As lawmakers work on legislation to curb the recent surge in cyberattacks targeting Australian organizations, the Office of the Australian Information Commissioner (OAIC) last week released its notifiable data breaches report for January to June 2022. The report showed a 14% decrease in reported incidents overall, but saw a noted upswing towards the end of the period.
Under the notifiable data breaches (NDB) scheme, the healthcare sector again reported the most data breaches to the privacy regulator over the January to June period, continuing a trend that has held since Australia's reporting scheme began in 2018.
Kinds of personal information involved in breaches
Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches.
Most breaches (84%) involved contact information, such as an individual’s name, home address, phone number or email address.
This is distinct from identity information, which was exposed in 55% of breaches and includes an individual’s date of birth, passport details and driver licence details. Financial details, such as bank account and credit card numbers, were involved in 37% of breaches.
Technology Decisions notes that there was also an increase in larger-scale breaches and incidents impacting multiple entities. Overall, 41% of breaches resulted from cybersecurity incidents, and the top sources of these incidents were ransomware, phishing scams, and compromised or stolen credentials.
Australian Information Commissioner and Privacy Commissioner Angelene Falk stated, “Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place.” She advised organizations to establish a breach response plan, and urged them to collect only the data that is necessary and to delete it once it is no longer needed.
It’s worth noting that Australia’s Privacy Act 1988 requires entities to conduct a data breach assessment and notify the OAIC within 30 days of learning of a suspected breach. In the reporting period, 71% of entities notified the OAIC within 30 days of becoming aware of an incident, down from 75% in the previous period. “As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe,” Falk stated.