Australian Information Commissioner releases latest report on data breaches. Last year, 2024, was a record year for data breaches.
May 19, 2025
The Information Commissioner releases a report on data breaches semi-annually. The statistics cover breaches reported to the Commissioner under the Notifiable Data Breaches Scheme, together with breaches that organisations or agencies chose to report out of an abundance of caution or that had already been reported in the media. Not every data breach has to be notified: the obligation attaches only to an "eligible data breach", one that is likely to result in serious harm to the individuals whose personal information is involved. Some entities are exempt from the Privacy Act 1988 altogether, notably most small businesses with an annual turnover under $3 million. And there are organisations that do their best to keep data breaches quiet. According to the report for the period July to December 2024, the Commissioner was notified of 595 data breaches. That makes a total of 1,113 notifications for the year, over 200 more than the 893 notifications received in 2023.
What needs to be understood is that these figures only indicate a trend in data breaches. The number of data breaches actually suffered by Australian entities is far larger than the number reported to the regulator.
Some interesting statistics regarding the latest report:
- the health sector had the most notifications, 121 of the 595.
- 63% of data breaches involved 100 people or fewer.
- 42% of data breaches resulted from cyber security incidents, with phishing the most common vector (34% of those incidents) followed by ransomware (24%).
- the main cause of human error breaches was sending personal information to the wrong recipient, at 42%. This is a chronic problem for government.
- there were 2 notified breaches involving 500,000 – 1,000,000 people and 4 affecting 250,001 – 500,000 people.
- contact information was involved in 489 breaches and identity information in 376 breaches (a single breach usually involves more than one kind of personal information, so the counts overlap).
- 52% of breaches were notified to the Commissioner in 10 days or less while 30% were notified in more than 30 days.
- time to notify varied sharply with the cause of the breach. Notified in 10 days or less: 49% of malicious or criminal attacks, 62% of breaches caused by human error, but only 10% of breaches caused by a system fault. Notified in more than 30 days: 33% of malicious or criminal attacks, 22% of breaches caused by human error and 67% of breaches caused by a system fault.
- interestingly, while 56% of data breaches in the health sector were notified in 10 days or less, only 16% of data breaches in the Australian Government sector were notified in that time frame. The Australian Government was the laggard in reporting: 74% of the data breaches it suffered were notified more than 30 days after the breach was detected. Legal, accounting and management services were the most diligent, with 69% notifying a breach in 10 days or less.