Australian notifications remain at elevated levels

05 December 2018

Data breaches notified to the Office of the Australian Information Commissioner (OAIC) remain at elevated levels, with hundreds of breaches reported since the country’s Notifiable Data Breaches (NDB) scheme went live on 22 February 2018.

The latest statistics from the OAIC show that Australian organisations reported 245 data breaches between July and September this year, compared with 242 in the prior three months. Combined with the 63 data breaches notified in February and March, the OAIC has had to deal with a total of 550 breaches under the NDB scheme.

Some 57% of the breaches in the last three months were from malicious data or criminal attacks, while 37% were the result of human error (20% of data breaches over the quarter occurred when personal information was sent to the wrong recipient). Most data breaches (63%) in the period involved the personal information of 100 individuals or fewer. 85% of the breaches involved contact details, while 45% contained financial information.

Of the 139 data breaches from a malicious or criminal attack, 69% involved cyber incidents, while many involved the exploitation of vulnerabilities involving a human factor – over half involved a phishing email - as well as incidents involving malware, ransomware and hacking by other means.

The OAIC annual report, released shortly before the quarterly figures, showed the contrast of notifications under the mandatory scheme versus the previous voluntary arrangement. The regulator received 305 reports under the NDB scheme between February and June 2018, compared to 114 voluntary reports in 2016–17.


Data breach laws, including notification and reporting requirements, continue to tighten around the world. Canada became the latest country to introduce a mandatory breach notification scheme on 1 November, following wide ranging data protection and notification requirements in the EU under the GDPR, which was implemented in May 2018.

In the US a number of states, including Arizona, Vermont and Colorado, have bolstered their existing data breach notification requirements. In 2017, Weight states expanded their data breach notification laws. On 1 September 2018, Colorado enacted some of the most rigorous data breach notification laws yet, broadening the definition of “personally identifiable information”. It also imposed a 30-day breach notification deadline.

In June, California passed laws that would introduce data privacy rights, similar to those found in the GDPR. Following a number of large data breaches in recent years, calls for a federal privacy law have also increased. Republican Will Hurd, the chairman of the Information Technology Subcommittee of the House’s Committee on Oversight and Government Reform, said recently that a US version of GDPR was a possibility. In November, Senator Ron Wyden said he will introduce a bill to introduce tougher privacy rules to curb the misuse of consumer data. 

The Consumer Data Protection Act would give the Federal Trade Commission the authority to fine companies up to 4% of revenue and jail executives who mishandle consumer data. 

Download cyber decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on