Australian Notifiable Data Breach – Key Takeaways

Data Breach / Cyber Compliance

The Office of the Australian Information Commissioner (OAIC) released a report after the end of March this year to summarise the results of their findings since the inception of mandatory breach notification (Notifiable Data Breach – NDB) in February 2018.

Here is the link to the data breach report:

The findings are very interesting as Australian organisations come to terms with regulations around cyber data breaches.

As a security consultant who has been working with organisations on cybersecurity since the early days of the internet, below are some key takeaways from the report:

  • 964 eligible data breaches were notified to the OAIC in this period
  • This is a 712% increase in notifications from the previous year, pre-NDB
  • Majority (60%) were due to malicious intent
  • 35% of the reported breaches were due to human error
  • Australian organisations are woefully unprepared to deal with this risk


Some Australian organisations are woefully undefeated and unprepared for being targeted by organised criminals that make a profit from stealing people’s personal details.

The key things that are missing and thereby not good enough are:

  • Organisational understanding of employee cyber risk culture
  • Security awareness training
  • Board, executive leadership, and risk committee understating of the gravity of the issue
  • Incident response planning and testing

Also to those organisations that tell me they have the best firewalls and the best endpoint security, look at the stat above – 35% of reported eligible breaches are the result of human error! 60% of the breaches are due to malicious intent.


Organised criminals are coming after the data that you hold. They are committed and they will get in.

CTRL Group have a 100% success rate for paid red-teaming and capture-the-flag exercises for our clients. Some other advice for the NDB:

  • Profile your cyber risks into a register
  • Prepare for the worst – cyber incident response planning
  • Integrate your cyber incident response plan with your crisis management and crisis communications plans; you may find there is not too much work to do
  • Escalate concerns and strategy to the highest levels of management; seek their support and sponsorship
  • Embark on an advanced cybersecurity awareness program
  • Build/modify your response plans and TEST THEM! Your plans are only as good as their last test
  • Consider cyber insurance as good cyber insurers have incident response capabilities built into their policies
  • Have experts monitor your security; third party security operations centre will greatly improve your peace of mind

The CTRL Group team are always available to have a chat and discuss how our services can help your organisation.

Related Articles

Cyber Breach and Cyber Incident response and cyber insurance are fundamental to an organisation's cybersecurity.
Cyber Insurance / Incident Response
Are you Cyber Ready for Cyber Insurance?
Read more
Cyber Compliance / Cyber Advisory, Cyber Compliance
Cyber Regulations and Australian Compliance Overview 2022
Read more
Cyber Breach and Cyber Incident response and cyber insurance are fundamental to an organisation's cybersecurity.
Cyber Insurance / Cyber Advisory, Incident Response
Cyber Insurance – What should you know?
Read more