Notifiable Data Breaches Report: July–December 2021

22 February 2022

Snapshot long text description

About this report

The Office of the Australian Information Commissioner (OAIC) periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to help entities and the public understand the operation of the scheme. This report captures notifications made under the NDB scheme from 1 July to 31 December 2021.

Statistical comparisons are to the previous 6-month period, unless otherwise indicated.

Figures in charts may not add up to a total of 100% due to the rounding up or down of the percentages for each category.

Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same incident. Notifications relating to the same incident are counted as a single notification in this report.

The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected. Source of breach categories are defined in the glossary at the end of this report.

Notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

NDB scheme statistics in this report are current as of 24 January 2022. However, a number of notifications included in these statistics are under assessment and their status and categorisation are subject to change. This may affect statistics for the period July to December 2021 that are published in future reports. Similarly, there may have been adjustments to statistics provided in previous NDB reports because of changes to the status or categorisation of individual notifications after publication. As a result, statistics from before July 2021 in this report may differ from statistics in previous NDB reports.

Executive summary

The NDB scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading sources of data breaches and highlight emerging issues and areas for ongoing attention by regulated entities.

Malicious or criminal attack
256
Down 9% from 281
Human error
190
Up 43% from 133
System fault
18
Down 18% from 22

Key findings for the July to December 2021 reporting period:

  • 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications in January to June 2021.
  • Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281.
  • Data breaches resulting from human error accounted for 190 notifications (41% of the total), up 43% in number from 133.
  • The health sector remains the highest reporting industry sector notifying 18% of all breaches, followed by finance (12%).
  • Contact information remains the most common type of personal information involved in breaches.
  • 96% of breaches affected 5,000 individuals or fewer, while 71% affected 100 people or fewer.
  • 75% of entities notified the OAIC within 30 days of becoming aware of an incident.

Notifications received July to December 2021 – All sectors

The OAIC received 464 notifications this reporting period. This is a 6% increase compared with the previous 6 months.

There was less variation from month to month in the number of notifications received compared with the previous reporting period. The lowest monthly total was 67 notifications in October and the highest was 84 notifications in November.

Table 1 – Notifications received in 2021

Reporting period

Total no. of notifications

January to June 2021

436

July to December 2021

464

2021

900

Chart 1 – Notifications received by month from January 2020 to December 2021

Chart 1 long text description

Chart 2 – Notifications received by month showing the sources of breaches

Chart 2 long text description

Number of individuals affected by breaches

Consistent with previous reports, most data breaches (96%) involved the personal information of 5,000 individuals or fewer. Breaches affecting 100 individuals or fewer comprised 71% of notifications and breaches affecting between 1 and 10 individuals accounted for 52% of notifications.

Chart 3 – Number of individuals affected by breaches

Note: These figures reflect the number of individuals worldwide whose personal information was compromised in these data breaches, as estimated by the notifying entities.

Chart 3 long text description

Kinds of personal information involved in breaches

Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches.

Most breaches (85%) involved contact information, such as an individual’s name, home address, phone number or email address.

This is distinct from identity information, which was exposed in 40% of data breaches and includes an individual’s date of birth, passport details and driver licence details. Financial details, such as bank account and credit card numbers, were involved in 39% of breaches.

Chart 4 – Kinds of personal information involved in breaches

Note: Data breaches may involve more than one kind of personal information.
* The notifying entity was still conducting its assessment of the breach, including the kinds of personal information involved, at the time it notified the OAIC.

Chart 4 long text description

Time taken to identify breaches

As part of complying with Australian Privacy Principle 11, entities should take reasonable steps to ensure they detect data breaches in a timely manner.

The figures in this section relate to the time between an incident occurring and the entity becoming aware of it. They do not relate to the time taken by the entity to assess whether an incident qualified as an eligible data breach. [1]

In the reporting period, 80% of breaches were identified by the entity within 30 days of it occurring, compared with 81% in January to June 2021.

