Notifiable Data Breaches Report: July to December 2022

Regulatory approach

This reporting period, there were several large-scale data breaches that impacted millions of Australians’ personal information, as well as a 26% increase in breaches overall. The response to these incidents demonstrated the high level of community concern about the protection of individuals’ personal information.

In 2022, the OAIC welcomed the passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. This law came into effect on 12 December 2022 and, among other things:

• provides the Commissioner with new and greater powers to quickly share information with other authorities about data breaches (s 33A)
• provides the Commissioner with a new power to obtain information and documents relevant to an actual or suspected eligible data breach (s 26WU)
• enables the Commissioner to conduct an assessment of the ability of an entity to comply with the NDB scheme, including the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches, and provide notice to the Commissioner and individuals at risk from such breaches (s 33C(1)(ca))
• significantly increases penalties for serious or repeated privacy breaches, which includes non-compliance with the NDB scheme (s 13G).

The OAIC continues to work with entities to facilitate voluntary compliance and to ensure best privacy practice and prevent privacy breaches, including data breaches. However, entities should be aware that these new powers are intended to strengthen the NDB scheme and enhance the Commissioner’s enforcement powers. Where appropriate, the Commissioner will use these regulatory powers to ensure compliance with the NDB scheme.

Large-scale data breaches

The January to June 2022 report noted an increase in data breaches that impacted a larger number of Australians. This trend continued into the second half of the year.

Some of the large-scale data breaches reported this period attracted significant public interest. This interest may have raised awareness of the requirement for entities covered by the Privacy Act to notify the OAIC and individuals about eligible data breaches and increased the number of notifications in the second half of the reporting period.

There were 40 breaches that affected over 5,000 Australians this period, compared with 24 last report (a 67% increase). Five of these breaches affected over 1 million Australians, compared with 1 in the previous period.

Cyber incidents continue to have a significant impact on individuals. Thirty-three of the 40 breaches that affected over 5,000 Australians were caused by cyber incidents. Of the 33 cyber incidents, 15 were caused by ransomware, 10 by compromised or stolen credentials, 7 by hacking and 1 by malware.

A further 2 incidents were caused by a rogue employee or insider threat, 2 were caused by social engineering and 1 was caused by theft of paperwork or a data storage device.

Entities must take appropriate and proactive steps to protect against and respond to a range of cyber threats. The Australian Cyber Security Centre (ACSC) considers the most effective way to defend against cyber threats is to implement the Essential Eight cyber security strategies. For further advice on protecting personal information and responding to cyber incidents, see the ACSC cyber incident response plan guidance, template and checklist and the OAIC’s guidance on securing personal information and data breach preparation and response.

Using monitoring and audit logs to quickly assess a suspected breach

Understanding data holdings can reduce the time and resources an entity requires to effectively assess a data breach and support incident response.

Entities that have sufficient audit and activity logging capabilities enabled on their networks, email servers and accounts are better prepared to assess and determine the information accessed and exfiltrated, or likely accessed and exfiltrated, by a threat actor if a data breach occurs.

The following scenarios highlight the difference that having monitoring and audit logs in place can have when dealing with a data breach incident.

Scenario

An entity experienced a phishing attack and an employee’s email account was compromised.

The entity’s preliminary review of the contents of the compromised email account indicated it contained a large quantity of personal information, ranging from contact information to picture copies of driver licences and passports.

Based on a review of audit logs, the entity determined the extent of information in the account that was accessed and that the threat actor had only sent themselves a copy of a contact list, which they attempted to hide by deleting the email from the sent folder.

The entity was therefore able to promptly notify individuals on the contact list and provide information about phishing scams and how to recognise legitimate emails from the entity.

Scenario

An employee’s email account was compromised, which resulted in a threat actor gaining unauthorised access to the entity’s database.

Cyber security specialists conducted a forensic analysis on the entity’s behalf and were unable to conclude whether the threat actor had accessed personal information in the entity’s database. This is because the entity had only retained audit logs for a limited period, which did not include the dates of the incident. This meant that valuable evidence of the breach had not been preserved.

As the entity was unable to confirm the extent of unauthorised access, it had to presume all personal information in the database was accessible to the threat actor and consequently had to notify all potentially affected individuals.

Detecting and preventing system faults

Entities should implement measures to monitor and promptly detect system faults, which can be caused by hardware malfunctions or software settings errors, or even by natural disasters and extreme weather conditions. Entities should also consider whether the software they use is sufficiently secure and has been developed to support privacy and prevent and limit the impact of data breaches.

