There was an uptick in data breaches in the second half of 2021 but an overall drop compared to the previous year, according to the privacy watchdog’s end of year report.
The frequency of data breaches reported under the Notifiable Data Breaches (NDB) scheme rose by 6 per cent in the second half of 2021, according to the latest report by the Office of the Australian Information Commissioner (OAIC).
The OAIC publishes biannual reports on the NDB scheme, which began in 2018.
Between July and December 2021 there were 464 data breach notifications made to the OAIC. This puts the total number of data breaches in 2021 at 907, which is 150 fewer than the 1057 reports made in 2020. More than 70 per cent of the breaches last year affected 100 or less people.
The most common pieces of information compromised were contact information, involved in 85 per cent of cases. Identity information, such as date of birth, passport and drivers licence details were exposed in 40 per cent of breaches. Financial details, including bank account and credit card numbers, were involved in 39 per cent of breaches.
The health service sector was the most frequently breached industry, making up almost 18 per cent of breaches. The finance sector and the legal, accounting, and management services sector were also breached frequently, constituting 12 and 11 per cent of the total breaches respectively.
Australian Information and Privacy Commissioner Angelene Falk said that holding organisations accountable for their handling of information through the NBD scheme will give people greater confidence in engaging with them.
“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Ms Falk said.
“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”
Ms Falk said that given the NDB has been running for four years, she expects organisations to have implemented accountability measures as legally required but that some still fall short.
“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm. Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm,” Commissioner Falk said.
Although breaches resulting from malicious or criminal attacks continue to be the most prevalent, in the second half of 2021 they made up the lowest proportion of breaches in a six-month period since records began. The most common type is classified as a cyber incident, followed by social engineering or impersonation, and theft of paperwork or data storage device.
In the same time period, breaches caused by human error increased by 43 per cent to 190. Human error was also the main source of breaches in the financial and education sector causing 48 and 75 per cent of incidents respectively. However, the total human error caused breaches in 2021 was 323 compared to 380 in 2020.
Human error breaches can be the result of emailing personal information to the wrong recipient, unintended release or publication of personal information, and loss of paperwork or data storage device.
Cybersecurity firm Crowdstrike’s chief technology officer Fabio Fratucello said the latest report is alarming and urged organisations to maintain vigilance.
“CrowdStrike urges organisations to continue to pursue the ‘1-10-60 rule’ to effectively combat cyber threats and breaches. This includes detecting incidents in under one minute, investigating and understanding threats in under 10 minutes, and containing and eliminating the adversary from the environment in under 60 minutes,” Mr Fratucello said.
The latest report from the OAIC comes after an Australian Cyber Security Centre co-authored paper warning of the increasing threat of ransomware attacks was released on 9 February.
Under the NDB scheme, companies must complete a data breach assessment and report to the Commissioner within 30 days of a breach being identified. Between July and December 2021, 75 per cent of organisations reported a breach within 30 days of identifying a breach, which was 2 per cent higher than the previous period. However, 28 organisations took more than 120 days.
The organisations and agencies that must report breaches under the NDB scheme include Australian Government agencies, organisations with an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients. Breaches involving data shared under the consumer data right must also be reported.
This does not include state or territory authorities, political parties, small business operators or prescribed instrumentality of the state.
Do you know more? Contact James Riley via Email.