409 Aussie Data Breach Notifications Made So Far This Year, but That’s Just the Start of It

It’s that time of the year again, folks, the time when we find out just how many data breaches happen on our own soil without us even realising. It happens twice a year, and this time there’s a little bit of good news: In the six-month period spanning January to June, there were 77 fewer data breaches warranting notification than there were in the prior six months.

But that’s where the good news stops. There were still 409 breaches that qualified for notification to Australia’s Privacy Commissioner. And this time last year, there were 404.

Every six months, Australia’s Privacy Commissioner publishes stats on the state of data breaches in the country, as part of her agency’s oversight of the Notifiable Data Breaches (NDB) scheme. The last stats we published contained data on the entirety of 2022. In 2022, a whopping 890 data breach notifications were made. This year it looks like we’re on track to have fewer, but the trend seems to be that the second half of the year gets nasty.

So, what did we learn from the latest stats?

Firstly, that March was the busiest month. It seems 100 data breach notifications were made during this period. Secondly, the most common type of breach experienced was malicious or criminal attack. This could be anything from a successful phishing campaign through to a large-scale, complete shutdown of IT systems.

Notifications received by month showing the sources of breaches. Image: OAIC

Although the pic below shows that ransomware was the top source of cyber incidents, the OAIC noted that brute force attacks (which accounted for only seven data breach notifications) affected the most individuals on average, at 1,667,293.

Cyber incident breakdown. Image: OAIC

And despite this half of the year resulting in fewer notifications than the previous six months, March 2023 had the highest number of notifications of any month since the scheme started.

Notifications received by month from July 2021 to June 2023. Image: OAIC

According to the OAIC’s report, 91 per cent of the total data breaches counted involved the personal information of 5,000 or fewer individuals worldwide. But 63 per cent of these breaches affected far fewer, up to 100 individuals. Three breaches impacted 10,000,001 or more people, but only one of those affected Australians. Still, that scale is unfathomable.

Number of Australians affected by breaches. Image: OAIC

Of the 23 breaches that affected over 5,000 Australians, 21 were caused by cyber incidents. The OAIC said of these, seven were caused by ransomware, seven by compromised or stolen credentials, four by hacking, and one each by brute-force attack, malware, and phishing.

Fourth (fifth, sixthly??), the most common type of information caught up in data breaches notified to the OAIC was contact information, which can include an individual’s name, home address, phone number, or email address. This is different to identity information, which can include an individual’s date of birth, passport details, and driver’s licence details.

Kinds of personal information involved in breaches. Image: OAIC

The OAIC said personal information being emailed to the wrong recipient was the most common cause of human error breaches in the first half of 2023. Just under 55 per cent of human error breaches resulted from personal information being sent to the wrong recipient, whether by email, post, or another unidentified means. Probably carrier pigeon.

And, lastly, the industries most at fault. Health service providers and the finance industry have consistently reported the most data breaches of all sectors since the NDB scheme began – this time, it’s no different. Health service providers were to blame for 63 data breach notifications and finance for 54. Malicious or criminal attack remained the leading cause of data breaches notified by the top five sectors (which, in addition to health and finance, included recruitment agencies, legal/accounting/management services, and insurance firms).

The OAIC broke that down a little more.

Malicious or criminal attacks breakdown – Top 5 sectors. Image: OAIC/Gizmodo Australia

That’s all for now, stay vigilant out there.