Learning from others: Notifiable data breach – latest quarterly figures

Since the commencement of the Notifiable Data Breach (NBD) scheme under the Privacy Act 1988 (Cth) in February 2018, the Office of the Australian Information Commissioner (OAIC) has been publishing reports on quarterly statistics relating to notifiable data breaches. We outlined last quarter’s NBD statistics report in Data at Risk? Latest Quarterly Figures from the Office of the Information Commissioner.

Types of NDB

The latest quarterly figures depict that there is an increase of NDBs from 245 in July to September 2018 to 262 in October to December 2018.1

By type, NDBs caused by human error has decreased from 37% to 33%, malicious or criminal attacks rose from 57% to 64% and systems faults have decreased from 6% to 3%.2

Of the malicious or criminal attacks, 68% of these related to cyber incidents.3 Phishing, once again, was the highest type of cyber incident breach this quarter, comprising 43% of all cyber incidents notified.4

Although NDBs caused by human error decreased compared to last quarter, within this category, the average number of individuals affected per breach, for unintended release or publication of personal information, rose significantly from an average of 633 persons affected per notification to 17,746 persons affected per notification.5

Conversely, whilst the number of notifications for failure to use blind carbon copy increased this quarter from 6 to 9, the average number of affected individuals per notification decreased from 494 to 234.6

As with the last quarter, unintended release or publication was the highest of the types of system faults.7

By industry sector

The top four sectors that reported NBDs remained the same this quarter, being, in order:

  1. Health service providers;
  2. Finance;
  3. Legal, accounting and management services; and
  4. Education.8

Mining and manufacturing took fifth place over personal services from last quarter.9 Notably, within the finance sector, malicious and criminal attacks increased from 46% to 70% of all notifications in this sector.10 Although not the largest contributor in health services (which is still human error at 54% of all NDBs within the sector), malicious and criminal attacks have increased from 42% to 46% this quarter.11


It is important for organisations to learn from the notifications of the NDBs that took place this quarter and recognise potential risk areas that may need to be addressed. An organisation should turn its mind to the potential loss of market share, profitability and other losses that may result from any notifiable or other data breach.

Organisations should also consider, amongst other things, further training for users and staff, implementing cyber specific system software to protect their systems and data, and consider obtaining cyber insurance as a last means of resort to reduce and manage potential risk.


1 Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018 (Report, 30 October 2018) 4 (‘July – September Quarterly Report’); Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report 1 October – 31 December 2018 (Report, 7 February 2019) 4 (‘October – December Quarterly Report’).
2 July – September Quarterly Report (n 1) 3; October – December Quarterly Report (n 1) 3.
3 October – December Quarterly Report (n 1) 10.
4 Ibid 11.
5 July – September Quarterly Report (n 1) 9; October – December Quarterly Report (n 1) 9.
6 July – September Quarterly Report (n 1) 9; October – December Quarterly Report (n 1) 9.
7 July – September Quarterly Report (n 1) 12; October – December Quarterly Report (n 1) 12.
8 July – September Quarterly Report (n 1)13; October – December Quarterly Report (n 1) 13.
9 July – September Quarterly Report (n 1) 13; October – December Quarterly Report (n 1) 13.
10 July – September Quarterly Report (n 1) 23; October – December Quarterly Report (n 1) 23.
11 July – September Quarterly Report (n 1) 27; October – December Quarterly Report (n 1) 27.

Related News

What happens if you, as an insurer, have not yet concluded whether or not to indemnify an insured, and a third party commences Court proceedings against your insured (with the indemnity decision still pending)?

When these types of claims arise, an insurer (and its panel firm) can continue to act for an insured on a “reservation of rights” basis.

Read More

Can you sue if a “registered” company is “in liquidation”, “under administration” or has become “deregistered”? 

It is common to see Court proceedings commenced in the name of an individual or against an individual.   But sometimes, Court proceedings are commenced by

Read More

The Briginshaw-test

Did you know that the Briginshaw-test requires a higher standard of evidence in civil matters where serious allegations are made, such as fraud. This principle

Read More

Get in touch

Contact our team today

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers


Level 22
66 Goulburn Street


Level 21
535 Bourke Street


Level 8
300 Ann Street


Level 19
Singapore Land Tower
50 Raffles Place