Chart 5 – Days taken to identify breaches 

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.

Chart 5 long text description

The time it takes entities to identify data breaches has tended to vary significantly depending on the source of the breach. There was less variation this reporting period, however a notable proportion of entities that experienced system faults (11%) did not become aware of the incident for over a year.

Chart 6 – Days taken to identify breaches by source of breach

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.

Chart 6 long text description

Time taken to notify the OAIC of breaches

A key objective of the NDB scheme is to ensure that an entity that experiences a data breach provides timely notification to individuals at risk of serious harm from the breach. Delays in assessment and notification reduce the opportunity for an individual to take steps to prevent harm.

The figures in this section relate to the time between when an entity became aware of an incident and when they notified the OAIC. They do not relate to the time between when the entity determined the incident to be an eligible data breach and when they notified the OAIC.

In the reporting period, 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach, compared to 78% in the previous period. Twenty-seven entities took longer than 120 days from when they became aware of an incident to notify the OAIC.

In a number of instances, individuals were notified at the same time as or shortly after the OAIC. However, in others, there was a delay between when the entity notified the OAIC and when they notified individuals.

Chart 7 – Days taken to notify the OAIC of breaches

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Chart 7 long text description

There was some variance by source of breach in the time taken to notify the OAIC after an incident was identified. For system fault breaches, 89% of entities notified the OAIC within 30 days compared with 78% for human error breaches and 71% for breaches caused by malicious or criminal attacks.

Chart 8 – Days taken to notify the OAIC of breaches by source of breach

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Chart 8 long text description

Delayed and partial notifications

The Privacy Act is clear that an entity responding to a data breach should:

  • take all reasonable steps to complete its assessment of whether an incident amounts to an eligible data breach within 30 calendar days
  • notify the OAIC and affected individuals as soon as practicable after confirming there are reasonable grounds to believe an eligible data breach occurred.

As the risk of serious harm to individuals often increases with time, the OAIC expects that, where possible, entities treat the 30 days as a maximum time limit and try to complete the assessment in a much shorter timeframe.

Where an entity has taken over 30 days to complete its assessment, the entity should be able to provide an explanation to the OAIC for the delay.

The NDB scheme does not require entities to notify the OAIC of a data breach incident on a preliminary basis. Notifying the OAIC on a preliminary basis without having undertaken an appropriate assessment does not discharge an entity’s obligation to take steps to ensure the assessment is completed within 30 days.

The scheme provides 3 options for notification to individuals. An entity may:

  • notify each individual whose personal information has been involved in the eligible data breach
  • notify only individuals who are at risk of serious harm
  • if neither of these options are practicable, publish a statement on the eligible data breach on its website and publicise the statement.

Notifications must contain recommendations about steps individuals should take in response to the breach. The entity can tailor the recommended steps in its notification to individuals or provide general recommendations that apply to all individuals. The OAIC does not consider that tailoring notifications justifies delay in notifying affected individuals.

Scenario

An entity experienced a phishing attack and an employee’s email account was compromised.

The entity’s preliminary review of the contents of the compromised email account indicated that the account contained a large quantity of personal information, ranging from contact information to clients’ bank account details and picture copies of their driver licences and/or passports.

As the mailbox contained a large amount of documents, the entity determined it would take over 5 months to conduct a manual review of all documents contained in the mailbox to identify and tailor notifications to each individual at risk of serious harm.

On this basis, rather than taking additional time to tailor its notifications, the entity proceeded to promptly notify all affected individuals, providing general recommendations that applied to everyone whose personal information was contained in the mailbox.

Source of breaches

Consistent with previous reports, malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 256 breaches.

Human error remained a major source of breaches, accounting for 190 notifications, up from 133 notifications in the previous period.

System faults accounted for the remaining 18 breaches, down from 22.

