Data breach notifications continue to rise in Australia

06 September 2018

Cyber risk in Asia Pacific is of growing relevance. This year has seen a sharp rise in data breach notifications in Australia, as well as a large cyber attack in Singapore.

Data breach notifications in Australia have spiked since the country introduced the Notifiable Data Breaches (NDB) scheme on 22 February this year, which requires organisations to report breaches of personal data to the regulator and in some instances to data owners.

According to the latest figures from the Office of the Australian Information Commissioner (OAIC), there were 242 total data breaches reported in the quarter (April to June 2018) – a marked increase from the 63 data breaches reported in the first quarter, which covered the first six weeks of the NDB. This brings the total number of data breaches reported to 305, according to the OAIC’s second Quarterly Statistics Report.

The number of breaches notified under the NDB has steadily increased each and every month since the scheme commenced. There were 90 notifications in June alone, up on 87 in May and 65 in April. The majority of notifications in the quarter covered breaches affecting between one and 5,000 individuals (61% of data breaches affected fewer than 100 individuals), although one breach compromised the details of over one million individuals.

Almost half (49%) of the breaches notified in the quarter were related to the private health sector, followed by finance (36%), and professional services (20%). Malicious attacks made up 59% of the notifications, while human error was the cause of 36%, and systems error caused 5%.


Australia is not the only country in Asia Pacific facing data breaches. In July, details emerged of a massive cyber attack in Singapore, in what is believed to be the largest data breach in the country to date. Hackers reportedly stole the personal details and prescription records of some 1.5 million patients stored on the government health database, SingHealth.

The attack follows a massive data breach in 2017 that exposed 46 million personal records stolen from 12 Malaysian telecommunications companies. In March this year, Thai telecoms company True Corp revealed that a cyber attack had compromised the personal data of over 11,000 of its customers.

According to cyber security provider Trend Micro, Asia Pacific is the world’s top target for cyber criminals, who take advantage of outdated systems.

For example, the region experienced more ransomware attacks and online banking malware detections in the first six months of 2017 than any other region, Trend Micro says. Cyber security firm FireEye recently warned that Chinese state-sponsored hackers are likely to target companies and state agencies in Malaysia, after the country announced that it will review several major projects linked to China’s Belt and Road Initiative.



With 2017’s record-high number of cyber security complaints in Asia, businesses in the region are increasingly looking for cyber cover in the insurance market. Asian businesses are still comparatively slow in taking up cyber insurance. Compared to 66% of companies in the United States, only about 20% of companies in Asia are insured against cyber-attacks. Coming off this relatively low base, experts expect to see explosive annual growth in the region, with total premiums estimated to be valued at USD 50 million today and forecast to grow 10-fold by 2025 to USD 500 million.

Findings from a recent JLT Asia regional survey back up this trend. Last year, JLT Asia experienced a 95% growth in cyber insurance policies and 80% increase in premium. Over the past three years, the number of JLT clients purchasing cyber insurance protection has more than doubled and average limits have increased by 5% to circa USD 5 million. Average policy limits among the top five clients in Singapore alone have increased from USD 5 million to USD 15 million.

JLT Asia expects cyber uptake to increase further in 2018, as new regulatory changes in the region, specifically in Singapore, China and the Philippines, plus the extraterritorial reach of the EU GDPR, increase the liability risk landscape companies operate in, while business interruption risks only continue to grow.

Data protection regimes in Asia are generally less stringent than Europe and the US. However, several countries have added tougher cyber security and data protection requirements. Australia, South Korea, Taiwan, Indonesia and the Philippines all now have data breach notification requirements; while Japan and China are moving in a similar direction.


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on