by month, from July 2018 to June 2020.

Table of chart data available soon.

Back to Chart 1

Chart 2 — Number of breaches reported under the NDB scheme — All sectors

Chart 2 is a stacked column chart showing number of notifications by month, from January to June 2020. Each column is broken down by malicious or criminal attack, human error or system fault, but figures are not specified for the breakdown.

Table of chart data available soon.

Back to Chart 2

Chart 3 — Number of individuals affected by breaches — All sectors

Chart 3 is a column chart showing the number of affected individuals. Where bands are not shown (for example, 100,001 to 250,000), there were nil reports in the period. ‘Unknown’ includes notifications by entities with ongoing investigations at the time of this report.

For the bands 1,000,001 to 10,000,000 and 10,000,001 or more, these figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, not only individuals in Australia, as estimated by the notifying entities.

Table is displayed from smallest to biggest number of affected individuals.

Table of chart data available soon.

Back to Chart 3

Chart 4 — Kinds of personal information involved in breaches — All sectors

Chart 4 is a column chart showing the number of notifications of each kind of personal information involved in breaches.

NDBs may involve one or more kinds of personal information. For breaches listed against this category of ‘Under review’, the notifying entity was still conducting its assessment of the breach at the time it notified the OAIC and had not finalised its review of what categories of personal information had been disclosed or accessed.

Table is displayed from most to least notifications.

Table of chart data available soon.

Back to Chart 4

Chart 5 — Source of data breaches — All sectors

Chart 5 is a doughnut chart showing the source of data breaches, displayed from most to least notifications.

Source of data breachPercentage
Malicious or criminal attack 61%
Human error 34%
System fault 5%

Back to Chart 5

Chart 6 — Breaches resulting from malicious or criminal attacks — All sectors

Chart 6 is a clustered column chart showing types of malicious or criminal attacks. It compares the January to June 2020 period against July to December 2019.

Table of chart data available soon.

Back to Chart 6

Chart 7 — Malicious or criminal attacks — All sectors

Chart 7 is a doughnut chart showing the percentage of notifications of each kind of malicious or criminal attack.

Malicious or criminal attack typePercentage
Cyber incident 69%
Rogue employee / insider threat 8%
Social engineering / impersonation 16%
Theft of paperwork or data storage device 7%

Back to Chart 7

Chart 8 — Cyber incident breakdown —All sectors

Chart 8 is a doughnut chart showing the percentage of notifications of each type of cyber incident, displayed from most to least notifications.

Cyber incident typePercentage
Phishing (compromised credentials) 36%
Compromised or stolen credentials (method unknown) 25%
Ransomware 15%
Hacking 13%
Brute-force attack (compromised credentials) 6%
Malware 4%
Other 1%

Back to Chart 8

Chart 9 — Human error breakdown — All sectors

Chart 9 is a clustered column chart showing the number of notifications of each type of human error, displayed from most to least notifications. It compares the January to June 2020 period against July to December 2019.

Table of chart data available soon.

Back to Chart 9

Chart 10 — System fault breakdown — All sectors

Chart 10 is a clustered column chart showing the number of notifications of each type of system fault, displayed from most to least notifications. It compares the January to June 2020 period against July to December 2019.

Table of chart data available soon.

Back to Chart 10

Chart 11 — Source of data breaches — Top five industry sectors

Chart 11 is a clustered column chart, showing the source of data breaches by the top five industry sectors.

Table of chart data available soon.

Back to Chart 11

Chart 12 — Malicious or criminal attacks breakdown — Top five industry sectors

Chart 12 is a panel chart showing the type of malicious or criminal attack by top five industry sectors.

Table of chart data available soon.

Back to Chart 12

Chart 13 — Cyber incident breakdown — Top five industry sectors

Chart 13 is a panel chart showing the type of cyber incident by top five industry sectors.

Table of chart data available soon.

Back to Chart 13

Chart 14 — Human error breakdown — Top five industry sectors

Chart 14 is a panel chart showing the type of human error by top five industry sectors.

Table of chart data available soon.

Back to Chart 14

Chart 15 — System fault breakdown — Top five industry sectors

Chart 15 is a clustered column chart showing the type of system fault by top five industry sectors.

Table of chart data available soon.

Back to Chart 15

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au