Chart 9 – Source of data breaches

Chart 9 long text description

Malicious or criminal attack breaches

The number of breaches attributed to a malicious or criminal attack decreased by 9% from 281 notifications to 256, while the proportion of total breaches caused by malicious or criminal attack decreased from 64% to 55%.

The majority of breaches (68%) in this category involved cyber incidents (173 notifications). The remaining 32% of breaches resulted from social engineering or impersonation (30 notifications), theft of paperwork or data storage device (27 notifications) and actions taken by a rogue employee or insider threat (26 notifications).

Chart 10 – Breaches resulting from malicious or criminal attacks

Chart 10 long text description

Chart 11 – Breaches resulting from malicious or criminal attacks

Chart 11 long text description

Assessing the risk of serious harm

The question of whether ‘serious harm’ has occurred is central to the NDB scheme.

There is no strict definition of serious harm, however the Privacy Act outlines a range of factors to consider in assessing whether an incident is likely to result in serious harm.

Serious harm may include serious physical, psychological, emotional, financial or reputational harm.

Entities must assess the risk of serious harm holistically and take into account the likelihood of the harm occurring for individuals whose personal information was part of the data breach, as well as the range of factors outlined in section 26WG, including the nature of the harm.

Scenario

A malicious actor gained access to an email account of an organisation after an employee inadvertently entered their login credentials into a fraudulent website.

On investigation, the organisation discovered the malicious actor had used the employee’s email account in order to send invoices with fraudulent bank account details to the organisation’s clients. This resulted in one client making a payment to a fraudulent bank account.

The organisation’s review of the contents of the compromised email account indicated it contained clients’ bank account details and picture copies of driver licences and/or passports.

Through undertaking a holistic assessment, the organisation concluded that the data breach would be likely to result in serious harm to an individual whose personal information was contained in the email account, not only the client who made the payment or the clients who received fraudulent invoices, based on:

  • the malicious nature of the attack
  • the personal information contained in the email account and risk of identity theft or fraud to clients
  • the financial impact to at least one of its clients and the likelihood of further financial harm to other clients.

Cyber incident breaches

In this reporting period, 37% of all breaches (173 notifications) resulted from cyber security incidents.

The top sources of cyber incidents were phishing (55 notifications), compromised or stolen credentials (method unknown) (48 notifications) and ransomware (40 notifications).

Almost two-thirds (65%) of cyber incidents involved malicious actors gaining access to accounts using compromised or stolen credentials.

Ransomware incidents accounted for 40 notifications, down 11% from 45.

Chart 12 – Cyber incident breakdown

Chart 12 long text description

Human error breaches

The reporting period saw a significant increase in human error breaches both in terms of the total number of notifications received – up 43% from 133 to 190 – and proportionally – up from 31% to 41%.

Common examples of human error breaches include emailing personal information to the wrong recipient (43% of human error breaches), unintended release or publication of personal information (21%) and loss of paperwork or data storage device (8%).

Chart 13 – Human error breakdown

Chart 13 long text description

Certain human error breaches affect larger numbers of individuals. This reporting period, unintended release or publication affected an average 745 people per breach, while verbal disclosure affected one person on average per breach.

Table 2 – Human error breakdown by average number of affected individuals

Source of breach

No. of notifications received

Average no. of affected individuals

Unauthorised disclosure (unintended release or publication)

40

745

Failure to use BCC when sending email

14

492

PI sent to wrong recipient (email)

82

196

Loss of paperwork/data storage device

15

12

PI sent to wrong recipient (mail)

9

6

PI sent to wrong recipient (other)

7

3

Unauthorised disclosure (failure to redact)

14

3

Unauthorised disclosure (verbal)

9

1

System fault breaches

System fault breaches include incidents that occur due to a business or technology process error and accounted for 4% of notifications. The proportion of breaches attributed to system faults has been consistent since the NDB scheme began.

Unintended release or publication of personal information due to a system fault caused 13 breaches, while unintended access to personal information because of a system fault caused 5 breaches.

