Did you know 40 per cent of data breaches are malicious or criminal?

Cannings Purple 2 May 2018
2 mins
Cannings Purple | The 268 | Update on notifiable data breaches

Download our white paper on preparing for notifiable data breaches



With Australia’s notifiable data breach reporting rules now in place — and changes to European legislation looming — Design and Digital Director Jamie Wilkinson looks at what lessons we have learned so far.

It’s been nearly three months since Australia’s new data breach laws came into place, and the Office of the Australian Information Commissioner has just published the first data regarding the number of notifiable breaches it received for the first quarter of 2018.

It makes for interesting reading:

  • There were 55 notifiable data breaches in March alone, and 63 in total for two months
  • The largest industry to report was health service providers (28% of all breaches were from health service providers)
  • The clear majority (78%) of breached personal data was contact information
  • Human error was responsible for most of the reported data breaches (50%), with malicious or criminal attacks making up 44% of all notifiable breaches.

The first thing to say is that this isn’t data for a full quarter. Because the new laws only came in towards the end of February, we don’t have a full set of data just yet.

But already we can see human error making up half of all breaches (so we’re talking about people accidentally sending attachments to the wrong people for example).


Still, four in 10 breaches were due to malicious or criminal attack. This is one of the first times we’ve had some insight into the proportion of cyber breaches which are malicious, and should be cause for concern in corporate Australia.


As if there was ever any question, it’s clear that businesses are being targeted for their data.

Some 73 per cent of reported eligible data breaches involved the release of personal information of fewer than 100 individuals.

This means that — on the one hand — most of the breaches were unlikely to have widespread impact. Yet this is cold comfort if you are the one person whose bank details, phone number and TFN have been breached.

It’s also no indicator of the impact or scale of future breaches: as we’ve seen, they can be far-reaching and massive.

It’s early days for data breach reporting in Australia, and there’s a lot for organisations to understand about what is and isn’t notifiable in this area. We’ll keep a tab on the figures in coming quarters to see what other insights can be found in the data as and when the OAIC reveals it.

Cannings Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis. Email Jamie.