Entities can assess personal information security risks by conducting a privacy impact assessment and an information security risk assessment, and regularly reviewing personal information security controls. These practices will help entities ensure they are aware of the variety of security risks and the possible impacts and can address them in designing and implementing any new or changed way of handling personal information. This will assist entities to integrate privacy considerations into risk management strategies.

The importance of timely notification

Failure to notify individuals affected by a data breach in a timely manner undermines an entity’s relationship with its customers or clients as it reduces their ability to take steps to mitigate risks arising from the data breach. Proactive, timely and helpful notification to affected individuals builds confidence that an entity has systems and processes in place to identify and quicky respond to data breaches and prioritises the needs of its customers or clients.

Where there are reasonable grounds to believe an eligible data breach of an entity has occurred, the Commissioner may issue a notice under s 26WR of the Privacy Act, directing an entity to prepare a statement about the data breach, provide it to the Commissioner and notify affected individuals.

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 gave the Commissioner further powers under s 26WU to obtain information and documents regarding an actual or suspected eligible data breach of an entity and the entity’s compliance with the NDB scheme. This new provision supports the OAIC’s regulatory role to facilitate timely notification to affected individuals and ensure compliance with the NDB scheme.

Notifying individuals while events unfold

The Privacy Act requires entities to notify individuals about an eligible data breach, including certain information about the incident, as soon as practicable. There are 3 options for notifying individuals:

• The entity can notify each individual whose personal information was involved in the eligible data breach.
• The entity can notify only those individuals who are at risk of serious harm.
• If neither option is practicable, the entity can publish a statement on the eligible data breach on its website and publicise the statement.

A key objective of the NDB scheme is to promote notification to individuals. The information in a notification needs to be timely, trustworthy and easy for individuals to action. Regardless of the method of notification, entities should seek to ensure the information they provide to individuals is accurate and reliable.

Where an eligible data breach is unfolding, there can be challenges in ensuring the notification to individuals is both timely and accurate. In this situation, entities may wish to consider:

• Including in their data breach response plan a strategy for when and how to communicate information about data breaches to individuals. This can assist with making decisions on notification when an incident occurs.
• When notifying individuals directly as well as providing information on their website, seeking to ensure consistent information is provided and updates are communicated clearly.
• Where an entity is unable to complete its assessment promptly and within 30 days, and there are grounds to suspect an eligible data breach may have occurred, consider erring on the side of caution and notifying affected individuals and the OAIC.

A data breach response plan ensures a timely response

The Privacy Act is clear that an entity responding to a data breach must:

• carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the incident amounts to an eligible data breach, and take all reasonable steps to complete the assessment within 30 days
• notify affected individuals and the OAIC as soon as practicable after becoming aware there are reasonable grounds to believe an eligible data breach occurred.

Entities should have a data breach response plan that incorporates the requirements of the NDB scheme. A data breach response plan enables an entity to identify and respond to a data breach quickly. By responding quickly using an existing data breach response plan, an entity can decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach and reduce the potential reputational damage that can result.

Scenario

An entity became aware of unauthorised access to its Microsoft 365 environment. Due to the time it took to appoint a specialist forensic investigator, the entity did not commence an investigation to determine the extent of breach until 2 months later. As a result of this delay in identifying and assessing the breach, there were substantial delays in notifying the breach.

Had the entity had a data breach response plan incorporating the requirements of the NDB, it may have enabled the entity to:

• identify appropriate escalation points
• ensure remedial steps were taken immediately
• commence an investigation at an earlier stage or to take more rapid steps to appoint a specialist, so that the assessment and notification could be completed sooner.

Evidence of cyber incident data breaches

During this reporting period, some entities indicated they considered there to be a lower risk of serious harm to affected individuals either because their investigation of a data breach did not find evidence that data had been exfiltrated, or because their perceived understanding of the threat actor’s motivations led them to believe individuals were unlikely to be harmed.

In some instances, these entities later became aware of information or events that meant these assessments were inaccurate. Moreover, their initial assessment meant individuals were not notified promptly.

Entities should take a holistic approach to their assessment of whether a data breach is likely to result in serious harm to individuals. Among the factors entities should consider are:

• the likelihood that any security measures protecting the information could be overcome
• the kinds of persons who have obtained, or who could obtain, the information (s 26WG).

