Australian data protection authority received almost 500 breach reports in December half

While it’s no secret that cybersecurity attacks have posed a major threat to Australian organisations over the last few years, the nation’s leading data protection authority has released a report warning a high number of multi-party breaches continue to occur.

Prepared by the Office of the Australian Information Commissioner (OAIC), the Notifiable Data Breaches Report found that between July and December last year, 483 data breaches were reported to the agency, reflecting a 19 per cent increase compared to the six months prior.

It also found that the most targeted sectors were health and finance, making up 22 per cent and 10 per cent of reported breaches respectively. Other industries hit included insurance (9.3 per cent), retail (8 per cent) and Australian Government organisations (7.8 per cent).

Australian Information Commissioner Angelene Falk said the OAIC continues to be notified of a high number of multi-party breaches, with most resulting from the breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Commissioner Falk.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”

According to the report, the vast majority of data breaches (88 per cent) involved contact information, such as an individual’s name, home address, phone number or email address.

The OAIC notes that this is distinct from identity information, which was exposed in 63 per cent of breaches and includes data that can confirm a person’s identity, some examples being date of birth, passport details and other government identifiers.

During the reporting period, 41 per cent of data breaches targeted health information, surpassing financial details (34.2 per cent) as the third most common kind of personal information affected. The fourth most affected kind of data was Tax File Numbers (17.5 per cent), followed by other sensitive information (13.3 per cent).

Phishing, a tactic where hackers send a fraudulent email to trick users into providing personal information, was one of the most popular methods used to obtain information, comprising 28 per cent of breaches. This was followed by compromised credentials and ransomware attacks (27 per cent), hacking (10 per cent), malware (5 per cent) and brute-force attacks (3 per cent).

The report also found the fastest breaches to be identified were those caused by human error, with 71 per cent found within 10 days. This was followed by malicious or criminal attacks (61 per cent) and system fault breaches (53 per cent).

The majority (65 per cent) of breaches affected 100 or fewer people.

Numerous organisations across Australia have been hit with cyber security attacks over recent years, including private health insurer Medibank (ASX: MPL), fintech Latitude (ASX: LFS), specialist investors FIIG Securities, enterprise software company TechnologyOne (ASX: TNE), and more.

When it came to entities notifying the OAIC of a breach occurring, 72 per cent did so within 30 days of becoming aware of the incident, reflecting a slight two per cent dip from the previous period.

Commissioner Falk said the Notifiable Data Breaches scheme is now well established and the OAIC expects organisations to comply with their obligations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Commissioner Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.”

The release of the report comes just before Carly Kind will take over as Privacy Commissioner on 26 February.

“I look forward to welcoming Commissioner Kind to the OAIC at a time when privacy and the protection of personal information have never been more crucial for the Australian community,” Falk said.
