Cyber-attacks add scale to hundreds of data breaches

Joseph Brookes
Senior Reporter

Four large data breaches, including one impacting more than 1 million Australians, were reported to Australia’s privacy regulator in the first half of this year, with ransomware the leading cause of nearly 400 total incidents.

Less breaches were reported overall under the mandatory scheme compared to recent periods. But the regulator is warning about a trend back up within the latest period and an increase in large-scale breaches even before including the Optus and Medibank incidents.

On Thursday, the Office of the Australian Information Commissioner (OAIC) released its six-month Notifiable Data Breaches Report, showing the regulator received 396 notifications. This is down from the reports a year earlier.

24 data breaches were reported to have affected 5000 or more Australians, four of which were reported to affect more than 100,000, including one impacting at least one million Australians. All but one of these breaches were caused by cyber security incidents.

The OAIC report does not detail the breaches, but the reporting period includes significant breaches at an NDIS provider, a superannuation fund and a state government insurance provider.

Of the total 396 breaches reported to the OAIC between January and June, 63 per cent resulted from a malicious or criminal attack, 33 per cent were from human error, and the remaining four per cent from a system fault.

Ransomware was behind nearly a third of the malicious attacks, accounting for 50 breaches. Phishing accounted for 42 breaches, with compromised or stolen credentials from an unknown method responsible for another 40 breaches.

The recent high-profile data breaches at Optus and Medibank were not included in the OAIC report. The two incidents have drawn fierce criticism from the federal government and expedited privacy law reform, including much tougher penalties for data breaches.

The OAIC said despite the overall drop in reported breaches, the data trended upwards in the later part of the period and has continued since.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said organisations needed to act immediately to ensure data is protected and response plans are in place.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required,” she said.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

Australia’s Notifiable Data Breach Scheme launched in 2018. It requires any organisation or government agency covered by the Privacy Act 1988 that experiences a data breach likely to result in serious harm to one or more individuals to notify affected individuals and the OAIC.

In the latest reporting period, 71 per cent of reporting entities notified the OAIC within 30 days of becoming aware of an incident, compared to 75 per cent in the previous period.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories