Scale of Reported Australian Data Breaches Hits New High: OAIC
Office of Australian Information Commissioner says new breach data highlights need for ‘ongoing vigilance’
While the number of data breaches in the six months to June 2023 was down 16% on the previous six months, the period did include the first breach notified under the Australian Notifiable Data Breach Scheme to affect more than 10 million Australians.
The Office of the Australian Information Commissioner has released its latest Notifiable Data Breaches report, covering the six months from January to June 2023.
The report highlights that 409 notifications were received, down 16% on the previous 6 months from July to December 2022.
Of those data breaches, 70% were attributed to malicious or criminal attacks, while 26% were the result of human error and 4% were due to system faults.
Cyber security incidents directly affected 42% of all reported data breaches. Of those, ransomware accounted for 31% of incidents, stolen credentials accounted for 29% of incidents and phishing accounted for 19% of incidents.
The OAIC also reported that the health and finance sectors remained the top reporters of data breaches. The healthcare sector reported 15% of all notifications for the period (63), while the finance sector reported 13% of all notifications (54).
Most breaches (63%) affected 100 or fewer people. Contact details were the most common form of personal information exposed in the breaches, related to 87% of breaches or 356 incidents.
The OAIC also reported that 23 breaches affected more than 5000 Australians in the six months to June 2023. This was down 45% on the prior six months' figure of 42.
However, two of the breaches reported in the first half of 2023 affected more than 1 million Australians, and one affected more than 10 million. The latter was the first breach notified under the Notifiable Data Breaches scheme to affect more than 10 million Australians, the OAIC reported.
Australia has witnessed several high-profile data breaches in the past six to 12 months.
These include Latitude Financial, which was subject to a cyber attack in March 2023 in which, it claimed, approximately 7.9 million Australian and New Zealand driver licence numbers were stolen. The company also reported that a further 6.1 million records dating back to at least 2005 were stolen.
In September 2022, Optus reported a breach that exposed up to 9.8 million customer records. In November, Medibank announced that it had suffered a breach covering around 9.7 million current and former customers.
Notification Delays Increase Risk
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the Office expected organisations to protect personal information.
“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.
“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.
“The longer organisations delay notification, the more the chance of harm increases.
“Every piece of data that is compromised can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm.
“This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.
“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”
The Office of the Australian Information Commissioner (OAIC) periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to help entities and the public understand privacy risks identified through the scheme.