Australian data breach report shows health and finance sectors are most affected

Lilly Diamond
Feb 23, 2024

The July to December 2023 period saw 483 data breaches reported to the Office of the Australian Information Commissioner (OAIC), up 19% from the first half of the same year. There were an additional 121 secondary notifications, a significant increase from the 29 notifications in January to June 2023.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications; the majority of those (211 notifications) were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches. Health reported 104 breaches (22% of all notifications) and finance 49 breaches (10%).

Chart: Notifications received by month from January 2022 to December 2023. OAIC.

Chart: Notifications received by month, showing the sources of breaches. OAIC.

The majority of data breaches (91%) during this reporting period involved personal information of 5,000 or fewer individuals worldwide.

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents.

Among those cyber incidents, the top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Contact and identity information continued to be the most common kinds of personal information involved in data breaches. Most data breaches (88%) involved contact information, such as an individual’s name, home address, phone number and email address.

Chart: Kinds of personal information involved in breaches. OAIC.

In this reporting period, 64% of breaches were identified by the entity within 10 days of occurring. Around a quarter (23%) of breaches were identified more than 30 days after they occurred.

Chart: Time taken to identify breaches. OAIC.

Supply chain risks

In its latest data breach report, the OAIC warned of a growing number of supply chain risks faced by Australian organisations and called for businesses to consider the privacy risks of outsourcing the handling and collection of personal information to third parties.

Australian Information Commissioner Angelene Falk said that the OAIC continues to be notified of a high number of multi-party breaches, most resulting from a breach of a cloud or software provider that then impacted the clients who had outsourced their personal information handling to that provider. This highlights the significant data breach risks that can arise from outsourcing personal information handling.

Lessons learned

Recent data breaches have highlighted the risks of organisations retaining personal information for longer than required. The more personal information an entity holds, the greater the likelihood, scale and complexity of a data breach.

Entities may have various data breach reporting obligations. The Australian Government recently released the Overview of cyber security obligations for corporate leaders booklet to help corporate leaders understand and fulfil their cyber security obligations, including those under the Privacy Act and the Notifiable Data Breaches (NDB) scheme. The Australian Government has also launched a single reporting portal for cyber security incident reporting.

A key takeaway from these notifications is that entities should have an up-to-date data breach response plan.

The Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of the Privacy Act. Whether a civil penalty order is made is up to the court to determine.

An objective of the NDB scheme is to ensure individuals are promptly told of data breaches so they can quickly take steps to minimise their risk of harm, but this is not happening in practice.

A data breach does not necessarily mean an entity will lose the trust of Australians. The Australian Community Attitudes to Privacy Survey 2023 found most Australians would remain with an entity that acts quickly in response to a data breach.

Resources

The Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) has developed prioritised mitigation strategies, the Strategies to Mitigate Cyber Security Incidents, to help entities protect themselves against various cyber threats.

The Cyber Security Agency of Singapore offers a simple cyber health lookup tool that scans your domain or email address. The resulting report shows whether your website connection and web domain are sufficiently secured. The site has a clean design, and a PDF report is also available.

The Cyber Readiness Program is a free resource that helps small and medium-sized enterprises become cyber-ready, improving their resilience to cyber threats. By completing the program, you can develop and implement cyber readiness policies throughout the organization, using checklists, templates, and training materials to engage the workforce and build a stronger cybersecurity posture.

Organisations can run their own phishing security test before an outsider does. Within 24 hours you receive a report showing how prone your organisation is to phishing attempts, along with an industry comparison of your resilience against this insidious and all-too-often successful practice. Once again, being informed is the first step to being armed against possible security breaches.

Microsoft also provides a Phishing attack simulator in Microsoft Security Center.

For network administrators working with Microsoft Windows and other Microsoft products, the Security Compliance Toolkit (SCT) allows them to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines.

Back to the basics

Creating a strong password is an essential step to protecting yourself online. Using long and complex passwords is one of the easiest ways to defend yourself from cybercrime.

Check the security settings in your web browser to make sure they are at an appropriate level. While increasing your security may affect the functionality of some websites, it could prevent you from being attacked.

Ensure your devices are running antivirus where possible. Keep antivirus updated to detect new threats.

Check whether your email account has been compromised by looking up whether your email address has appeared in any known data breaches at https://haveibeenpwned.com/

Cyber insurance is one option that can help protect your business against losses resulting from a cyber attack. The cost of dealing with a cyber attack can be much more than just repairing databases, strengthening security or replacing laptops.

Cyber liability insurance cover can help your business with the costs of recovering from an attack. Like all insurance policies, it is very important your business understands what it is covered for.

If you’re thinking about cyber insurance, discuss with your broker or insurance agent what policy would best fit your company’s needs.

Be Connected is an Australian government initiative committed to building the confidence, digital skills and online safety of older Australians. Whether you want to pick up new skills or dive into a new topic, you can access free learning resources online or join one of the thousands of community organisations running free computer classes across Australia.

Do you know any other resources? Let me know in the comments below.


Lilly Diamond

Citizen and personality who is on Medium writing about true crime, cyber security, government, politics, business, insurance & finance.