ARN

Data breach notifications on the rise

Once again, malicious or criminal attacks, including cyber incidents, remain the leading cause of data breaches

More than 500 data breaches in Australia were reported to the Office of the Australian Information Commissioner (OAIC) in the six months ending December 2019, a 19 per cent increase over the prior six-month period.

Altogether, the OAIC was notified of 537 data breaches from July to December 2019 under the Government’s Notifiable Data Breaches scheme, according to the latest half-yearly report by the Commissioner’s Office.

Once again, malicious or criminal attacks, including cyber incidents, remain the leading cause of data breaches involving personal information in Australia, the report revealed. Indeed, malicious or criminal attacks accounted for 64 per cent of all data breaches.

The OAIC received 230 notifications under the malicious or criminal attack category, with phishing, malware, ransomware, brute-force attacks and compromised or stolen credentials the main sources of the data breaches.

“There was a substantial increase in the number of data breaches attributed to malicious or criminal attacks during the reporting period compared to the previous six months, including a rise in breaches attributed to cyber incidents from 192 to 230,” the report stated. 

At the same time, human error remained a key factor in data breaches, causing 32 per cent of breaches reported under the scheme, the report revealed. 

Again, health service providers remained the leading source of notifiable data breaches over the six-month period, notifying 22 per cent of all breaches, while finance was the second highest reporting sector, notifying 14 per cent of all breaches.

The ongoing prominence of Australia’s health sector in the periodic Notifiable Data Breaches (NDB) reports has prompted the OAIC to jointly develop an action plan to help the health sector contain and manage data breaches and implement continued improvement.

The half-yearly report also revealed that there was at least one notifiable breach that affected 10 million or more people, while 132 of the notifiable breaches affected just one person each. 

In the first year after the NDB scheme came into effect in February 2018, a total of 812 data breaches were notified to the OAIC, an average of 67 breaches per month.

According to Australian Information Commissioner and Privacy Commissioner Angelene Falk, the NDB scheme is now well established as an effective reporting mechanism.

“There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies,” Falk said.

“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised,” she added.