
2 in 5 financial sector data breaches due to human error

Two in five data breaches in the financial services sector are attributable to human error, a new OAIC report has concluded.

The Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches Scheme 12-month Insights Report this week, which showed that the finance industry was the second-most prone to data breaches, following health.

Of the 1,132 total data breach notifications recorded between 1 April 2018 and 31 March 2019 – the first 12 months since the mandatory Notifiable Data Breaches (NDB) scheme for businesses came into effect – 138 were reported by financial services firms.

Fifty-seven, or 41 per cent, of these breaches were attributable to human error, such as personal information being sent to the wrong recipient.

Meanwhile, 77, or 56 per cent, were due to malicious or criminal attacks, while just four, or 3 per cent, of the breaches were attributed to system faults.


“The consistent presence of the health and finance sectors at the top of the rankings throughout the year likely reflects the scale of data holdings, volume of processing activities and/or sensitivity of the personal information held by those sectors, as well as those sectors’ higher preparedness to report data breaches,” the OAIC report states.

“Both industries have also been subject to long‑standing information protection obligations (including duties of confidentiality and strict regulatory frameworks) which have likely contributed to their relative maturity and preparedness to meet obligations under the NDB scheme.”

Due to the accelerating threat of cyber attacks, the Australian Prudential Regulation Authority (APRA) created a cross-industry prudential standard, CPS 234, focused on the management of information security at regulated entities.

Coming into effect on 1 July 2019, the infosec standard requires authorised deposit-taking institutions, and other regulated entities, to:

  • “clearly define” information security-related roles and responsibilities
  • “maintain an information security capability commensurate with the size and extent of threats to their information assets”
  • implement controls and regularly test their effectiveness to protect assets (including those managed by related and third parties) from new threats
  • have “robust mechanisms” in place to detect and respond to information security breaches in a timely manner
  • notify APRA of information security incidents (that had a material impact or could have an impact on the entity or the interests of depositors, policyholders, beneficiaries or other customers) within 72 hours of becoming aware of them

The standard also stipulates that company boards are “ultimately responsible for ensuring that the entity maintains its information security”.


APRA has also been updating its Prudential Practice Guide CPG 234 Management of Information and Information Technology to help entities fulfil their requirements.

A separate survey of 1,000 consumers, conducted by Roy Morgan and commissioned by Deloitte, revealed that consumer trust in the privacy practices of financial institutions had fallen more steeply over the last three years than in any other sector.

According to Deloitte’s Privacy Index 2019, the finance sector has dropped from first place in 2016 and 2017, and second place in 2018, to ninth in 2019.

“Financial services has seen the biggest loss in trust in privacy but is still in positive territory, meaning more consumers trust than distrust financial services brands with their personal information,” the report states. 

The IT sector was considered the most trustworthy when it comes to privacy, followed by real estate, travel and transport, and energy and utilities.

On the other hand, the report ranked the finance sector as the best-performing industry on one of the criteria in the study, with 94 per cent of finance apps providing a privacy policy.


Tas Bindi

Tas Bindi is the features editor on the mortgage titles and writes about the mortgage industry, macroeconomics, fintech, financial regulation, and market trends.

Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business. 
