Email highlighted as a key risk for data breaches

28 February 2020

Malicious or criminal attacks including cyber incidents remain the leading cause of data breaches involving personal information in Australia, with almost one in three breaches linked to compromised login credentials, a new report shows.

This includes phishing attacks, which caused at least 15 per cent of data breaches notified to the Office of the Australian Information Commissioner (OAIC) from July to December 2019.

The OAIC’s latest Notifiable Data Breaches (NDB) Report warns organisations about the risks associated with storing sensitive personal information in email accounts.

Australian Information Commissioner and Privacy Commissioner Angelene Falk also highlighted the risk of harm to individuals whose personal information is emailed to the wrong recipient (9% of all breaches).

“The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches,” Commissioner Falk said.

“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts.

“Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.

“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”

Personal information stored in email accounts can include financial information, tax file numbers, identity documents and health information, which can be exploited by malicious actors who gain access to inboxes.

In other key findings of the report:

  • 537 data breaches were notified to the OAIC during the reporting period, a 19 per cent increase on the previous six months
  • Malicious or criminal attacks (including cyber incidents) accounted for 64% of all data breaches
  • Human error remained a key factor in data breaches, causing 32% of NDBs
  • Health service providers remained the leading source of NDBs over the six-month period, notifying 22% of all breaches. The OAIC has jointly developed an action plan to help the health sector contain and manage data breaches and implement continued improvement
  • Finance is the second highest reporting sector, notifying 14% of all breaches
  • Most data breaches affected fewer than 100 individuals, in line with previous reporting periods.

Commissioner Falk said the NDB scheme is now well established as an effective reporting mechanism.

“There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies,” Commissioner Falk said.

“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised.”

Read the Notifiable Data Breaches Report for July-December 2019 at

The health sector data breach action plan was developed with the Australian Digital Health Agency, Australian Cyber Security Centre and Services Australia. It can be downloaded at

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency established to promote and uphold privacy and information access rights. It has a range of regulatory responsibilities and powers under the Freedom of Information Act 1982, Privacy Act 1988 and Australian Information Commissioner Act 2010.

Media contact: Andrew Stokes, 0407 663 968