Human error behind most data breaches
The second "Notifiable Data Breaches Quarterly Statistics Report", covering aggregated data for the three months from 1 April to 30 June 2018, has been circulated by the Office of the Australian Information Commissioner. This was the first full quarter of reporting since the NDB scheme commenced on 22 February 2018.

The largest source of reported data breaches was the private health service provider sector (20 per cent). The second largest source was the finance sector (15 per cent). However, certain kinds of data breaches can affect larger numbers of people. For example, in this quarter human error data breaches involving the loss of storage devices impacted the largest numbers of people (an average of 1199 affected individuals per breach). Failures to use the 'blind carbon copy' (BCC) function when sending group emails impacted an average of 571 affected individuals per data breach. By contrast, human errors involving sending personal information to the wrong recipient generally impacted small groups or single individuals.

Looking specifically at the finance sector, the total number of notifications received in the quarter from April to June 2018 was 36, up from eight notifications in the shorter initial reporting period from 22 February 2018 to 31 March 2018 (not quite half the length of a full quarter). Most notifications from the finance sector in this period involved the personal information of 100 individuals or fewer (67 per cent of breaches).

Human error accounted for 50 per cent of data breaches reported from the finance sector, although from a low base, with examples including: sending personal information to the wrong recipient by email (six notifications) or mail (three notifications); and unintended release or publication of personal information (three notifications). Malicious or criminal attacks accounted for 47 per cent of data breaches, with the other three per cent being "system error".

Of the cyber incidents notified by the finance sector, 93 per cent were related to lost or stolen credentials (for example, through phishing or brute-force attacks). Ransomware attacks comprised the remaining seven per cent. One notification in the quarter identified the source of the data breach as a system fault leading to unauthorised access.