Data breaches drop 16 percent between January and June 2023: OAIC

For the first six months of 2023, the amount of data breaches reported in Australia dropped by 16 percent.

In its twice-yearly notifiable data breaches report, the OAIC highlighted that there were 409 data breaches notified to the commissioner.

Despite the decrease, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018.

Cybersecurity incidents were the source of 42 percent of all breaches. The top three cyber-attack methods were ransomware, compromised or stolen credentials for which the method was unknown and phishing.

Contact, identity and financial information remained the most common kinds of personal information involved in breaches.

Health service, finance and recruitment agencies were the top sectors impacted by data breaches.

Angelene Falk, commissioner at the OAIC said she expects organisations to have robust and proactive procedures in place to protect the personal information they hold.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” she explained.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach.

Falk said prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams.

“The longer organisations delay notification, the more the chance of harm increases,” Falk said.

“Every piece of data that is compromised can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm. This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.”

She added, “Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”

The first half of 2023 also saw the Attorney-General’s Department release its proposed reforms to the Privacy Act 1988 in the Privacy Act review report.

“Our latest report demonstrates data breaches are still very much a factor in the digital world,” Falk explained.

“The proposed reforms to the Privacy Act will provide a stronger framework for the handling of our personal information and help to strengthen trust in the digital economy.

“Our latest Australian community attitudes to privacy survey found Australians view data breaches as the biggest privacy risk, and 89 percent would like the government to pass more legislation that protects their personal information.”