OAIC: Australian data breaches rise in last 6 months of 2021

Latest privacy commission Notifiable Data Breaches report shines light on types of breaches occurring and issues warning to organisations to be more prompt in reporting issues

The latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach Report has been released, highlighting a rise in incidents over the last six months of 2021 as well as the need for organisations to step up their reporting game.

In all, 464 data breach notifications were received by the OAIC between July and December 2021, an increase of 6 per cent over the previous reporting period. The highest number were recorded in the month of November. Overall, 900 data breaches were reported in Australia during 2021.  

Of these, 55 per cent, or 256 notifications, related to malicious or criminal attacks. These remain the leading source of breaches but were down 9 per cent over the six-month period. Within this segment, cyber incidents represented the largest share at 68 per cent, with phishing accounting for the largest percentage of this pie (32 per cent). This was followed by compromised or stolen credentials (28 per cent) and ransomware (23 per cent).

By comparison, OAIC reported a significant increase in breaches due to human error, which rose 43 per cent to 190 after a dip in the previous reporting period. Top causes of these breaches are personal information being sent to the wrong recipient (43 per cent), unintended release or publication (21 per cent) and loss of data storage device or paperwork (8 per cent).

The third pot of breaches relates to system faults. These were down by 18 per cent compared to the previous reporting period.

Across industries, the health sector is the largest source of data breaches at 18 per cent. This was followed by finance (12 per cent). Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71 per cent), insurance (53 per cent) and personal services (50 per cent).  

Health service providers reported an equal number of breaches resulting from malicious or criminal attack and human error (47 per cent apiece). However, the OAIC noted that, unlike in previous reports, human error was the leading source of breaches for the finance sector (48 per cent). Human error also caused the majority of breaches experienced by education providers (75 per cent).

The most common type of personal data impacted is contact information, such as email addresses, name, home address and phone number. The OAIC pointed out this is distinct from identity information, which encompasses date of birth, driver's licence details and passport details. Across the six-month reporting period, identity information was exposed across 40 per cent of data breaches. Financial details were also exposed in 39 per cent of data breach instances.

As to their effect, the OAIC found 96 per cent of breaches affect fewer than 5000 individuals, while 71 per cent affect fewer than 100 people.

Three in four organisations reported the data breaches within the first 30 days, considered the outside limit for notifications by the OAIC. However, 28 organisations took more than 120 days from becoming aware of the incident to reporting the data breach. System fault breaches were usually the quickest to be reported, followed by human error then malicious or criminal attacks.  

Commenting on the findings, OAIC commissioner, Angelene Falk, urged organisations to put accountability at the centre of their information handling practices.  

“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said. “If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”  

The OAIC warned some organisations are falling short of the scheme’s assessment and notification requirements. Commissioner Falk said swift assessment and notification is required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11 per cent) in 2021 did not become aware of the incident for over a year.  

“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said. “Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”  

The OAIC’s Notifiable Data Breach scheme has been in play for four years and introduced new obligations for Australian Government agencies and private sector organisations that have existing information security obligations under the Privacy Act. The NDB scheme replaced the voluntary data breach notification scheme that had been in operation since 2008.
