A sharp increase in the number of data breaches caused by ransomware attacks and the highest ever number of monthly notifications has been recorded over the past six months.
The findings are contained in the Office of the Australian Information Commissioner’s eighth notifiable data breaches report [pdf] released on Friday.
The report, which now covers a six-monthly period, reveals 518 notifications were received by the privacy and freedom of information authority between January and June 2020.
This represents a three percent decrease on the 532 notifications received between July and December last year, but a 16 percent increase compared with the same period last year.
OAIC said that May saw more data breach notifications than “in any calendar month since the scheme began in February 2018”, with 124 notifications received.
But no “specific cause for the increase” was identified, despite a small increase in notifications attributed to human error (39 percent versus 34 percent for the overall reporting period).
The majority of breaches continue to be the result of malicious or criminal attacks, which accounted for 317 notifications or 61 percent - a slight decrease on the previous six months.
These stemmed mostly from cyber incidents (218 notifications) resulting from “phishing, malware, ransomware, brute-force attacks and compromised or stolen credentials”.
“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” information and privacy commissioner Angelene Falk said.
“This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.”
She said ransomware was now the cause of 33 notifications, more than double the 13 notifications reported in the previous six-month period.
The number of notifications resulting from social engineering or impersonation has similarly increased by 47 percent to 50 data breaches.
“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.
“This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks.”
The number of individuals involved in the data breaches was largely consistent with previous reports, with the majority impacting fewer than 100 individuals.
Two data breach notifications were said to have affected between 1 million and 10 million people, however, while another impacted more than 10 million individuals.
Health service providers remain the most likely industry sector to report a data breach, with 115 notifications reported during the period, followed by finance (75) and private education providers (44).
The report also reveals that while the majority of entities were able to identify a breach within 30 days, there were 47 instances where an entity only became aware after 61 days.
Fourteen entities took more than a year to become aware that a data breach had occurred and assess the situation.