Privacy tsar using new powers to search out data breaches

Powers handed to Australia’s privacy watchdog in the wake of the Optus and Medibank data breaches have been used for the first time to gather information on a suspected data breach at an unnamed IT service provider.

The regulatory action – intended to ensure individuals impacted by data breaches are notified – is detailed in the latest six-monthly Notifiable Data Breaches (NDB) Report, which covers the first six months of the year.

In November last year, the federal government passed new laws that significantly increased fines against companies for serious or repeated privacy breaches from $2.22 million to $50 million or more.

As part of the changes, the Information Commissioner was also given powers to require entities to provide information, documents, or answers to questions about a suspected or actual eligible data breach, with failure to comply exposing the entity to fines of up to $93,900.

According to the NDB report, the OAIC became aware of a suspected eligible data breach at an IT service provider that also impacted 20 of its health service provider clients and patients’ treatment information.

When the OAIC requested a client list, the IT service provider declined as it had previously notified the health service provider and “did not have consent to disclose the information”, leading the Information Commissioner to exercise her information gathering powers.

“Following receipt of the notice, the entity provided the information required. This information enabled the Commissioner to ensure the affected individuals were notified and that all entities involved in the data breach complied with the NDB scheme,” the report said.

The Information Commissioner also used the report as an opportunity to alert companies that the discretionary powers can be used to request information in instances where entities take more than 30 days to notify it of an eligible data breach.

The report shows 26 per cent of companies took more than 30 days to notify the OAIC of data breaches, which is similar to the previous six months. Of the 26 per cent of entities, 5 per cent took between four and six months.

In a statement, the Australian Information Commissioner and Privacy Commissioner Angelene Falk said the latest NDB report highlighted the need for organisations to promptly respond to suspected breaches.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected,” she said.

“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams. The longer organisations delay notification, the more the chance of harm increases.”

The report shows a total of 409 breaches were reported to the privacy watchdog in the first half of this year – 16 per cent fewer notifications than were reported in the final six months of 2022, when the Optus and Medibank breaches occurred.

The equal lowest number of notifications since the NDB scheme was introduced in February 2018 were reported in the month of April (45), but this followed 100 notifications in March – the most on record.

But with the OAIC observing a trend where “more notifications are received in the second half of the calendar year”, the result is expected to be short-lived and unlikely to be repeated in the next six-monthly report.

The six-month period covered by the report is also the first time that a data breach affecting more than 10 million Australians has been reported to the OAIC. While the report does not disclose the impacted entities, the data breach against Latitude earlier this year impacted 14 million people.

Health service providers reported the most breaches (63), followed by finance (54) and recruitment agencies (33). Legal, accounting and management services and insurance rounded out the top five, with 26 and 25 notifications, respectively.

Malicious or criminal attacks were responsible for 70 per cent of reported breaches for the second time in a year, followed by human error (26 per cent) and system fault (3 per cent). Ransomware remains the top source of cyber incidents.

Do you know more? Contact James Riley via Email.