Office of the Information Commissioner releases latest Data Breach Report. Useful but still under reports the number of breaches in Australia. While number of breaches notified reduced by 16% in this period there was the first breach involving over 10 million people.

September 11, 2023 |

The Office of the Information Commissioner has released the latest Data Breach Report for the first half of 2023. It was a reduction over the previous 6 months.  It should be noted that there are usually more data breaches in the second half of a year. 

Some of the interesting points made in the report was:

  • Health services continued to be the most affected by data breaches, with 63 notifications of the total of 409.
  • 42% of the data breaches resulted from cyber security incidents
  • 288 of of the attacks were malicious or criminal attack
  • human error breaches were the fastest to be identified in 30 days or fewer. 
  • 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these,

    • 7 were caused by ransomware,

    • 7 by compromised or stolen credentials ,

    • 4 by hacking and 1 each by brute-force attack, malware and phishing (compromised credentials).

    • 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and theft of paperwork or a data storage device.

  • 87% of information affected was contact information, such as an individual’s name, home address, phone number or email address.
  • in 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach.

“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” Commissioner Falk said.

“The longer organisations delay notification, the more the chance of harm increases.”

The January to June 2023 period saw 409 data breaches reported to the OAIC. While that was a 16% decrease in the number of notifications compared to the previous period, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018.

Cyber security incidents were the source of 42% of all breaches (172 notifications). The top three cyber-attack methods were ransomware (53 notifications), compromised or stolen credentials for which the method was unknown (50 notifications) and phishing (33 notifications).

Contact, identity and financial information remained the most common kinds of personal information involved in breaches.

“Every piece of data that is compromised can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm,” Commissioner Falk said.

“This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.

“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”

The first half of 2023 also saw the Attorney-General’s Department release its proposed reforms to the Privacy Act 1988 in the Privacy Act review report

“Our latest report demonstrates data breaches are still very much a factor in the digital world,” said Commissioner Falk.

“The proposed reforms to the Privacy Act will provide a stronger framework for the handling of our personal information and help to strengthen trust in the digital economy.

“Our latest Australian Community Attitudes to Privacy Survey found Australians view data breaches as the biggest privacy risk, and 89% would like the government to pass more legislation that protects their personal information.”

Leave a Reply

Verified by MonsterInsights