
Data breaches in Australia on the rise, says OAIC

Cyber security incidents were the cause of most data breaches, which rose by 26% in the second half of 2022, according to the Office of the Australian Information Commissioner


The latest notifiable data breaches report from the Office of the Australian Information Commissioner (OAIC) noted a 26% increase in breaches in the second half of 2022, including several large-scale breaches that impacted millions of Australians.

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches,” said Australian information and privacy commissioner Angelene Falk.

According to the OAIC, 33 of the 40 breaches that each affected more than 5,000 Australians were the result of cyber security incidents. By comparison, there were only 24 such large-scale breaches in the first half of 2022.

High-profile breaches in the second half of 2022 included Optus, with more than 10 million customers said to be affected, and Medibank, with the personal information of 9.7 million customers, former customers and their authorised representatives being accessed by the intruders.

The Commonwealth government reacted in part by increasing penalties under the Privacy Act and granting enhanced enforcement powers to the Australian Information Commissioner, as well as initiating a review of the Act. The report of that review was published in mid-February, and the deadline for feedback is 31 March 2023.

One of the recommendations is that the small business exemption from the Privacy Act, which currently excludes most businesses with turnovers up to A$3m, should be removed, but only after an impact analysis has been undertaken along with other requirements.

While large-scale breaches understandably attracted a lot of attention, 62% of reported breaches affected no more than 100 people.


Overall, 70% of data breaches were the result of malicious or criminal attacks, with another 25% down to human error – most commonly by sending emails to the wrong address, closely followed by unintended release or publication, with the failure to use BCC when sending emails coming in a distant third.

Consistent with the advice of security professionals, Falk said organisations should start “with collecting the minimum amount of personal information required and deleting it when it is no longer needed”.

She also called upon organisations to be vigilant, and to “have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals”.

And when breaches do occur, she said organisations need to provide information to individuals that is timely and accurate. “As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” she added.
