396 Data Breach Notifications Were Made in the First Half of 2022, so Who’s to Blame?

Australia’s Privacy Commissioner publishes statistics on the state of data breaches in the country every six months. While the space has received a lot of attention lately, this report is a little tamer – it only covers January through June. The calm before the cyber storm, if you will.

Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.

Under the scheme, all agencies and organisations in Australia that are covered by the Privacy Act are required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

The Privacy Act covers most Australian government agencies.

With that out of the way, let’s dive in.

For the six-month period, there were 396 data breach notifications made to the OAIC. Unsurprisingly, given the state of things at the minute, ransomware was the cause of 31 per cent of them.

But, who’s to blame?

Although ransomware was the cause of 31 per cent of total breaches, ‘malicious or criminal attack’ was to blame for 63 per cent, or 250 breaches. It’s hard to pinpoint who is to blame for these malicious or criminal attacks, given their very nature, but what is easier to pinpoint is the cause of the breaches attributed to human error.

During the six-month period, humans were to blame for 131 data breaches. It’s not necessarily humans being bad people; accidents do happen. Of these 131 breaches caused by human error, 50 of them were due to personal information being sent to the wrong email address. 31 came under ‘unauthorised disclosure’ – for example, if a doctor gave your diagnosis to someone you hadn’t authorised. The rest were a mix of personal info being mailed or faxed (yep, faxed) to the wrong person and loss of info, such as misplacing a hard drive or paperwork.

The most commonly breached data was contact info.

The healthcare sector has been top of the list since the OAIC started reporting these figures – this time, it’s no different. Of the 396 data breach notifications, 79 were from the health industry. Finance/super had 52, education had 35, legal/accounting had 25 and recruitment agencies had 25.

The most breaches occurred during May, and most data breaches (91 per cent) involved the personal information of 5,000 or fewer individuals worldwide. There was one breach that affected over 1 million people, however.

Contact information remains the most common type of personal information involved in breaches.

While 396 breaches were notified this six-month period, in the period spanning July to December 2021, 460 breaches were notified. Here’s a snapshot of breaches made since the NDB scheme kicked off.

We’ll check back in with the OAIC in six months.