Chart 14 – System fault breakdown

Chart 14 long text description

Comparison of top industry sectors

Health service providers and the finance industry have consistently reported the most data breaches of all industry sectors since the NDB scheme began.

Health service providers reported 83 data breaches, or 18% of the total. The second largest source of notifications was the finance sector (12%).

This period saw personal services (8%) and education (7%) return to the top industry sectors by notifications.

Table 3 – Top industry sectors by notifications

Industry sector

Total no. of notifications

Health service providers [2]

83

Finance [3]

56

Legal, accounting & management services

51

Personal services [4]

36

Insurance

32

Education [5]

32

This section compares notifications made under the NDB scheme by these sectors, which accounted for 63% of all notifications.

Time taken to identify breaches – Top industry sectors

Consistent with previous reports, there was some variation by industry sector in the time taken by entities to identify incidents.

In the reporting period, 91% of education providers identified the incident within 30 days of it occurring. This figure was 66% for the insurance sector.

Chart 15 – Days taken to identify breaches – Top  industry sectors

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.

Chart 15 long text description

Time taken to notify the OAIC of data breaches – Top industry sectors

There was also some variation by industry sector in the time taken by entities to notify the OAIC of a data breach.

Ninety-one per cent of notifications from education providers were made within 30 days of the entity becoming aware of the incident. This figure was 72% for the insurance sector.

Chart 16 – Days taken to notify the OAIC of data breaches – Top  industry sectors

Note: For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Chart 16 long text description

Source of breaches – Top industry sectors

The most common source of data breaches varied for the top industry sectors.

Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71%), insurance (53%) and personal services (50%).

Health service providers reported an equal number of breaches resulting from malicious or criminal attack and human error (47% each).

Unlike previous reports, human error was the leading source of breaches for the finance sector (48%). Human error also caused the majority of breaches experienced by education providers (75%).

Chart 17 – Source of data breaches – Top industry sectors

Chart 17 long text description

Malicious or criminal attack breaches – Top  industry sectors

Chart 18 – Malicious or criminal attacks breakdown – Top  industry sectors

Chart 18 long text description

Cyber incident breaches – Top industry sectors

Chart 19 – Cyber incident breakdown – Top industry sectors

Chart 19 long text description

Human error breaches – Top industry sectors

Chart 20 – Human error breakdown – Top industry sectors

Chart 20 long text description

System fault breaches – Top industry sectors

Of the top industry sectors, all except insurance notified data breaches resulting from a system fault.

Most system fault breaches involved the unintended release or publication of personal information, such as automated messages sent to incorrect recipients or online forms or profiles automatically populated with incorrect personal information.

Chart 21 – System fault breakdown – Top industry sectors

Note: Insurance did not report any system faults.

Chart 21 long text description

Glossary

Term

Definition

Personal information (PI)

Information or an opinion about an identified individual, or an individual who is reasonably identifiable

Sensitive information

Sensitive information is personal information that includes information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions or associations
  • religious or philosophical beliefs
  • trade union membership or associations
  • sexual orientation or practices
  • criminal record
  • health or genetic information

some aspects of biometric information.

Financial details

Information relating to an individual’s finances, for example, bank account or credit card numbers

Tax file number (TFN)

An individual’s personal reference number in the tax and superannuation systems, issued by the Australian Taxation Office

Identity information

Information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier

Contact information

Information that is used to contact an individual, for example, a home address, phone number or email address

Health information

As defined in section 6 of the Privacy Act

Other sensitive information

Sensitive information, other than health information, as defined in section 6 of the Privacy Act. For example, sexual orientation, political or religious views

APP entity

An agency or organisation that is subject to the Privacy Act

Managed service provider (MSP)

A managed service provider (MSP) is a business that delivers services relating to IT infrastructure or end user systems to customers

Human error

An unintended action by an individual directly resulting in a data breach, for example inadvertent disclosure caused by sending a document containing personal information to the incorrect recipient

PI sent to wrong recipient (email)

