Australian data breach report highlights supply chain risks

The OAIC has called for organisations to proactively address privacy risks from outsourcing personal information handling to third parties

The Office of the Australian Information Commissioner (OAIC) has warned of a growing number of supply chain risks faced by Australian organisations in its latest data breach report.

Australian Information Commissioner Angelene Falk said that the OAIC continues to be notified of a high number of multi-party breaches, with most resulting from a breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Falk. “Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations,” she added.

The July to December 2023 period saw 483 data breaches reported to the OAIC, up 19% from the first half of the year. There were an additional 121 secondary notifications, a significant increase from 29 notifications in January to June 2023.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, and the majority of those (211 notifications) were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively.

Falk said the Notifiable Data Breaches scheme is now well-established and that the OAIC expects organisations to comply with their obligations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach. If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”

The Australian government responded to the Attorney-General’s Department’s review of the Privacy Act 1988 in the second half of 2023, agreeing in principle to proposals that would strengthen the Notifiable Data Breaches scheme, including changes to reporting timeframes.

The release of the Notifiable Data Breaches report comes shortly before the commencement of Carly Kind as privacy commissioner on 26 February 2024.

“I look forward to welcoming Commissioner Kind to the OAIC at a time when privacy and the protection of personal information have never been more crucial for the Australian community,” Falk said.