OAIC data breach report shows key privacy risks


Tuesday, 15 November, 2022

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable Data Breaches report released last week stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics for January to June 2022 show areas that require organisations’ immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021.

Forty-one per cent of all breaches (162 notifications) resulted from cybersecurity incidents. The top sources of cyber incidents were ransomware (51 notifications), phishing (42 notifications) and compromised or stolen credentials — method unknown (40 notifications).

Despite the overall fall in notifications, the number of notifications trended upwards in the latter part of the period, a trend that has continued since. The report also draws attention to an increase in larger-scale breaches and in breaches affecting multiple entities during the reporting period.

There were 24 data breaches reported to affect 5000 or more Australians, four of which were reported to affect 100,000 or more Australians. All but one of these 24 breaches were caused by cybersecurity incidents.

“The number of larger-scale breaches caused by cybersecurity incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment,” Falk said.

The Privacy Act 1988 requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must notify the OAIC and affected individuals as soon as practicable.

In the reporting period, 71% of entities notified the OAIC within 30 days of becoming aware of an incident, compared to 75% in the previous period.

“A key focus for the OAIC is the time taken by entities to identify, assess and notify us and affected individuals of data breaches,” Falk said.

“As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”

Falk welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before parliament, which give the commissioner stronger information gathering powers to ensure entities are reporting breaches and notifying individuals when they need to and increase penalties for serious or repeated privacy breaches.

You can find the Notifiable Data Breaches report January to June 2022 here.
