Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.
“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.
“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”
Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents. “Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.
“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”
Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.
“As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.
“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.
Figures released on Wednesday by the Office of the Australian Information Commissioner show five breaches affected between 1 million and 10 million people between July and December.
The statistics do not name the entities breached or the exact size of the incidents but confirm a sharp rise in major cyberattacks and privacy breaches. The total number of incidents reported to the commissioner was up 26 per cent over the previous period, while the number of breaches that affected more than 5000 Australians rose 67 percent to 40.
The cyber incidents of 2023 exposed publicly prominent Australian companies such as Medibank and Optus, Woolworths subsidiary MyDeal disclosed a breach affecting an estimated 2.2 million people. The breaches could also be from overseas companies that affected Australians.
Criminal attacks accounted for 70 per cent of breaches, with the rest a result of problems such as human error and system faults. The healthcare, finance, insurance, professional services and recruiting industries reported the most breaches, in that order.
Data breaches have to be reported to the commissioner’s office when a company, group or government entity loses control of personal information that is likely to result in serious harm that cannot immediately be remediated.
Commissioner Angelene Falk said organisations should be auditing the amounts of data they have on people as a key step in avoiding serious hacks. “This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”
Her office’s report noted the increased number of incidents disclosed could also be a product of greater awareness that breaches have to be reported.
The federal government has increased fines since the Optus and Medibank breaches last year and is considering banning paying ransoms or requiring them to be reported, to stop Australia being a honeypot for hackers.