Personal information sent to the wrong recipient via email, for example, as a result of a misaddressed email or having a wrong address on file

PI sent to wrong recipient (fax)

Personal information sent to the wrong recipient via facsimile machine, for example, as a result of an incorrectly entered fax number or having a wrong fax number on file

PI sent to wrong recipient (mail)

Personal information sent to the wrong recipient via postal mail, for example, as a result of a transcribing error or having a wrong address on file

PI sent to wrong recipient (other)

Personal information sent to the wrong recipient via channels other than email, fax or mail, for example, delivery by hand or uploading to web portal

Failure to use BCC when sending email

Sending an email to a group by including all recipient emails addresses in the ‘To’ field, thereby disclosing all recipient email address to all recipients

Insecure disposal

Disposing of personal information in a manner that could lead to its unauthorised disclosure, for example, using a public rubbish bin to dispose of customer records instead of a secure document disposal bin

Loss of paperwork/data storage device

Loss of a physical asset containing personal information, for example, leaving a folder or a laptop on a bus

Unauthorised disclosure (failure to redact)

Failure to effectively remove or de-identify personal information from a record before disclosing it

Unauthorised disclosure (verbal)

Disclosing personal information verbally without authorisation, for example, calling it out in a waiting room

Unauthorised disclosure (unintended release or publication)

Unauthorised disclosure of personal information in a written format, including paper documents or online

Malicious or criminal attack

A malicious or criminal attack deliberately crafted to exploit known vulnerabilities for financial or other gain

Theft of paperwork or data storage device

Theft of paperwork or data storage device

Social engineering/impersonation

An attack that relies heavily on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations

Rogue employee/insider threat

An attack by an employee or insider acting against the interests of their employer or other entity

Cyber incident

A cyber incident targets computer information systems, infrastructures, computer networks or personal computer devices

Malware

Short for ‘malicious software’. A software used to gain unauthorised access to computers, steal information and disrupt or disable networks. Types of malware include trojans, viruses and worms

Ransomware

Malicious software that makes data or systems unusable until the victim makes a payment

Phishing (compromised credentials)

Untargeted, mass messages sent to many people asking for information, encouraging them to open a malicious attachment, or visit a fake website that will ask the user to provide information or download malicious content

Brute-force attack (compromised credentials)

A typically unsophisticated and exhaustive process to determine a cryptographic key or password that proceeds by systematically trying all alternatives until it discovers the correct one

Compromised or stolen credentials (method unknown)

Credentials are compromised or stolen by methods unknown

Hacking (other means)

Unauthorised access to a system or network (other than by way of phishing, brute-force attack or malware), often to exploit a system’s data or manipulate its normal behaviour

Business email compromise

A form of cybercrime that uses email fraud to attack business, government and non-profit organisations to achieve a specific outcome that negatively impacts the target organisation

System fault

A business or technology process error not caused by direct human error

Back to About this report

Long text descriptions

Snapshot

The snapshot is an infographic with key statistics for the July to December 2021 reporting period.

The OAIC received 464 notifications, which is up 6%.

There were 76 notifications in July, 74 in August, 80 in September, 67 in October, 84 in November and 83 in December.

The top industry sectors to notify data breaches were:

  • health service providers – 83 notifications
  • finance – 56 notifications
  • legal, accounting and management services – 51 notifications
  • personal services – 36 notifications
  • education – 32 notifications
  • insurance – 32 notifications.
  • Seventy-one per cent of data breaches affected 100 people or fewer.
  • The sources of data breaches were:
  • malicious or criminal attack – 55%
  • system fault – 4%
  • human error – 41%.

Thirty-seven per cent of all data breaches (173 notifications) resulted from cyber security incidents.

  • The breakdown of cyber incidents was:
  • phishing (compromised credentials) – 32%
  • compromised or stolen credentials (method unknown) – 28%
  • ransomware – 23%
  • hacking – 8%
  • brute-force attack (compromised credentials – 5%.
  • The top causes of human error breaches were:
  • personal information emailed to wrong recipient – 43%
  • unintended release or publication – 21%
  • loss of paperwork or data storage device – 8%.

