ARN

812 incidents reported during first year of Notifiable Data Breaches scheme

More than 270,000 people affected so far

A total of 812 data breaches were notified to the Office of the Australian Information Commissioner (OAIC) since the Notifiable Data Breaches (NDB) scheme was introduced on 22 February 2018, an average of 67 breaches a month.

In comparison, during the 2017 financial year, the OAIC received 114 voluntary data breach notifications.

Under the Privacy Amendment, organisations have 30 days to notify the Privacy Commissioner and all affected parties if a breach occurs.

Industry experts have warned that breaches will happen.

“Any CEO who thinks their organisation is safe must rethink that thought," said Joseph Mesiti, sales director of Enosys, when speaking to ARN in 2018. "The breach will occur and, as an office holder, the CEO is ultimately accountable for that. Have the staff prepared the organisation for that?"

The vast majority of the reports made to OAIC  - more than 30 per cent - involved a "human factor", this could be sending information to the wrong person or someone’s login credentials being compromised through phishing.

Human error was responsible for the unauthorised disclosure of data of more than 270,000 people.

The health services provider industry topped every quarterly report as the industry, which reported breaches the most, a total of 163 in 12 months.

Finance came as a close second with a total of 119 reports in 12 months, followed by legal with 87 and education with 62.

“The growing number of data breaches notified to my Office is consistent with trends experienced by our counterparts overseas and indicates agencies and organisations are complying with their notification obligations,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Individuals are now receiving notices so they can take action to reduce their risk of harm, which also shows the scheme is working as intended.”

Quarterly breakdown

From October to December 2018, 262 data breaches were reported to the OAIC, 54 came from the private health sector followed by finance (40); legal, accounting and management services (23); private education providers (21) and mining and manufacturing (12).

Most of the breaches reported from all sectors were originated from malicious or criminal attack (64 per cent), especially in the finance sector. With private health sector however, human error is still the main issue – 54 per cent of the breaches were a result of human error.

From July to September 2018, 45 breaches were reported by private health service providers; followed by finance (35); legal, accounting and management services (34); private education providers (16) and personal service providers (13).

Malicious and criminal attacks were the majority of security incidents (57 per cent).

From April to June 2018, 242 data breach notifications in the reported quarter with 49 from the private health sector followed by the finance sector with 36 notifications.

From January to March 2018, out of the 63 notifications received, 51 per cent "indicated" that the cause was human error, 44 per cent were the result of malicious or criminal attack and three were the result of system faults.

Some 78 per cent involved individual's contact information such as name, email address, home address or phone number, out of those, 73 per cent involved the information of less than 100 people with just over half of the notifications (59 per cent) involving the personal information of between one and nine individuals.

Also, 27 per cent of notifications under the NDB scheme involved more than 100 individuals.