Human error still causing data breaches

Feb 2021 | Cyber Risk

The Office of the Australian Information Commissioner (OAIC) has published an updated report capturing information regarding data breaches reported under the Notifiable Data Breaches (NDB) scheme between January 2020 and June 2020.

The NBD scheme was established in February 2018, requiring all agencies and organisations1 who are covered by the Privacy Act 1988 to report data breaches that are likely to cause serious harm. The OAIC publishes biannual reports which highlight the prevalence, causes and emerging issues based on the notifications received.

Key statistics

Between January 2020 and June 2020 there was a total of 518 notifications to the OAIC, marking a 3% decrease in the number of reported incidents compared to the previous six months. It is however a 16% increase in reported incidents compared to the notifications received between January and June 2019.


The causes of the data breaches reported were:

  • malicious or criminal attacks, accounting for 317 breaches (61%). This marks a decrease of 7% in the prevalence of these attacks since the OAIC’s last report. These attacks include phishing, malware, ransomware, brute-force attacks and compromised or stolen credentials (often as a result of an individual clicking on a phishing email or disclosing passwords, which accounted for 133 notifications);

  • human error which accounted for 176 breaches (34%), marking a 7% increase since the OAIC’s last report. Over half of those breaches were caused by sending emails or posting information to the wrong recipient. Incidents involving a failure to use the blind carbon copy feature when emailing affected an average of 486 individuals per incident;2 and

  • system failure, accounting for 25 attacks (5%), marking a decrease of 7% since the OAIC’s last report.

The prevalence of ransomware attacks increased by more than 150% (from 13 to 33) compared to the previous six months. Often installed on a system through a malicious email attachment, a fraudulent software download or by visiting a malicious webpage, ransomware-attackers disable users from accessing data and demand a sum of money in exchange for the decryption key.

More data breaches were reported in May than any other month within the period and a majority of those incidents were caused by human error. The OAIC has stated there is no evidence to suggest the increase is related to changed business practices resulting from COVID-19 as the data for the period as a whole largely aligns with long term trends.


The health sector, which has consistently reported the highest number of incidents since the inception of the NBD, continued this trend by notifying 22% of all data breaches. 57% of those breaches were caused by human error.

This is significantly higher than the next highest reporting sector, being finance, which notified of 14% of all breaches, followed by education (8%), insurance (7%) and legal, accounting and management services (5%).

Scope and type of information involved

Consistently with previous reporting periods, a majority of data breaches affected fewer than 100 individuals (64% for this reporting period). 46% of notifications related to breaches affecting between 1 and 10 individuals, with 151 reported incidents affecting one person.

Contact information was involved in 84% of notified incidents. This includes an individual’s home address, phone number or email address.

Over a third of breaches involved identity information, distinct from contact information as it refers to any data which could be used to confirm a person’s identity. Common examples include a person’s passport number, driver licence number or other government identifiers.

Breaches otherwise involved tax file numbers (17%), financial details (37%), health information (26%) and ‘other sensitive information’ (11%) which does not fit into the above categories.


The statistics, largely in line with trends within the previous reporting period, indicate businesses need to ensure they are consistently educating their employees on the common causes of cyber incidents and how to avoid them. The largest source of data breaches continues to be malicious attacks, which is mainly caused by individuals entering personal information into fraudulent websites or in response to emails impersonating another user. These attacks appear to be largely preventable yet have remained a leading cause of data breaches throughout each of the OAIC’s reports.


1 This includes Australian Government agencies, businesses and not-for profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number recipients.
2 There were 12 incidents within the relevant period.

This article may provide CPD/CLE/CIP points through your relevant industry organisation.