The Office of the Data Protection Authority (ODPA) has released personal data breach statistics for Q3 2025.
The ODPA saw a rise in self-reported personal data breaches compared to the second quarter, with an increase in their average severity.
Following 53 breaches in the first quarter and 52 in the second, the ODPA processed a total of 62 self-reported breaches in the third quarter of this year. It is encouraging to note that organisations are recognising their obligation to report data breaches, which in many cases enables the ODPA to assist in mitigating the damage from the breach.
In most cases an organisation became aware of the breach through a customer or third party, rather than discovering it themselves. We would encourage organisations to actively monitor for intrusions as the quicker a breach can be detected the more that any ensuing harm can be reduced.
Fifteen of the breaches were deemed ‘not reportable’ due to the low level of risk posed. We have included a case study below to illustrate the types of breaches that may not be reportable and why.
Of the 62 reported breaches in Q3, 20 were classified as high-risk, compared to 14 and eight in each of the last two quarters.
Case study
A volunteer at a sports club was sending an email to fellow volunteers about an upcoming event but forgot to blind copy (bcc) the recipients, meaning they could see the email addresses of the other recipients. Concerned that they had committed a breach of data protection law, they considered self-reporting this to the ODPA.
Membership of the recipient list did not reveal any special category data and merely revealed affiliation to the sports club. The sports club’s committee established that the individuals already knew each other and did not know of any grievances amongst them. Therefore, they rightly concluded that they did not need to inform the ODPA.
Why didn’t this need reporting?
A personal data breach is defined in the Law as a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data or unauthorised disclosure of or access to personal data.
If you become aware of a breach, you are legally obliged to tell the ODPA within 72 hours after becoming aware unless the breach is unlikely to result in any harm to the individuals whose data are involved.
In this instance, the breach was unlikely to result in any harm to the individuals whose email addresses were revealed; therefore, it was not necessary to inform the ODPA.
Incidents that do not meet the reporting threshold do still need to be included on an internal breach log.