The Office of the Data Protection Authority (ODPA) has released personal data breach statistics for Q4 of 2025. The Authority saw a similar number of self-reported personal data breaches compared to the previous quarter, with a welcome decrease in their average severity.
Following 62 breaches in the third quarter, ODPA processed a total of 61 self-reported breaches in the fourth quarter of this year.
In most cases an organisation became aware of the breach through their own employees, rather than from the data subject affected or another party, suggesting improved awareness from those handling personal data. In the previous quarter, the inverse was the case.
This is cause for encouragement, as by detecting breaches internally, the ensuing harm can often be reduced and the matter resolved more quickly.
Of the 61 reported breaches in Q4, only 12 were classified as high-risk, compared to 20 in the prior quarter. Emails sent to incorrect recipients continued to be the most common type of breach reported.
Case study
Several breaches this quarter were caused by people using personal email accounts to send or receive work-related information.
This is a problem for several reasons. Firstly, personal email providers are outside the control of the organisation meaning usual security policies do not apply and the organisation does not know what its data is being used for.
Furthermore, access is likely to be less tightly controlled, as accounts can be shared by couples or devices given to children, which means information could easily fall into the wrong hands.
Finally, using personal messaging to conduct your work can blur where the boundaries of your personal life and your job are in a way that harms professionalism and confidentiality.