23 August 2021

The latest Notifiable Data Breaches Report highlights how the Office of the Australian Information Commissioner (OAIC) expects entities to prevent and respond to data breaches caused by ransomware and impersonation fraud.

The OAIC received 446 data breach notifications from January to June 2021, with 43% of these breaches resulting from cyber security incidents.

Data breaches arising from ransomware incidents increased by 24%, from 37 notifications last reporting period to 46.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern, particularly due to the difficulties in assessing breaches involving ransomware.

“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.

“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

The OAIC was notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location.

“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

Other key findings:

  • Malicious or criminal attacks remain the leading source of data breaches, accounting for 65% of notifications.
  • Data breaches resulting from human error accounted for 30% of notifications, down from 203 to 134.
  • The health sector remains the highest reporting industry sector (19% of all notifications), followed by finance (13%).
  • The number of notifications varied across the reporting period, ranging from 45 in January – the lowest monthly total since the Notifiable Data Breaches scheme commenced – to 102 in March.
  • 91% of data breaches involved contact information, making it the most common type of personal information involved in data breaches.
  • 93% of data breaches affected 5,000 individuals or fewer, with 65% of breaches affecting 100 individuals or fewer. 44% of breaches affected between 1 and 10 individuals.
  • 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.

While human error breaches decreased after a significant increase last reporting period, Commissioner Falk said entities need to remain alert to this risk, particularly in the Australian Government sector, where 74% of breaches fell into this category.

“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” she said.

“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”

Read the Notifiable Data Breaches Report January to June 2021.

The OAIC has released a new Easy English resource on what to do if there is a data breach.