Latest privacy commission Notifiable Data Breaches report shines light on types of breaches occurring and issues warning to organisations to be more prompt to reporting issues
The latest Office of Australian Information Commissioner (OAIC) Notifiable Data Breach Report has been released, highlighting a rise in incidences over the last six months of 2021 as well as the need for organisations to step up their reporting game.
In all, 464 data breach notifications were received by the OAIC between July and December 2021, an increase of 6 per cent over the previous reporting period. The highest number were recorded in the month of November. Overall, 900 data breaches were reported in Australia during 2021.
Of these, 55 per cent, or 256 notifications, related to malicious or criminal attacks. These remain the leading source of breaches but were down 9 per cent over the six-month period. Within this segment, cyber incidents represented the largest share at 68 per cent, with phishing accounting for the latest percentage of this pie (32 per cent). This was followed by compromised or stolen credentials (28 per cent) and ransomware (23 per cent).
By comparison, OAIC reported a significant in breaches due to human error, increasing 43 per cent to 190 after a dip in the previous reporting period. Top causes of these breaches are personal information being sent to the wrong recipient (43 per cent), unintended release of publication (21 per cent) and loss of data storage device or paperwork (8 per cent).
The third pot of breaches are related to system faults. These were down by 18 per cent compared to the previous reporting period.
Across industries, the health sector is the largest source of data breaches at 18 per cent. This was followed by finance (12 per cent). Malicious or criminal attacks were the leading source of breaches for legal, accounting and management services (71 per cent), insurance (53 per cent) and personal services (50 per cent).
Health service providers reported an equal number of breaches resulting from malicious or criminal
attack and human error (47 per cent apiece). However, the OAIC noted unlike previous reports, human error was the leading source of breaches for the finance sector (48 per cent). Human error also caused the majority of breaches experienced by education providers (75 per cent).
The most common type of personal data impacted is contact information, such as email addresses, name, home address and phone number. The OAIC pointed out this is distinct to identity information, which encompasses date of birth, drivers licence details and passport details. Across the six-month reporting period, identity information was exposed across 40 per cent of data breaches. Financial details were also exposed in 39 per cent of data breach instances.
As to their effect, the OAIC found 96 per cent of breaches affect fewer than 5000 individuals, while 71 per cent effect fewer than 100 people.
Three in four organisations reported the data breaches within the first 30 days, considered the outside limit for notifications by the OAIC. However, 28 organisations took more than 120 days from becoming aware of the incident to reporting the data breach. System fault breaches were usually the quickest to be reported, followed by human error then malicious or criminal attacks.
Commenting on the findings, OAIC commissioner, Angelene Falk, urged organisations to put accountability at the centre of their information handling practices.
“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said. “If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”
The OAIC warned some organisations are falling short of the scheme’s assessment and notification requirements. Commissioner Falk said swift assessment and notification is required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11 per cent) in 2021 did not become aware of the incident for over a year.
“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said. “Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”
The OAIC’s Notifiable Data Breach scheme has been in play for four years and introduced new obligations for Australian Government agencies and private sector organisations that have existing information security obligations under the Privacy Act. The NDB scheme replaced the voluntary data breach notification scheme that had been in operation since 2008.
You can also follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, follow our regular updates via CMO Australia's Linkedin company page
In the third and final episode of our 3-part CMO50 video series exploring modern marketing and why it’s become a matter of trust, we’re delighted to be joined by Telstra’s former CMO and now digital services and sales executive, Jeremy Nicholas, and Adobe VP Marketing Asia-Pacific and Japan, Duncan Egan.
Flash back to the classic film, Willy Wonka and the Chocolate Factory. Television-obsessed Mike insists on becoming the first person to be ‘sent by Wonkavision’, dematerialising on one end, pixel by pixel, and materialising in another space. His cinematic dreams are realised thanks to rash decisions as he is shrunken down to fit the digital universe, followed by a trip to the taffy puller to return to normal size.
Why is it there is no shortage of leadership development materials, yet outstanding leadership is so rare? Despite having access to so many leadership principles, tools, systems and processes, why is it so hard to develop and improve as a leader?
As a nation united by sport, brands are beginning to learn money alone won’t talk without aligned values and action. If recent events with major leagues and their players have shown us anything, it’s the next generation of athletes are standing by what they believe in – and they won’t let their values be superseded by money.
