Data breaches increased 19% to 537 in the second half of last year, compared to the first six months, with malicious or criminal attacks accounting for almost two-thirds of incidents, a regulatory report shows.

Almost one in three incidents was linked to compromised login credentials, the Office of the Australian Information Commissioner (OAIC) says in the Notifiable Data Beaches Report.

The majority of cyber incidents were linked to the compromise of credentials through phishing and malware, while there were also 14 notifications for “brute-force” attack. In 74 cases the entity was unable to identify how the malicious actor obtained the credentials.

Human error accounted for 32% of breaches and included the accidental emailing of personal information to the wrong recipient.

On a monthly basis, total breaches peaked at 106 in November, the most reported in any calendar month since the scheme began in February 2018.

Australian Information Commissioner and Privacy Commissioner Angelene Falk says sensitive personal details such as financial information, tax file numbers and identity documents are being stored in email accounts, where they may be accessed by malicious third parties.

“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box,” she said.

The health sector accounted for 22% of breaches. Finance, excluding insurance, was the second-highest reporting sector with 14% of breaches.