Back to Snapshot

Chart 1 — Notifications received by month from January 2020 to December 2021

Chart 1 is a line graph showing the number of notifications by month, from January 2020 to December 2021.

Month

Number of notifications

January 2020

63

February 2020

80

March 2020

85

April 2020

81

May 2020

119

June 2020

74

July 2020

101

August 2020

106

September 2020

103

October 2020

77

November 2020

59

December 2020

82

January 2021

45

February 2021

83

March 2021

102

April 2021

64

May 2021

77

June 2021

65

July 2021

76

August 2021

74

September 2021

80

October 2021

67

November 2021

84

December 2021

83

Back to Chart 1

Chart 2 – Notifications received by month showing the sources of breaches

Chart 2 is a stacked column chart showing the number of notifications by month, from July to December 2021. Each column is broken down by malicious or criminal attack, human error and system fault, but figures are not specified for each category.

Month

Number of notifications

July 2021

76

August 2021

74

September 2021

80

October 2021

67

November 2021

84

December 2021

83

Back to Chart 2

Chart 3 – Number of individuals affected by breaches

Chart 3 is a column chart showing the number of individuals worldwide whose personal information was compromised in data breaches, as estimated by the notifying entities.

The table is displayed from smallest to largest number of affected individuals.

Number of affected individuals

Number of notifications

1

147

2 to 10

95

11 to 100

88

101 to 1,000

87

1,001 to 5,000

27

5,001 to 10,000

8

10,001 to 25,000

7

25,001 to 50,000

2

50,001 to 100,000

2

100,001 to 250,000

0

250,001 to 500,000

0

500,001 to 1,000,000

0

1,000,001 to 10,000,000

1

10,000,001 or more

0

Back to Chart 3

Chart 4 – Kinds of personal information involved in breaches

Chart 4 is a column chart showing the number of notifications for each kind of personal information involved in data breaches.

Data breaches may involve more than one kind of personal information.

The table is displayed from most to least notifications.

For notifications in the ‘Under review’ category, the notifying entity was still conducting its assessment of the breach, including the kinds of personal information involved, at the time it notified the OAIC.

Kind of personal information

Number of notifications

Contact information

396

Identity information

185

Financial details

183

Health information

120

Tax file numbers

82

Other sensitive information

63

Under review

2

Back to Chart 4

Chart 5 – Days taken to identify breaches

Chart 5 is a doughnut chart showing the time taken by entities to identify breaches.

The table is displayed from least to most days taken to identify breaches.

For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.

Days taken to identify breaches

Percentage

<30

80%

31–60

5%

61–120

6%

121–365

4%

>365

4%

Unknown

1%

Back to Chart 5

Chart 6 – Days taken to identify breaches by source of breach

Chart 6 is a clustered column chart showing the time taken by entities to identify breaches by source of breach.

The table is displayed from least to most days taken to identify breaches.

For notifications in the ‘Unknown’ category, the notifying entity was unable to identify the date the breach occurred.

Days taken to identify breaches

Malicious or   criminal attack

Human error

System fault

<30

82%

77%

78%

31–60

4%

6%

6%

61–120

6%

7%

0%

121–365

4%

4%

6%

>365

3%

5%

11%

Unknown

1%

1%

0%

Back to Chart 6

Chart 7 – Days taken to notify the OAIC of breaches

Chart 7 is a doughnut chart showing the time taken by entities to notify the OAIC of breaches after becoming aware of the incident.

The table is displayed from least to most days taken to notify the OAIC of breaches.

For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Days taken to notify the OAIC of breaches

Percentage

<30

75%

31–60

13%

61–120

6%

121–365

6%

>365

0%

Unknown

0%

Back to Chart 7

Chart 8 – Days taken to notify the OAIC of breaches by source of breach

Chart 8 is a clustered column chart showing the time taken by entities to notify the OAIC of breaches after becoming aware of the incident, by source of breach.

