The Australian Information Commissioner (OAIC) regularly releases statistics on data breaches reported under the Notifiable Data Breaches (NDB) scheme. This information helps organisations and the public stay informed about the privacy risks identified through the scheme. The rising number of data breaches suggests that organisations may not be conducting enough network penetration testing, cyber security audits and other compliance work against standards such as PCI-DSS, ISO 27001 and Essential 8. This report specifically covers data breaches reported from July 1st, 2023, to December 31st, 2023.
It’s important to note that comparisons in this report are typically made against data from the first half of 2023 (January 1st to June 30th) unless otherwise stated. Additionally, percentages in the charts might not perfectly add up to 100% due to rounding.
The source of each breach is based on what the reporting entity provides. If there are multiple possible sources, the report considers the most likely or dominant source. It’s important to remember that notifications made under the My Health Records Act 2012 are not included in this report, as they have their own specific reporting requirements defined by that legislation.
Finally, while the statistics in this report are current as of January 30th, 2024, some data breach notifications are still being assessed. This means that adjustments might be made to the related statistics, potentially impacting the data presented for the July to December 2023 period in future reports. Similarly, statistics from before July 2023 in this report might differ slightly from those published in previous reports.
Key findings for the July to December 2023 reporting period:
1. The number of reported breaches increased by 19 percent, rising from 407 in January to June of 2023 to a total of 483.
2. Malicious or criminal attacks remained the leading cause (67%) of data breaches.
3. The health and finance sectors remained the top reporters of data breaches. Health reported 104 breaches (22% of all notifications) and finance 49 breaches (10%).
4. The majority of breaches (65%) affected 100 or fewer people.
In addition to the 483 primary notifications, the OAIC received 121 additional notifications, a sharp rise from the 29 additional notifications received between January and June 2023.
Increased Focus on Ensuring Organisations Comply With the NDB Scheme
The Australian Information Commissioner (OAIC) prioritises data security and expects businesses to have effective data breach response plans. Recent determinations and legal actions highlight the importance of:
- Taking reasonable steps to protect personal information.
- Having proper data retention practices.
- Complying with data breach reporting requirements, especially when the OAIC raises concerns.
- Conducting swift assessments of suspected data breaches.
Businesses are encouraged to review the recent determinations and consider developing their own data breach response plans.
All Industry Data Breach Notifications, July-December 2023
During this reporting period the OAIC received 483 notifications, a 19% increase on January to June 2023. This continues a pattern the OAIC has observed since the NDB scheme began in February 2018: notifications are usually higher in the second half of each year.
After a comparatively low count of 57 notifications in July 2023, the number of notifications grew steadily each month, peaking at 97 in December 2023.
Reporting period | Number of notifications
January to June 2023 | 407
July to December 2023 | 483
Total | 890
Chart 1: Notifications received by month from January 2022 to December 2023
Chart 2: Notifications received by month showing the sources of breaches
Number of individuals worldwide affected by breaches
In this reporting period, most breaches (91%) involved the personal information of around 5,000 people worldwide. Breaches affecting fewer than 100 people made up 65% of all notifications. Breaches affecting between one and ten people accounted for 44% of notifications, comparable with previous reporting periods.
Chart 3: Number of individuals worldwide affected by breaches.
Massive data breaches impacting Australians
In the second half of 2023, the OAIC received about the same number of data breaches that impacted over 5,000 Australians as it did in the first half of the year.
Number of Australians affected by breaches | Jan–Jun 2023 | Jul–Dec 2023
5,001–10,000 | 11 | 7
10,001–25,000 | 5 | 4
25,001–50,000 | 3 | 7
50,001–100,000 | 3 | 0
100,001–250,000 | 1 | 4
250,001–500,000 | 0 | 1
500,001–1,000,000 | 0 | 1
1,000,001–10,000,000 | 2 | 2
10,000,001 or more | 1 | 0
Total number of breaches affecting over 5,000 Australians | 26 | 26
Cyber incidents remained the main cause of data breaches affecting large numbers of Australians. Of the 26 breaches affecting more than 5,000 Australians, 22 resulted from cyber incidents. The leading causes were compromised or stolen credentials (9 notifications), ransomware (8) and hacking (4).
Types of Personal Information Involved in Breaches
Contact information and identity information were the types of personal information most frequently involved in breaches. Most breaches (about 88%) involved contact information such as a person’s name, home address, phone number and email address. Identity information, which covers details used to verify a person’s identity such as date of birth, passport details and other government identifiers, was exposed in 63% of breaches.
In this reporting period, health information was exposed in 41% of breaches, overtaking financial details as the third most common type of personal information involved.
Chart 4: Kinds of personal information involved in breaches.
Time required to identify breaches
Detecting a breach quickly lets an organisation contain it sooner, which reduces the harm done and limits how long an attacker retains access to systems. In this reporting period, entities identified 64% of breaches within ten days of them occurring. Around a quarter (23%) of breaches were identified more than 30 days after they occurred.
Chart 5: Time taken to identify breaches.
Depending on where the breach originated, different entities took different amounts of time to identify it. The fastest to be identified were breaches due to human error (71% found within 10 days), followed by malicious or criminal attacks (61%).
System fault breaches were the slowest to be discovered (53% within 10 days), in line with earlier reports.
Chart 6: Time taken to identify breaches by source of breach.
Time required to notify the OAIC of breaches
The figures in this section measure the time from when an entity became aware of an incident to when it notified the OAIC. They do not measure how long the entity took to assess whether the incident was a significant data breach before notifying the OAIC.
