Written by staff writer.
The Office of the Australian Information Commissioner (OAIC) says healthcare organisations were the most likely to report a data breach in the first half of 2023. However, the Australian Government agency says entities reported 15% fewer data breaches in 1H 2023 than in 2H 2022.
The OAIC regularly releases snapshots of reported data breaches over half-year periods, and this week, its latest report says it received 409 notifications in the six months to June 30, compared to 486 in the six months to December 31, 2022.
Human error was responsible for 26% of the data breaches, system faults 4%, and malicious or criminal attacks accounted for 70% of breaches. The healthcare sector reported the most breaches, followed by the finance industry; workplace recruitment sector; legal, accounting and management services; and the insurance industry.
The top three malicious or criminal breaches were ransomware (30%), compromised or stolen credentials for which the method remains unknown (29%), and phishing (19%).
The top causes of human error breaches were personal information inadvertently sent to the wrong email address (46%), inadvertent disclosure or publication of information (18%), and the loss of physical paperwork or storage devices (9%).
OAIC Commissioner Angelene Falk said the report highlighted the need for organisations to shore up their cyber defences to ensure the integrity and security of data held. “As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” she said, adding that contact, identity and financial information remained the most common kinds of personal information involved in breaches.
“Every compromised piece of data can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm,” Falk said. “This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.”
Under the Notifiable Data Breaches scheme, Australian entities must report a data breach to the OAIC when personal information is accessed or disclosed without authorisation, or is lost, and the breach is likely to result in serious harm to the individuals concerned. After notification, the OAIC is empowered to investigate the breach.
While headline breaches in the first half of 2023 include the cyber attacks on law firm HWL Ebsworth and financial services provider Latitude, the OAIC says most data breaches are relatively small, with 63% of the reported incidents affecting 100 or fewer people.
However, 23 breaches impacted more than 5,000 people, two affected more than one million people, and one impacted more than ten million people – the largest since the notification scheme began in 2018.
Most breaches (80%) involved contact information, such as an individual’s name, home address, phone number or email address. The OAIC stresses that this differs from identity information, which covers more sensitive data such as passport details, driver licence numbers and dates of birth. Nonetheless, 64% of breaches did involve identity information, and financial information, such as bank account details and credit card numbers, was exposed in 40% of breaches.
“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach,” said Falk. “The longer organisations delay notification, the more the chance of harm increases.”