The table is displayed from least to most days taken to notify the OAIC of breaches.

For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Days taken to notify the OAIC of breaches

Malicious or   criminal attack

Human error

System fault

<30

71%

78%

89%

31–60

14%

12%

0%

61–120

7%

4%

0%

121–365

6%

5%

11%

>365

0%

1%

0%

Back to Chart 8

Chart 9 – Source of breaches

Chart 9 is a doughnut chart showing the source of data breaches.

The table is displayed from most to least notifications.

Source of data breach

Percentage

Malicious or criminal attack

55%

Human error

41%

System fault

4%

Back to Chart 9

Chart 10 – Malicious or criminal attacks

Chart 10 is a doughnut chart showing the breakdown of breaches resulting from malicious or criminal attacks.

The table is displayed from most to least notifications.

Malicious or criminal attack type

Percentage

Cyber incident

68%

Social engineering/impersonation

12%

Theft of paperwork or data storage device

11%

Rogue employee/insider threat

10%

Back to Chart 10

Chart 11 – Breaches resulting from malicious or criminal attacks

Chart 11 is a clustered column chart showing the breakdown of breaches resulting from malicious or criminal attacks for the periods January to June 2021 and July to December 2021.

Malicious or criminal attack type

January to June 2021

July to December 2021

Cyber incident

188

173

Social engineering/impersonation

35

30

Theft of paperwork or data storage device

31

27

Rogue employee/insider threat

27

26

Back to Chart 11

Chart 12 – Cyber incident breakdown

Chart 12 is a doughnut chart showing the breakdown of cyber incidents.
The table is displayed from most to least notifications.

Cyber incident type

Percentage

Phishing (compromised credentials)

32%

Compromised or stolen credentials (method unknown)

28%

Ransomware

23%

Hacking

8%

Brute-force attack (compromised credentials)

5%

Malware

3%

Other

1%

Back to Chart 12

Chart 13 – Human error breakdown

Chart 13 is a clustered column chart showing the breakdown of breaches resulting from human error for the periods January to June 2021 and July to December 2021.

Human error type

January to June 2021

July to December 2021

PI sent to wrong recipient (email)

55

82

Unauthorised disclosure (unintended release or publication)

31

40

Loss of paperwork/data storage device

8

15

Failure to use BCC when sending email

11

14

Unauthorised disclosure (failure to redact)

8

14

PI sent to wrong recipient (mail)

9

9

Unauthorised disclosure (verbal)

2

9

PI sent to wrong recipient (other)

9

7

Back to Chart 13

Chart 14 – System fault breakdown

Chart 14 is a clustered column chart showing the breakdown of breaches resulting from system faults for the periods January to June 2021 and July to December 2021.

The table is displayed from most to least notifications.

System fault type

January to June 2021

July to December 2021

Unintended release or publication

17

13

Unintended access

5

5

Back to Chart 14

Chart 15 – Days taken to identify breaches – Top industry sectors

Chart 15 is a clustered column chart showing the time taken by entities in the top industry sectors to identify breaches.

The table is displayed from least to most days taken to identify breaches.

Days taken to identify breaches

Health service   providers

Finance

Legal, accounting & management services

Personal services

Education

Insurance

<30

82%

82%

80%

89%

91%

66%

31–60

5%

5%

10%

3%

3%

3%

61–120

4%

5%

8%

3%

3%

16%

121–365

5%

4%

2%

0%

0%

9%

>365

4%

2%

0%

6%

3%

6%

Unknown

1%

2%

0%

0%

0%

0%

Back to Chart 15

Chart 16 – Days taken to notify the OAIC of data breaches – Top industry sectors

Chart 16 is a clustered column chart showing the time taken by entities in the top industry sectors to notify the OAIC of breaches after becoming aware of the breach.