Whether serious harm to individuals is likely is to be determined from the perspective of a reasonable person. In determining this, entities should be cautious about relying on:

• A lack of evidence that data has been exfiltrated. In many cases, an eligible data breach can occur based on access to information alone. Moreover, some threat actors are careful to delete evidence of their actions within a system, limiting the reliability of a lack of evidence, particularly where an entity does not have adequate audit and activity logs. Finally, not locating the data on the dark web does not mean it has not been disclosed.
• A perceived understanding of a threat actor’s motivations. Entities need to consider the reliability or credibility of the presumed or purported motivation of a threat actor.

Practical strategies for preventing impersonation attacks

During this reporting period, there were a number of breaches that resulted in large‑scale compromises of personal information. As personal information increasingly becomes available through large‑scale breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud, phishing and scams, can increase.

Impersonation fraud involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. In most cases, the impersonator already possessed some, if not all personal information required to circumvent an entity’s identity verification process.

Entities are advised to have robust controls and identity verification processes in place to minimise the risk of impersonation fraud or social engineering, including:

• training staff about identity verification processes and how to report and escalate fraud
• automatically notifying customers when there are changes to their account or failed authentication attempts, or when their account is accessed from a new device or location
• a data breach response plan that sets out clear lines of authority for escalation and decision-making in the event of any actual or suspected data breach incidents.

Where practicable, entities should also consider:

• masking personal information within customer accounts to reduce risk should the account be accessed without authorisation
• temporarily disabling online accounts that have been subjected to failed verification attempts
• hiding webform responses, for example, to ensure a login or password reset form does not reveal the validity of information entered
• enhancing capabilities to detect and prevent unusual or suspicious logins from internet service provider addresses and geolocations
• increasing the frequency of internal audit and quality assurance activities
• providing privacy training to new staff on commencement and all staff at least annually.

Entities should also be aware that a social engineering incident can constitute an eligible data breach, even if a threat actor leveraged personal information they had already obtained (for example, through another data breach) to circumvent or exploit an entity’s security and identity verification processes.

Breaches that involve third-party service providers

When more than one entity holds personal information that is subject to a data breach, all affected entities have obligations under the NDB scheme. To meet these obligations, only one of the affected entities needs to conduct an assessment of the suspected eligible data breach under s 26WH of the Privacy Act and notify affected individuals and the OAIC. If no affected entity complies with the NDB scheme requirements, then all affected entities will be considered non‑compliant.

Although only one entity is required to notify a data breach affecting multiple entities, the number of secondary notifications (notifications relating to the same data breach incident) continued to increase; 42 secondary notifications were received this period compared to 22 in January to June 2022 (a 91% increase). Moreover, 8 of the 40 large-scale data breaches that affected over 5,000 Australians this period involved a service provider relationship.

This indicates the significant data breach risks that can arise in the handling of personal information where there is a service provider or contractor relationship.

Where an entity receives services from a third-party that involve the handling of personal information, or itself provides such services to other entities, it is recommended entities:

• Work together to ensure the requirements of the NDB scheme are met. In some instances, the entity with the most information about the data breach will not be the entity with the most direct relationship with affected individuals. It may be that the entity with the most information about the data breach can most effectively complete the assessment, and the entity (or entities) with the most direct relationship with affected individuals is best placed to notify affected individuals.
• Establish and implement data breach response plans to support a timely and efficient response. Where an entity deals with other entities in handling personal information, this could include strategies for managing breaches and set out roles and responsibilities, acknowledging these information flows.
• Have a service agreement or contractual arrangement in place and ensure it addresses the handling of personal information and steps to respond to a data breach. Agreements of this kind can enable multiple entities impacted by a single data breach to respond quickly and ensure affected individuals and the OAIC are notified as soon as practicable. It can be especially beneficial to have such an agreement in place where an entity handles personal information for or on behalf of a business that is not covered by the Privacy Act.

Scenario

An information technology (IT) service provider experienced a ransomware attack. Its systems were accessed by a threat actor, data was exfiltrated and a subset of the data was uploaded on a public forum.

As the IT provider had a detection and data breach response plan in place, it was able to quickly identify the breach and stop it from impacting other environments. In line with its data breach response plan, the IT provider assessed the impact of the breach, establishing the kinds of personal information involved, quickly after becoming aware of the breach.

The IT provider notified the OAIC and informed its client organisations of the incident. It also took proactive measures to ensure affected individuals were notified by the client organisations, including:

• emailing client organisations and having follow-up telephone discussions in some instances
• informing the OAIC of the client organisations impacted by the incident
• publishing a statement on its website
• directly notifying the affected individuals on behalf of certain client organisations.

These steps reduced the impact the breach had on the operation of the IT provider and its client organisations’ businesses and prevented any delays in the client organisations notifying affected individuals.