07 October 2019

Compromised credentials behind most Australian cyber security breaches

Your contact details are the information most at risk from a data breach, and personal information and systems access should be of primary concern to Australian businesses, according to the latest statistics.

The most recent Australian Notifiable Data Breaches Statistics Report from 1 April to 30 June 2019 provides a cyber security snapshot of causes, size of operations and the key industry sectors at risk.

The total number of notifications rose from 215 in the first quarter of the year to 245. The number of individuals affected by the lost information was mainly small: fewer than 1000 in 225 of the instances, and just one in 61 incidents. Small numbers of breaches, mainly a couple or a single instance, affected between 1001 and 10 million people.


Contact details were the most commonly compromised kind of information, at double the number of incidents involving financial details, which were closely followed by identity information, then health information. A significantly smaller proportion involved tax file numbers, then other sensitive information.

Just over 60% of the reported data breaches were malicious or criminal attacks, a third were due to human error and less than 5% to system faults. The primary target for malicious attacks was the health sector; followed by finance; legal, accounting and management services; education; and retail.

The health sector also recorded the highest incidence of human error (25 notifications), followed by finance (18), then legal, accounting and management services, and education (7 each), with retail recording only 2 human error incidents.

Phishing to obtain system access credentials was the method used in more than 40% of malicious or criminal attacks, and stolen or compromised credentials accounted for a further 35% of breaches. Hacking and ransomware were employed much less, at 8.7% each, and malware in only 2.86% of breaches.

This sends a clear message to Australian businesses to focus defence efforts on personal credentials and systems access: educating staff about security awareness, and identifying and protecting potential entry points by employing robust controls.

Be prepared

Mitigating cyber attacks is the best way to avoid potential damage to a business, but cyber insurance can also help to pick up the pieces should something go wrong.

Gallagher can help businesses formulate preventative strategies, as well as deal with the impact of a data breach. Talk to a Gallagher cyber security specialist about how we can help you limit your cyber security exposure.


To the extent that any material in this document may be considered advice, it does not take into account your objectives, needs or financial situation. You should consider whether the advice is appropriate for you and review any relevant Product Disclosure Statement and policy wording before taking out an insurance policy.