The Australian government fell outside the top industry sectors for data breaches in the second half of 2021, despite agencies logging 28 notifications during the six-month period.
The latest notifiable data breaches report [pdf], released on Tuesday, shows there were 464 notifications in total received by the Office of the Australian Information Commissioner (OAIC) between July and December 2021, up from 446 in the first half of the year.
Health service providers again topped the list of industry sectors with 83 notifications, followed by finance (56), legal, accounting and management (51) and personal services (36).
The health and finance sectors have topped the list in each of the reporting periods since the reporting scheme began in July 2018, while personal services last appeared in 2019.
Education and insurance reported 32 notifications each, which caused the OAIC to detail six - instead of five - industry sectors in its report for the first time.
A noticeable absentee from those six industry sectors, however, is the Australian government, whose data breaches are not broken out at all.
Documents released under freedom of information laws earlier this month show the Australian government made 28 notifications during the reporting period.
This is down on the last two periods, where the government sector reported 34 notifications (January to June 2021) and 33 notifications (July to December 2020), and places them outside the top five or six sectors.
The Australian government debuted as an industry sector in July to December 2020, which coincided with a warning from Prime Minister Scott Morrison following a rise in breaches.
It refers to breaches by federal entities only.
State and territory data breaches, like those experienced by the South Australian government and the NSW Department of Education, are not required to be reported to the OAIC.
The latest OAIC report also shows that malicious or criminal attacks remain the leading source of data breaches (55 percent), followed by human error (41 percent) and system faults (four percent).
Phishing was responsible for 55 notifications and ransomware 40 notifications, while compromised or stolen credentials (of unknown cause) led to 48 notifications.
Unintended publication accounted for 40 notifications, each on average affecting 745 individuals, while the persistent error of using CC instead of BCC on emails led to 44 notifications.
Australian information commissioner and privacy commissioner Angelene Falk again used the report to urge organisations to assess and report data breaches more swiftly.
She cited system faults, where 11 percent of organisations impacted "did not become aware of the incident for over a year".
“A key objective of the [data breach notification] scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Falk said.
“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”
The report shows 28 organisations took longer than 120 days to notify the OAIC of an incident after they became aware of it.
But this is not the norm; 75 percent of organisations notified the OAIC within 30 days of becoming aware of an incident, up from 72 percent in the previous report.