In this reporting period, 72% of entities notified the OAIC within 30 days of becoming aware of an incident, close to the previous period’s figure of 74%.
Chart 7: Time taken to notify the OAIC of breaches.
The time entities took to notify the OAIC varied by the source of the breach, with a few changes from the previous period.
Notification times for breaches caused by malicious or criminal attacks or by human error were similar to the previous period. Most breaches caused by system faults were notified to the OAIC within 30 days of the entity becoming aware of them.
Chart 8: Time taken to notify the OAIC of breaches by source of breach.
Source of breaches
Malicious or criminal activities continue to be the main reason for data breach reports submitted to the OAIC.
In proportional terms, the sources of breaches were largely unchanged from the previous period:
- 67% were caused by malicious or criminal attacks, compared to 71% the previous period.
- 30% were caused by human error, compared to 26% the previous period.
- 4% were caused by system faults, compared to 3% the previous period.
Chart 9: Source of data breaches
Malicious or Criminal Attacks
Cyber incidents accounted for 66% of breaches resulting from malicious or criminal attacks. There were 211 breaches resulting from cyber incidents, a 23% increase on the 171 reported in January to June 2023. Cyber incidents were the cause of 44% of all data breaches, up from 42% in the previous period.
17% of breaches caused by malicious or criminal attacks were the result of social engineering or impersonation attacks; 11% were the result of actions taken by rogue employees or insider threats; and 7% were the result of theft of documents or data storage devices.
Chart 10: Malicious or criminal attack breakdown
An analysis of the global average and median numbers of victims of malicious or criminal attacks
Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
Cyber incident | 211 | 56,279 | 171
Rogue employee / insider threat | 36 | 9,080 | 11
Social engineering / impersonation | 54 | 183 | 4
Theft of paperwork or data storage device | 21 | 152 | 48
Total | 322 | 37,346 | 58
Cyber incidents
Phishing (28%, 59 notifications) surpassed ransomware (27%, 57 notifications) as the leading cause of cyber incidents during this reporting period. 58% of all cyber incidents involved compromised credentials, whether via phishing, a brute-force attack, or another technique.
Chart 11: Cyber incident breakdown
Breakdown of cyber incidents by average and median number of affected people globally
Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
Brute-force attack (compromised credentials) | 7 | 803,222 | 95
Ransomware | 56 | 57,900 | 693
Hacking | 22 | 49,501 | 879
Compromised or stolen credentials (method unknown) | 57 | 27,320 | 17
Phishing (compromised credentials) | 59 | 1,951 | 70
Malware | 10 | 356 | 9
Total | 211 | 56,279 | 171
Human error
In the second half of 2023, emailing personal information to the incorrect person continued to be the most frequent source of human error breaches. The incorrect recipient receiving personal information via email, mail, or other channels was the cause of nearly half (49%) of human error breaches.
Chart 12: Human error breakdown
Some types of human error breach affected larger numbers of people worldwide. In fifteen breaches, personal information was mailed to the wrong recipient, affecting 2,231 people on average. Next were two breaches resulting from insecure disposal of personal information, affecting 1,074 people on average.
Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
PI sent to wrong recipient (mail) | 15 | 2,231 | 1
Insecure disposal | 2 | 1,074 | 1,074
Unauthorised disclosure (unintended release or publication) | 29 | 299 | 1
Loss of paperwork / data storage device | 13 | 193 | 5
Failure to use BCC when sending email | 11 | 145 | 66
Unauthorised disclosure (failure to redact) | 8 | 35 | 2
PI sent to wrong recipient (email) | 48 | 29 | 1
Unauthorised disclosure (verbal) | 11 | 1 | 1
PI sent to wrong recipient (other) | 7 | 1 | 1
Total | 144 | 348 | 1
System faults
In the majority of system fault breaches (59%), personal information was unintentionally released or published. Possible causes include misaligned or asynchronously operating systems or databases, and untested changes to systems or infrastructure.
Chart 13: System fault breakdown
Time taken to identify breaches – Top 5 sectors
The amount of time it took for entities to identify incidents varied significantly by sector.
Health service providers identified the incident within 10 days of it occurring in 75% of their notifications during the reporting period, compared with 37% of notifications from the Australian Government.
Chart 14: Time taken to identify breaches – Top 5 sectors.
Primary Breach Origins: Top 5 Sectors
The top 5 sectors reported that the most common cause of data breaches was still malicious or criminal attacks. 53% of the breaches reported by health care providers, 67% by the finance industry, 53% by the insurance industry, and 82% by the retail industry were caused by them.
Chart 15: Source of breaches – Top 5 sectors
Top 5 sectors affected by Malicious or criminal attack breaches
Chart 16: Malicious or criminal attacks breakdown – Top 5 sectors
Top 5 sectors affected by Cyber incident breaches
Chart 17: Cyber incident breakdown – Top 5 sectors
Top 5 sectors affected by human error breaches
Chart 18: Human error breakdown – Top 5 sectors
Top 5 sectors affected by system fault breaches
Chart 19: System fault breakdown – Top 5 sectors
Cybersecurity experts at Cybernetic Global Intelligence, a global cyber security firm, help their clients achieve certifications and regulatory compliance such as ISO 27001, PCI-DSS, Essential 8 and SSAE 18, and provide vulnerability assessment and penetration testing, WAPT and information security audits.
Get in touch with Cybernetic Global Intelligence (CGI), a cybersecurity company with years of experience assisting organisations in the uphill battle against cybercriminals!
Source: OAIC