Australian organisations reported 63 data breaches in the first six weeks after mandatory notification rules came into effect, with human error listed as the most common cause.
By contrast, when organisations only had to voluntarily reveal breaches, they only self-reported 114 instances for the entire 2016–17 financial year.
The Office of the Australian Information Commissioner (OAIC) today released the first quarterly report since the mandatory data breach notification scheme came into effect on February 22.
The report notes that eight breach notifications were received in the six days in which the scheme operated in its launch month.
A further 55 data breach notifications were received by the OAIC in March.
Health services providers were responsible for the single largest number of notifications (15), followed by businesses that supply “legal, accounting and management services”.
Organisations in the finance, education and not-for-profit sectors were also implicated.
“The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number,” the OAIC said.
“This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.
“Entities also reported data breaches that involved individuals’ tax file numbers, financial details, such as bank account or credit card numbers, as well as health information.”
The OAIC said 78 percent of notifications it received impacted “contact information”, compared to 24 percent that exposed “identity information”.
“Health information” was exposed in 33 percent of the cases and “financial details” in 30 percent of cases.
The majority of notified breaches (50 percent) were the result of human error, although malicious or criminal actors are believed to have been behind a further 44 percent of incidents.
Just under three-quarters of eligible data breaches (73 percent) “involved the personal information of under 100 individuals”.
Acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said in a statement that “the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.”
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks,” Falk said.