OAIC: Australian data breaches rise in last 6 months of 2021

Latest privacy commission Notifiable Data Breaches report shines light on types of breaches occurring and issues warning to organisations to be more prompt in reporting issues

The latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breach Report has been released, highlighting a rise in incidents over the last six months of 2021 as well as the need for organisations to step up their reporting game.

In all, 464 data breach notifications were received by the OAIC between July and December 2021, an increase of 6 per cent over the previous reporting period. The highest number was recorded in the month of November. Overall, 900 data breaches were reported in Australia during 2021.

Of these, 55 per cent, or 256 notifications, related to malicious or criminal attacks. These remain the leading source of breaches but were down 9 per cent over the six-month period. Within this segment, cyber incidents represented the largest share at 68 per cent, with phishing accounting for the largest percentage of this pie (32 per cent). This was followed by compromised or stolen credentials (28 per cent) and ransomware (23 per cent).

By comparison, the OAIC reported a significant rise in breaches due to human error, which increased 43 per cent to 190 after a dip in the previous reporting period. Top causes of these breaches are personal information being sent to the wrong recipient (43 per cent), unintended release or publication (21 per cent) and loss of a data storage device or paperwork (8 per cent).

The third pot of breaches relates to system faults. These were down by 18 per cent compared to the previous reporting period.

Across industries, the health sector is the largest source of data breaches at 18 per cent. This was followed by finance (12 per cent). Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71 per cent), insurance (53 per cent) and personal services (50 per cent).  

Health service providers reported an equal number of breaches resulting from malicious or criminal attack and human error (47 per cent apiece). However, the OAIC noted that, unlike in previous reports, human error was the leading source of breaches for the finance sector (48 per cent). Human error also caused the majority of breaches experienced by education providers (75 per cent).

The most common type of personal data impacted is contact information, such as email addresses, name, home address and phone number. The OAIC pointed out this is distinct from identity information, which encompasses date of birth, driver's licence details and passport details. Across the six-month reporting period, identity information was exposed across 40 per cent of data breaches. Financial details were also exposed in 39 per cent of data breach instances.

As to their effect, the OAIC found 96 per cent of breaches affect fewer than 5000 individuals, while 71 per cent affect fewer than 100 people.

Three in four organisations reported the data breaches within the first 30 days, considered the outside limit for notifications by the OAIC. However, 28 organisations took more than 120 days from becoming aware of the incident to reporting the data breach. System fault breaches were usually the quickest to be reported, followed by human error then malicious or criminal attacks.  

Commenting on the findings, OAIC commissioner, Angelene Falk, urged organisations to put accountability at the centre of their information handling practices.  

“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said. “If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”  

The OAIC warned some organisations are falling short of the scheme’s assessment and notification requirements. Commissioner Falk said swift assessment and notification is required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11 per cent) in 2021 did not become aware of the incident for over a year.  

“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said. “Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”  

The OAIC’s Notifiable Data Breach scheme has been in play for four years and introduced new obligations for Australian Government agencies and private sector organisations that have existing information security obligations under the Privacy Act. The NDB scheme replaced the voluntary data breach notification scheme that had been in operation since 2008.
