Notifiable data breach scheme: Year one insights

The Notifiable Data Breach (NDB) scheme, which came into effect on February 22, 2018, applies to entities governed by the Privacy Act 1988. It requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when an eligible data breach of personal information occurs, that is, one likely to result in serious harm to the individuals concerned.

Every quarter, the OAIC publishes detailed reports highlighting significant data breach trends to promote greater transparency, accountability, and awareness of security risks. This article compiles the key insights from the data breaches notified between April 2018 and March 2019, the first full year of the scheme.

Breach notifications

The OAIC received a total of 964 breach notifications over that year. Before the NDB scheme, there were only 159 voluntary notifications in the 2017–2018 financial year and 114 in the year before. Much of the increase reflects the fact that notification is now mandatory, but it also indicates heightened awareness of, and compliance with, data security obligations.

83% of the breaches reported under the NDB scheme affected 1,000 individuals or fewer, though three incidents involved 10 million people. The large number of small-scale breaches suggests that routine data management practices are poor: most incidents expose only dozens of records at a time rather than millions, but they happen often.

Looking at the types of data compromised, contact information was involved most often, followed by financial details, identity information, and health records. One reason may be that compromised contact information enables follow-on attacks, such as targeted phishing, that are more lucrative for the attacker than the initial breach.

Human error and malicious attacks

Malicious and criminal attacks were responsible for 60% of data breaches during the first year of the NDB scheme. These attacks include phishing, stolen credentials, malware, brute-force attacks, and theft of storage devices, among others. Of these, phishing was the biggest threat, accounting for 153 breaches, largely because such scams are becoming increasingly difficult for recipients to detect.

Human error accounted for 35% of data breaches. The most frequent mistakes were personal information sent to the wrong recipient, unauthorised disclosure of information, and loss of paperwork. Note, however, that even certain malicious attacks, such as phishing and compromised credentials, rely on some form of human error (e.g., clicking on a dangerous link or reusing a weak password). This underscores the need to establish strict data management policies and provide comprehensive security training.

Most vulnerable sectors

According to the OAIC, three industry sectors consistently reported the most breaches throughout the year.

  1. Healthcare – The health services sector reported 206 breaches, the majority of which (55%) were the result of human error. Given the vast volume of sensitive records and the scale of data processing in this sector, mistakes like sending confidential records to the wrong recipient are bound to happen. Healthcare institutions must therefore find the right balance between streamlining record management and ensuring privacy.
  2. Finance – The second largest source of data breaches was the finance sector, with 138 reported incidents. Most of these (56%) were caused by malicious attacks. This is primarily because financial information is worth thousands of dollars to cybercriminals seeking large payouts. Phishing is also effective against this sector because it targets people rather than systems, so even the strongest technical controls money can buy can be bypassed by a single convincing email.
  3. Legal, accounting, and management – At 100 breaches, legal, accounting, and management services was the third highest reporting sector. Malicious attacks like malware, stolen credentials, and rogue employees (insider threats) were the biggest issues here. This suggests that many firms in this sector lack the security frameworks needed to defend against a wide range of threats. They also manage large volumes of identity information, making them attractive targets.

Learning from the NDB report

There are a few key lessons to learn from these findings. First, organisations must invest in preventative measures such as threat detection systems, encryption, and multifactor authentication. Together these controls help detect breaches sooner, protect the confidentiality and integrity of information, and limit the damage a stolen password can do on its own.

Second, since many data breaches were linked to employee error, regular security training is vital. Each session should cover proper data handling processes, password best practices, and how to recognise and report email-based threats. For best results, run phishing simulations so employees practise against realistic lures and learn to report them.

Beyond prevention, organisations must also focus on preparation and harm minimisation. This means developing an incident response plan that employees can follow when a breach occurs. The plan should give practical guidance on how to contain the breach, who to contact during the incident, how to assess the impact, and how to meet the NDB notification obligations. Finally, establish support lines to communicate with affected parties. Clients and stakeholders tend to respond more favourably when they are promptly told what happened and what they can do to protect themselves.

If your organisation’s cybersecurity framework doesn’t measure up to these standards, you should work with leading managed services providers like Empower IT Solutions. From security technologies to training to incident response, we provide everything you need to keep your business safe. Contact us today.
