The Privacy Commissioner has released the Notifiable Data Breaches Scheme 12-month Insights report, outlining the lessons learned from the first four quarters of statistics on its operation together with the latest quarterly statistics report for January to March 2019.

The report provides evidence of the human factor in data breaches — training and improving processes and technology are critical to keeping customers’ personal information safe.

The Insights Report examines the first four quarters of statistics from the scheme and shows that:
964 eligible data breaches were notified to affected individuals and the OAIC from 1 April 2018 to 31 March 2019:

• 60 percent of breaches were traced back to malicious or criminal attacks;
• The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords) causing 153 breaches;
• More than a third of all notifiable data breaches were directly due to human error;
• That includes personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten;
• The remaining 5 percent of all notifiable data breaches involved system faults;
• health service providers and finance were the sectors that made the highest number of data breach notifications under the NDB scheme;
• 168 voluntary notifications were also received by the OAIC, where the reporting threshold or ‘serious harm’ test was not met, or the entity was not regulated under the Privacy Act.