Australian data breach statistics revealed in OAIC report
Tue, 22nd Feb 2022

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches Report for July to December 2021, revealing some surprising results around breach disclosure in Australia.

Now in its fourth year of operation, the OAIC report highlights that organisations should by now have strong accountability measures in place to comply with the scheme's requirements.

The report shows the OAIC received 464 data breach notifications from July to December 2021, an increase of 6% compared with the previous period.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281 in the previous period.

While attacks were still the most common cause, human error also accounted for a significant share of breaches, increasing by 43% to 190 notifications after a dip in the previous period.

The health sector was hit hardest, accounting for 18% of all breaches, followed by finance (12%).

Timeliness of reporting was also examined, since a prompt notification is what allows affected individuals to respond quickly. Here there was a slight improvement: 75% of organisations notified the OAIC within 30 days of becoming aware of an incident, compared with 72% in the previous period.

"Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm," says Australian Information Commissioner and Privacy Commissioner Angelene Falk.

"A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm."

Falk also says that the more effort organisations put into protecting their customers' data, the lower their risk of further business consequences.

"Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management."

Unfortunately, the OAIC says that some organisations are still falling short of the scheme's assessment and notification requirements.

The report highlighted a scenario in which a business or enterprise experienced a phishing attack, and an employee's email account was compromised. A preliminary review of the incident suggested a significant amount of personal information was at risk but that it would take five months to identify and tailor notifications to everyone at risk of serious harm.

In this case, the OAIC's view is that best practice would have been to notify individuals promptly with general recommendations applicable to everyone whose personal information was held in the email account, rather than delaying notification in order to tailor it to each person.

Falk says the scheme is well underway and urges businesses to bolster their security to retain trust and adhere to the guidelines.

"The scheme is now mature and we expect organisations to have accountability measures in place to ensure full compliance with its requirements," she says.