The table is displayed from least to most days taken to notify the OAIC of breaches.

For notifications in the ‘Unknown’ category, the notifying entity was unable to advise the OAIC the date it became aware of the incident.

Days taken to notify the OAIC of breaches

Health service   providers

Finance

Legal, accounting & management services

Personal services

Education

Insurance

<30

82%

79%

76%

81%

91%

72%

31–60

8%

11%

14%

17%

6%

25%

61–120

6%

4%

8%

3%

0%

3%

121–365

2%

7%

2%

0%

3%

0%

Unknown

1%

0%

0%

0%

0%

0%

Back to Chart 16

Chart 17 – Source of data breaches – Top industry sectors

Chart 17 is a clustered column chart showing the source of breaches by industry sector.

Source of breach

Health service providers

Finance  

Legal, accounting & management services

Personal services

Education

Insurance

Malicious or criminal attack

39

24

36

18

7

17

Human error

39

27

14

15

24

15

System fault

5

5

1

3

1

0

Back to Chart 17

Chart 18 – Malicious or criminal attacks breakdown – Top industry sectors

Chart 18 is a panel chart showing the breakdown of breaches resulting from malicious or criminal attacks by top industry sectors.

Malicious or criminal attack type

Health service providers

Finance

Legal, accounting   & management services

Personal services

Education

Insurance

Cyber incident

22

10

31

13

5

3

Social engineering/ impersonation

1

6

0

1

0

13

Rogue employee/   insider threat

9

6

2

1

0

1

Theft of paperwork or data storage device

7

2

3

3

2

0

Total

39

24

36

18

7

17

Back to Chart 18

Chart 19 – Cyber incident breakdown – Top industry sectors

Chart 19 is a panel chart showing the breakdown of breaches resulting from cyber incidents by top industry sectors.

Cyber incident type

Health service providers

Finance

Legal, accounting   & management services

Personal services

Education

Insurance

Phishing

8

3

10

4

2

1

Compromised or   stolen credentials

8

4

6

0

3

1

Ransomware

4

1

9

3

0

0

Hacking

1

1

4

3

0

0

Brute-force attack

1

0

1

2

0

1

Malware

0

1

1

1

0

0

Total

22

10

31

13

5

3

Back to Chart 19

Chart 20 – Human error breakdown – Top industry sectors

Chart 20 is a panel chart showing the breakdown of breaches resulting from human error by top industry sectors.

Human error type

Health service providers

Finance

Legal, accounting   & management services

Personal services

Education

Insurance

PI sent to wrong   recipient (email)

15

12

12

5

13

5

Unauthorised   disclosure (unintended release or publication)

4

3

1

5

7

3

Loss of   paperwork/data storage device

7

3

1

2

2

0

PI sent to wrong recipient (mail)

2

3

0

1

0

2

Unauthorised   disclosure (failure to redact)

3

3

0

0

1

1

Unauthorised   disclosure (verbal)

2

1

0

0

0

4

Failure to use BCC when sending email

4

0

0

2

1

0

PI sent to wrong   recipient (other)

2

2

0

0

0

0

Total

39

27

14

15

24

15

Back to Chart 20

Chart 21 – System fault breakdown – Top industry sectors

Chart 21 is a clustered column chart showing the breakdown of breaches resulting from system faults by the top industry sectors.

Insurance did not report any system faults.

System fault type

Health service providers

Finance

Legal, accounting & management services  

Personal services

Education

Unintended access

2

0

0

1

0

Unintended release or publication

3

5

1

2

1

Back to Chart 21



[1] The Privacy Act requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must prepare a statement and provide a copy to the OAIC as soon as practicable.

[2] A health service provider generally includes any private sector entity that provides a health service within the meaning of section 6FB of the Privacy Act, regardless of annual turnover.

[3] This sector includes banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers (regardless of annual turnover).

[4] This sector includes employment, training and recruitment agencies, childcare centres, vets and community services.

[5] This sector includes private education providers only.