10 November 2022

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable data breaches report released today stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics for January to June 2022 show areas that require organisations’ immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021.

Forty-one per cent of all breaches (162 notifications) resulted from cyber security incidents. The top sources of cyber incidents were ransomware (51 notifications), phishing (42 notifications) and compromised or stolen credentials (method unknown) (40 notifications).

Despite the overall fall in notifications, the data trended upwards in the later part of the period, which has continued. The report also draws attention to an increase in larger scale breaches and breaches affecting multiple entities in the reporting period.

There were 24 data breaches reported to affect 5,000 or more Australians, four of which were reported to affect 100,000 or more Australians. All but one of these 24 breaches were caused by cyber security incidents.

“The number of larger scale breaches caused by cyber security incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment,” Commissioner Falk said.

The Privacy Act 1988 requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must notify the OAIC and affected individuals as soon as practicable.

In the reporting period, 71% of entities notified the OAIC within 30 days of becoming aware of an incident, compared to 75% in the previous period.

“A key focus for the OAIC is the time taken by entities to identify, assess and notify us and affected individuals of data breaches,” Commissioner Falk said.

“As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”

Commissioner Falk welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before Parliament, which give the Commissioner stronger information gathering powers to ensure entities are reporting breaches and notifying individuals when they need to and increase penalties for serious or repeated privacy breaches.

Read the Notifiable data breaches report January to June 2022.

Notes to editors

An eligible (notifiable) data breach occurs when:

  • personal information has been lost, or accessed or disclosed without authorisation
  • this is likely to result in serious harm to one or more individuals
  • the organisation or Australian Government agency has not been able to prevent the likely risk of serious harm with remedial action.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases the maximum penalties for serious or repeated privacy breaches from the current $2.22 million to whichever is the greater of:

  • $50 million
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company’s adjusted turnover in the relevant period.