CMO

OAIC: Australian data breaches rise in last 6 months of 2021

Latest privacy commissioner Notifiable Data Breaches report shines a light on the types of breaches occurring and warns organisations to be more prompt in reporting issues

The latest Office of Australian Information Commissioner (OAIC) Notifiable Data Breach Report has been released, highlighting a rise in incidences over the last six months of 2021 as well as the need for organisations to step up their reporting game.  

In all, 464 data breach notifications were received by the OAIC between July and December 2021, an increase of 6 per cent over the previous reporting period. The highest number were recorded in the month of November. Overall, 900 data breaches were reported in Australia during 2021.  

Of these, 55 per cent, or 256 notifications, related to malicious or criminal attacks. These remain the leading source of breaches but were down 9 per cent over the six-month period. Within this segment, cyber incidents represented the largest share at 68 per cent, with phishing accounting for the largest percentage of this pie (32 per cent). This was followed by compromised or stolen credentials (28 per cent) and ransomware (23 per cent).

By comparison, the OAIC reported a significant increase in breaches due to human error, up 43 per cent to 190 after a dip in the previous reporting period. The top causes of these breaches were personal information being sent to the wrong recipient (43 per cent), unintended release or publication (21 per cent) and loss of a data storage device or paperwork (8 per cent).

The third category of breaches relates to system faults. These were down 18 per cent compared to the previous reporting period.

Across industries, the health sector is the largest source of data breaches at 18 per cent. This was followed by finance (12 per cent). Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71 per cent), insurance (53 per cent) and personal services (50 per cent).  

Health service providers reported an equal number of breaches resulting from malicious or criminal attack and human error (47 per cent apiece). However, the OAIC noted that, unlike in previous reports, human error was the leading source of breaches for the finance sector (48 per cent). Human error also caused the majority of breaches experienced by education providers (75 per cent).

The most common type of personal data impacted is contact information, such as email addresses, names, home addresses and phone numbers. The OAIC pointed out that this is distinct from identity information, which encompasses date of birth, driver's licence details and passport details. Across the six-month reporting period, identity information was exposed in 40 per cent of data breaches. Financial details were also exposed in 39 per cent of data breach instances.

As to their effect, the OAIC found 96 per cent of breaches affected fewer than 5000 individuals, while 71 per cent affected fewer than 100 people.

Three in four organisations reported their data breaches within the first 30 days, which the OAIC considers the outside limit for notification. However, 28 organisations took more than 120 days from becoming aware of the incident to reporting the data breach. System fault breaches were usually the quickest to be reported, followed by human error and then malicious or criminal attacks.

Commenting on the findings, OAIC commissioner Angelene Falk urged organisations to put accountability at the centre of their information handling practices.

“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said. “If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”  

The OAIC warned that some organisations are falling short of the scheme's assessment and notification requirements. Commissioner Falk said swift assessment and notification are required, supported by systems that can detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11 per cent) in 2021 did not become aware of the incident for over a year.

“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said. “Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”  

The OAIC's Notifiable Data Breaches (NDB) scheme has been in operation for four years and introduced new obligations for Australian Government agencies and private sector organisations that already have information security obligations under the Privacy Act. The NDB scheme replaced the voluntary data breach notification scheme that had been in operation since 2008.
