5 September 2023
The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.
The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.
“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”
The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach.
“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” Commissioner Falk said.
“The longer organisations delay notification, the more the chance of harm increases.”
The January to June 2023 period saw 409 data breaches reported to the OAIC. While that was a 16% decrease in the number of notifications compared to the previous period, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018.
Cyber security incidents were the source of 42% of all breaches (172 notifications). The top three cyber-attack methods were ransomware (53 notifications), compromised or stolen credentials for which the method was unknown (50 notifications) and phishing (33 notifications).
Contact, identity and financial information remained the most common kinds of personal information involved in breaches.
“Every piece of data that is compromised can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm," Commissioner Falk said.
“This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.
“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”
The first half of 2023 also saw the Attorney-General’s Department release its proposed reforms to the Privacy Act 1988 in the Privacy Act review report.
“Our latest report demonstrates data breaches are still very much a factor in the digital world,” said Commissioner Falk.
“The proposed reforms to the Privacy Act will provide a stronger framework for the handling of our personal information and help to strengthen trust in the digital economy.
“Our latest Australian Community Attitudes to Privacy Survey found Australians view data breaches as the biggest privacy risk, and 89% would like the government to pass more legislation that protects their personal information.”
- The OAIC publishes regular statistics to help organisations and the public understand privacy risks identified through the Notifiable Data Breaches scheme.
- An eligible (notifiable) data breach occurs when:
- Personal information has been lost, or accessed or disclosed without authorisation.
- This is likely to result in serious harm to one or more individuals.
- The organisation has not been able to prevent the likely risk of serious harm with remedial action.
- The Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach. Once the organisation forms a reasonable belief that there has been an eligible data breach, they must notify affected individuals and the OAIC as soon as practicable.
- The OAIC has published guidance on securing personal information and data breach preparation and response, as well as advice for individuals on responding to a data breach notification.