Employees Cause Majority of Notifiable Data Breaches

Employees Cause Over 50% of Data Breaches Reported to the OAIC

The Office of the Australian Information Commissioner has revealed it has received 63 reports of data breaches since the Notifiable Data Breaches Scheme commenced just over 6 weeks ago on 22 February 2018.  The figure was released as part of the OAIC’s first quarterly report into the NDB Scheme.

Importantly, the report highlights the need for organisations to ensure all employees are properly trained about appropriate data security and safety practices, with just over half of reported notifiable data breaches (NDBs) during the quarter the result of human error.

Human error was closely followed by malicious or criminal attacks as the source of the data breach.   Malicious criminal attacks usually involve the theft of personal information, or cyber security incidents resulting from unauthorised access to an entity’s system. This comes as no surprise following several reports of Australian businesses targeted by Russian-backed cyber-attacks earlier this month.  Only 3% of eligible data breaches were as the result of system faults.

Topping the list of sectors that notified the OAIC of eligible data breaches was Health Service Providers, making up 24% of the notifications during the quarter.  Not far behind, was Legal and Management Services, which reported 16% of the data breaches during the quarter.  Other sectors that provided notifications of eligible data breaches to the OAIC included Finance (13%), Private Education (10%) and Charities (6%).

The scale of reported NDBs was relatively small; with 73% of reported NDBs involving the personal information of fewer than 100 individuals.  Just over half of the reported NDBs effected between 1 and 9 individuals.  Of the reported NDBs, 9.5% effected over 1,000 individuals, and just under 5% effected between 10,000-99,999 individuals.

The majority of data breaches (78%) involved individuals’ ‘contact information’, such as name, email address, home address or phone number. Just under a quarter (24%) of reported NDBs involved ‘identity information’ or information used to confirm an individual’s identity, such as driver licence numbers and passport numbers. Of the reported NDBs, 33% involved health information, 30% involved financial details, and 14% involved TFNs.


The Notifiable Data Breaches Quarterly Statics Report: January 2018 – March 2018 can be accessed here.