FAL Lawyers

964 Data Breach Notifications in the last 12 months


964 data breach notifications were made in the first 12 months of the Australian mandatory notification scheme, according to a report recently released by the Office of the Australian Information Commissioner (OAIC). The rate of reporting was steady over the year and there is no indication that it will slow. The notifications attributed the breaches as follows:

  • 60% as malicious or criminal attacks;

  • 35% as human error; and

  • 5% as system faults.

Malicious or criminal attacks were further broken down as:

  • 68% common cyber threats such as phishing, malware, ransomware, brute-force attacks and stolen credentials; and

  • 32% theft of paperwork or data storage devices, social engineering, or rogue employees.


Phishing was the most common cause of data breaches. Phishing is tricking people into revealing their information, such as passwords. A typical example is a password reset email purporting to come from a legitimate email provider such as Gmail or Office 365, which in fact directs the recipient to a page controlled by the attacker. Knowing the causes of breaches enables organisations to focus their prevention efforts, so a key prevention measure is training staff to recognise phishing emails. While this may seem obvious, phishing emails are becoming increasingly sophisticated, and a correspondingly higher level of awareness is required to avoid acting on a dodgy email.

Most breaches involve a human element, such as clicking on a link that led to the theft of the user's login credentials, or sending information to the wrong person. Employees were centrally involved in these errors.

The scale of the breaches reported was relatively small: 83% affected fewer than 1,000 individuals and only 1.5% affected more than 50,000.

The most common kind of personal information compromised was contact information. Although its loss is initially less serious than the loss of credit card details, contact information is valuable to attackers because it can be used in subsequent social engineering and phishing attacks.

A further 15% of the reports made to the OAIC were assessed as not being serious enough to require notification; these were therefore not reportable and are not counted in the 964 total.


Practical steps for organisations:

  1. All employees should be trained to detect and deal with email-based attacks, and in secure password practices;

  2. Organisations should invest in improving the security of their systems, including engaging security experts;

  3. Organisations should regularly test their data breach incident plan by way of simulations;

  4. Organisations should have a good understanding of the data they hold, so that they can decide promptly and with confidence whether a breach must be reported; and

  5. Clarity and simplicity in communications with customers about data breaches is important and may include dedicated webpages, FAQs and support lines.


Sam Funnell

Partner, Melbourne

Ph: 0425 710 957