OAIC Says Data Breach Notifications at Three-Year Highs


New statistics from the Office of the Australian Information Commissioner (OAIC) show the number of data breaches notified to the regulator in the first half of 2024 was at its highest in three and a half years.

The OAIC was notified of 527 data breaches from January to June 2024, according to the latest Notifiable Data Breaches report released on September 16, 2024. This is the highest number of notifications since the July to December 2020 period and an increase of 9% from the second half of 2023.

Australian Privacy Commissioner Carly Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.

“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm,” she said. “This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm. Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”

The MediSecure data breach notified in the period affected approximately 12.9 million Australians, the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.

Similar to previous reports, malicious and criminal attacks were the main source of breaches (67%), with 57% of those attacks being cybersecurity incidents.

Health and the Australian Government notified the most data breaches of all sectors (19% and 12% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.

Commissioner Kind said six years on from the launch of the scheme, the OAIC has high expectations of organisations. “The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” she said. “Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”

The OAIC will continue to take a proportionate approach to enforcement and is also focused on providing guidance to help organisations comply with their obligations, a focus reflected in changes to the format of the latest report.

“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like,” Kind said.

The report’s release comes after the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024.

The Bill will strengthen the OAIC’s enforcement toolkit, including an enhanced civil penalty regime and infringement notice powers. It would also provide important clarification to the scope of existing security obligations by amending Australian Privacy Principle 11 to expressly require organisations to implement technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks.

The OAIC says it welcomes these and other measures contained in the Bill as an important step in strengthening Australia’s privacy framework. However, further reform consistent with the Australian Government’s response to the Privacy Act Review is still required to improve security across the economy and enhance the Notifiable Data Breaches scheme.

“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” added Kind.
