59% of Q2 breaches in Australia were malicious or criminal attacks

The OAIC (Office of the Australian Information Commissioner) has released its Notifiable Data Breaches Quarterly Statistics Report for Q2 (1 April – 30 June 2018), which examines the current state of data breaches in Australia under the NDB (Notifiable Data Breaches) scheme.

What is the NDB scheme?

The NDB scheme has placed a considerable responsibility on Australian organisations that process personal data.

Data subjects must be informed of incidents in which unauthorised access to, or loss or disclosure of, their personal information is likely to result in serious harm to them that cannot be prevented with remedial action. The Australian Information Commissioner must also be informed.

Find out more about the NDB scheme >>

Key findings of the report

The OAIC has received a total of 305 notifications since the scheme commenced on 22 February 2018, including 242 during Q2.

Most of the breaches involved contact information (89%), such as email address or phone number, and financial details (42%), such as bank account or credit card numbers.

Of those:

  • 59% were malicious or criminal attacks;
  • 36% were the result of human error; and
  • 5% were system faults.

The majority of malicious or criminal breaches were linked to the compromise of usernames and passwords.

Sending emails containing personal information to the wrong recipient was the most common human error.

The largest source of data breaches came from private health service providers (20%), followed by finance (15%), legal, accounting and management services (8%) and the private education sector (8%).

Read the report >>

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said: “Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met.

“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.

“Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”

Strategies to prevent data breaches

ISO 27001 is the international standard that describes best practice for an ISMS (information security management system), a system of processes, documents, technology and people that helps an organisation manage, monitor and improve its information security.

Implementing an ISO 27001-compliant ISMS ensures organisations have strategies in place to help protect themselves from the growing threat of cyber attacks.

ISO 27001 not only protects an organisation’s information and intellectual property rights but also safeguards its reputation and helps it avoid financial penalties. For example, failure to comply with the NDB scheme could result in fines of up to $2.1 million.

If you are new to the Standard, download a free copy of our green paper Information Security & ISO 27001: An introduction >>

Conducting staff awareness training is vital to reduce risks

The OAIC also said: “The risks of these types of data breaches can be greatly reduced by ensuring that staff responsible for handling personal information receive regular training.”

A significant element of an ISO 27001-compliant ISMS is conducting staff awareness training to ensure employees have a good understanding of information security risks and compliance requirements to reduce the organisation’s exposure to security threats.

IT Governance’s Information Security & ISO27001 Staff Awareness E-learning Course is a quick, affordable and effective way to deliver staff awareness training across an organisation.


Reduce the risk of staff-related information security incidents with staff awareness training.