The Office of the Data Protection Authority (ODPA) has released personal data breach statistics for the first quarter of 2026, revealing a decrease in the average severity of the breaches reported.
Following 61 reported breaches in the fourth quarter of last year, the ODPA received 65 self-reported personal data breaches in the first quarter of 2026. However, the number of breaches deemed high-risk upon assessment reduced by almost half, from 12 to 7. This marks two successive quarters where there has been a reduction in this area.
As was the case at the end of 2025, organisations most commonly became aware of the breach through their own employees, rather than from the data subject affected or another party.
This is another encouraging sign for breach detection.
By detecting breaches internally, harm can often be mitigated and matters can be resolved more quickly. These statistics imply an improving awareness level of data protection law and principles among those handling personal data in the Bailiwick.
“Notwithstanding the continuing high volume of breach incidents, there are some very encouraging signs”, said Data Protection Commissioner Brent Homan. “The fact that the severity of compromises has decreased and that breaches are increasingly being detected from within organisations points to reduced harms that are mitigated more quickly”.
Emails sent to incorrect recipients continued to be the most common type of breach reported, with loss of confidentiality the most prevalent potential harm.
Organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law). You can report a breach to us here.
Why does the ODPA publish breach statistics?
We publish statistics of the number of breach reports we receive every quarter.
Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.
