Just under 1,000 (964) ‘eligible’ breaches were reported in NDB (Notifiable Data Breaches) law’s first 12 months, a 712 percent increase compared with the final year of the previous voluntary scheme.

However, over the last quarter (January-March 19), only 215 incidences were reported, a significant 14 percent drop compared with the previous October-December period.

October-December was unusually high, however, with 262 notifications compared with April-June and July-September (with 242 and 254 respectively). Even considering that, Jan-March 2019 notifications are still down by around 12 percent on those lower figures.

You might be tempted to believe that that indicates a trend towards better security practises, although it could equally meant that there has been less vigilance and reporting.

We’ll have to wait for the July report to know whether it’s indicative of a trend and then, until the end of the year, for the next report as the Office of the Australian Information Commissioner (OAIC) moves to half-yearly reports.

Key trends

Aside from the sharp decline in breaches, the biggest change in the January-March quarter was the higher proportion of smaller scale, more targeted attacks.

The majority of data breaches in the period involved the personal information of 100 individuals or fewer (68 percent of data breaches), with data breaches impacting between one and 10 individuals, comprising half of all notifications. The annual average here was 63 percent.

The source of breaches remains on trend with ‘malicious’ breaches up from 60 to 61 percent of reported incidences, ‘human error’ at 35 percent, while ‘system faults’ fell from five to four percent.

The majority of cyber incidents were linked to the compromise of credentials through phishing (28 notifications), unknown methods (33 notifications), or by brute-force attack (6 notifications).

‘Human error’ was notably highest in healthcare, accounting for 30 of the 58 breaches reported by the sector, with ‘malicious attacks’ and ‘system faults’ coming in at 26 and 2 respectively.

The risks of human error were brought home by the fact that 37,000 people were reported as having been affected by just 21 Notifiable Data Breaches received that involved ‘unauthorised disclosure’, or the unintended release or publication of information.

Just two Notifiable Data Breaches saw 432 people affected because ‘BCC’ wasn’t used when sending emails.

Healthcare infections

Healthcare extended its lead over the other top four sectors covered in the report for data breaches, with its 58 breaches more than double that reported for next-placed financial services, on 27, and more than accounting (23), education (19) and retail (11) combined.

‘Contact information’ was the most common form of information involved in data breaches as reported by all sectors, accounting for 186. Financial details came in at 98, followed by healthcare information (63), identify information (55), tax-file-numbers (36) and 25 reported cases where ‘other sensitive’ information was compromised.

The decline in Notifiable Data Breaches reported for January-March is encouraging, yet even if it’s indicative of a trend there’s clearly a lot more that needs to be done to ensure that organisations tick all the right boxes when to cyber security, whether that’s ensuring internal systems are properly protected, or enshrining the best cultural practices to curb what remain high rates of human error across the board.

Now that the Notifiable Data Breaches scheme is fully up and running, the implications for failing to protect users’ data extend beyond economic and reputational damage, to heavy fines for organisations and individuals.


Speak to Brennan IT today to discuss your needs and discover how we can help prevent you from becoming one of the victims, whether that be through our ongoing managed security services, risk assessments, or staff training.