Australia’s Privacy Commissioner every six months publishes stats on the state of data breaches in the country, as part of her agency’s oversight of the Notifiable Data Breaches (NDB) scheme. The latest stats give us an insight into the full year, with a confrontational realisation that it wasn’t just Optus and Medibank that suffered in 2022.
Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches scheme in February 2018.
Under the scheme, all agencies and organisations in Australia that are covered by the Privacy Act are required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
The Privacy Act covers most Australian government agencies.
[related_content first=”1831030″]
With that out of the way, let’s dive in.
For the six-month period, July to December 2022, there were 497 data breach notifications made to the OAIC. In the previous six months, January through June 2022, there were 396. That means that over the entire year, there was a total of 890 data breach notifications made to the OAIC.
The busiest month was December, with 92. September was next, with 87. September was also when Optus went live with admission it had fallen victim to a data breach.
Of the total 890 breaches, 150 of them targeted the healthcare sector (the reoccurring titleholder of most breached sector each and every time), but financial services wasn’t lagging too far behind. The sector that holds our money was responsible for reporting 120 data breaches to the OAIC.
About 66 per cent of all data breach notifications were due to ‘malicious or criminal attack’. In January-June, 41 per cent of all breaches were due to ‘cyber security instances’; in July-December, it was 45 per cent. Ransomware was mostly the cause, followed by compromised or stolen credentials and phishing. Human error was also to blame, about 29 per cent of all breaches were down to a mistake (hopefully just a mistake) from a human. Types of human error can be as simple as emailing your medical docs to a different person with the same first name or giving someone you haven’t authorised your diagnosis, for example. Could also be failing to use BCC when mass emailing out info to customers/patients.
While health continues to be the most breached sector, the Notifiable Data Breaches scheme stats only go so far. This number would likely be higher if we took into consideration the entire healthcare sector in Australia. But, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme as they have their own binding process to follow (which also lies under the umbrella of the OAIC).
But back to the stats. Overall, contact information was the most common type of personal information involved in breaches last year. And of the total 890 data breach notifications received by the OAIC, most data breaches involved the personal information of 5,000 individuals worldwide or fewer. 84 of them affected 5,000 or more Australians.
We’ll check back in with the OAIC in six months.
This article has been updated since it was first published.