Office of the Information Commissioner reports that January to June 2024 saw the highest number of data breaches in three and a half years.
September 23, 2024
The Office of the Information Commissioner has released its data breach report for the first 6 months of 2024. It is a useful, if imperfect, indication of the number of notifiable data breaches in Australia. The latest report shows an increased number of reportable breaches, reaching the highest number in three and a half years. It should be a given that the figures set out in these reports are very much an indication of trends only: the actual number of data breaches is significantly higher. Some industries are more assiduous than others in reporting, and the legislation allows for considerable interpretation of what is a reportable data breach. The culture of reporting remains poor because the consequences of non-compliance with the legislation
The Commissioner provided a foreword to the Report in which she foreshadowed a more muscular approach to enforcement. Finally. The foreword provides:
Since the launch of the Notifiable Data Breaches (NDB) scheme in 2018, the Office of the Australian Information Commissioner (OAIC) has published statistical information about data breach notifications we have received. Our goal in doing so has been to help entities and the public understand privacy risks identified through the scheme, highlight areas that require attention and provide clarity around our regulatory approach.
Six years on, the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.
The OAIC is accelerating our shift to a more risk-based and enforcement and education-focused posture. Entities and the community can expect to see this reflected in a greater focus on directing our regulatory effort where it has the greatest impact, including areas where there is a high risk of harm to the community.
You will observe this report is a little different to previous ones. Our office is evolving our approach in sharing our insights and emerging trends with Australians and the regulated community. There is still statistical information; however, we have focused on providing more succinct guidance and trend observations to help entities comply with obligations.
From January to June this year, we received 527 data breach notifications. This is the highest number of notifications received since July to December 2020 and an increase of 9% compared to the previous 6 months.
Cyber security incidents continue to be a prevalent cause of data breaches, representing 38% of the total, as our increasing reliance on digital tools and online services exposes our details more frequently to malicious cyber actors. This serves as a reminder of how important it is that entities enact measures that guard against common threats, such as malicious actors using compromised credentials, ransomware and phishing, and update these measures as threats arise and change.
While 63% of data breaches affected 100 or fewer people, one incident reported affected over 10 million Australians. This is the second breach recorded to affect more than 10 million Australians and is the highest number of individuals affected by a breach since the NDB scheme came into effect.
Like the last reporting period, the Australian Government is in the top 5 sectors to notify data breaches. This highlights there is still work to do, both in the private and public sectors.
After 6 years of the NDB scheme, we expect entities to comply with their obligations. It is no longer acceptable for privacy to be an afterthought; entities need to be taking a privacy-centric approach in everything they do.
Relevant matters arising from the report:
- the health sector reported the most breaches, 102 of the 527
- 63% of data breaches affected 100 people or fewer
- 67% of the data breaches resulted from malicious or criminal attacks
- 31% of the data breaches were caused by phishing and 24% occurred via ransomware
- the risk of outsourcing personal information handling to third parties continues to be a prevalent issue
- the Australian Government reported the most data breaches involving social engineering or impersonation, accounting for 42% of them
- 4 breaches affected between 50,000 and 100,000 individuals, while 1 affected more than 10,000,000
- 462 data breaches involved access to contact information and 350 involved identity information
- 56% of the data breaches took 10 days or less to detect
- 31% of cases were notified to the Commissioner in 10 days or less, but in 27% of cases reports took more than 30 days to reach the Commissioner
- of the human errors causing data breaches, 38% involved personal information sent to the wrong recipient while 24% involved unauthorised disclosure
The press release relevantly provides:
The OAIC was notified of 527 data breaches from January to June 2024, according to the latest Notifiable data breaches report released today. This is the highest number of notifications since July to December 2020 and an increase of nine per cent from the second half of 2023.
Australian Privacy Commissioner Carly Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” Commissioner Kind said.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”
The MediSecure data breach notified in the period affected approximately 12.9 million Australians – the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.
Similar to previous reports, malicious and criminal attacks were the main source of breaches (67%), with 57% of those being cyber security incidents.
Health and the Australian Government notified the most data breaches of all sectors (19% and 12% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.
Commissioner Kind said six years on from the launch of the scheme, the OAIC has high expectations of organisations.
“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” Commissioner Kind said.
“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”
The OAIC will continue to take a proportionate approach to enforcement and is also focused on providing guidance to help organisations comply with their obligations, reflected in changes to the latest report.
“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like.”
The report’s release comes in the wake of the Australian Government introducing the Privacy and Other Legislation Amendment Bill 2024.
The Bill would strengthen the OAIC’s enforcement toolkit, including through an enhanced civil penalty regime and infringement notice powers. It would also provide important clarification to the scope of existing security obligations by amending Australian Privacy Principle 11 to expressly require organisations to implement technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks.
The OAIC has welcomed these and other measures contained in the Bill as an important step in strengthening Australia’s privacy framework. However, further reform consistent with the Australian Government’s response to the Privacy Act Review is still required to improve security across the economy and enhance the Notifiable Data Breaches scheme.
“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” Commissioner Kind said.