Uh Oh, Aussie Data Breaches Spiked By Nearly 20% at The End of 2023


It’s the most concerning time of the year when the Office of the Australian Information Commissioner (OAIC) releases its data breach numbers for the last six months, and its latest findings are, well, not good.

Between July and December last year, the OAIC saw 483 data breaches reported, a 19 per cent jump from the first half of the year, when there were 409 breaches.

There were an additional 121 secondary notifications, a significant increase from 29 notifications in January to June 2023. Secondary notifications are those that relate to an initial notification received in a prior period. Basically, this means this isn’t the first time a company has been impacted by a breach.

Leading the breaches were malicious or criminal attacks, making up 322 notifications with most of them being cyber security incidents. Human error and system faults made up one-third of the total notifications.

According to the OAIC, the health sector was the most impacted with 104 breaches, followed by finance, insurance, retail and the Australian government.


“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” OAIC commissioner Angelene Falk said. 

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”


The OAIC has also identified the security of personal information as a regulatory priority and said it will be focusing on regulatory action that addresses areas where there is the greatest risk of harm to individuals. 

This includes serious failures to take reasonable steps to protect personal information, inappropriate data retention practices, and failures to comply with the reporting requirements of the NDB scheme, particularly where the OAIC has publicised risks and mitigations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” Falk said.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.”

Falk said organisations must have security measures in place to minimise the risk of a data breach.

“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised,” she ended. 

Read the full report here. 

