Five data breaches hit a million-plus Australians in six months


Five data breaches impacted more than a million Australians each in the second half of 2022, according to new data that also reveals a 41 per cent increase in malicious attacks against businesses and federal government agencies.

The full extent of large-scale data breaches during the six-month period in which the notable breaches at Optus and Medicare occurred is revealed in the Office of the Australian Information Commissioner’s latest six-monthly Notifiable Data Breaches (NDB) Report.

A total of 497 notifications were reported to the privacy watchdog in the six months to December – a 26 per cent increase on the first half of 2022. Most breaches occurred in the health (71 notifications) and finance (68 notifications) sectors.

The report, released on Wednesday, reveals that three data breaches impacting between 1 million and 10 million Australians were reported in addition to Optus and Medibank, though none of the entities are disclosed.

Optus and Medibank experienced data breaches over a three-week period in September and October that impacted close to 10 million customers each, resulting in new penalties for serious and repeated breaches.

Other entities known to have experienced data breaches impacting more than 1 million Australians over the last six months include Woolworths subsidiary MyDeal, which experienced a breach impacting 2.2 million customers.

Another 35 data breaches impacted over 5,000 people each, with most incidents caused by ransomware, compromised or stolen credentials, or hacking. The vast majority of data breaches (62 per cent) affected fewer than 100 people.

The report also reveals that malicious or criminal attacks, which accounted for 70 per cent of data breaches, increased 41 per cent on the first half of 2022. Human error (25 per cent) and system fault (5 per cent) were responsible for the remaining 30 per cent.

Information and Privacy Commissioner Angelene Falk said the “significant increase” in data breaches impacting a larger number of Australians showed the need for organisations to be alert to the risk of cyber security incidents.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches,” she said in a statement accompanying the report on Wednesday.

“Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats. This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Discussing the findings of the report and the harmonisation of cybersecurity and privacy laws at a Minter Ellison briefing later on Wednesday, Ms Falk said the government needed to be careful to ensure the intent behind specific laws remains unchanged.

“In looking for harmonisation I think we need to be careful to ensure that the policy and social policy issues that each legislation seeks to address is maintained,” she said, referring to changes suggested in a discussion paper this week.

Ms Falk said there was a way in which “harmonisation could occur without losing sight of those important differences”, however, pointing to proposed changes to Notifiable Data Breach Reporting obligations.

According to the NDB report, the proportion of businesses and federal government agencies that reported within 30 days is steady at 71 per cent. The Privacy Act review has flagged changes that could see reporting timeframes fall to only 72 hours, as is the case in the United Kingdom.

Do you know more? Contact James Riley via Email.