
Australia’s Alarming Data Breach Status

The latest Office of the Australian Information Commissioner’s Personal Information Breach Report has revealed a sharp increase in the number of personal information breaches across the country in the first half of 2024 – up 9% compared to the last half of 2023 and the highest number of notifications since 2020.

The report, released in September, found that recent data breaches, including the MediSecure healthcare scourge that affected 12.9 million Australians, had prompted a strong response from the OAIC, which warned it was taking a tougher stance on data privacy and breaches, emphasising that organisations must prioritise privacy in their data practices.

Which industries have seen the most data breaches?

The OAIC has released statistical information on data breach notifications since the launch of the Notifiable Data Breaches program in Australia in 2018. The latest report revealed:

  • A total of 527 notifications were received from January to June 2024, representing a 9% increase compared to the 485 notifications received from July to December 2023.
  • This is the highest number of notifications in a six-month period since July to December 2020, i.e. during the peak of the global COVID-19 pandemic.
  • The top five sectors for data breaches were healthcare providers (102 breaches), Australian government (63), finance (58), education (44) and retail (29).
Chart: The Australian government was the second most breached sector in the first half of 2024. Photo: OAIC
  • Malicious or criminal attacks, both external and internal, were the source of 67% of all data breaches, followed by human error (30%) and system failures (3%).
  • Malicious or criminal attacks included cyber incidents (57%), social engineering/spoofing (27%), document or storage theft (8%), and rogue threats from employees/insiders (8%).
  • The majority of reported breaches (63%) affected 100 people or fewer, but there were eight large-scale breaches that affected more than 100,000 people, including the “largest ever” MediSecure breach in Australia.
Cyber incidents dominate malicious and criminal attacks in Australia

Cyber incidents continue to be a common cause of data breaches, accounting for 38% of all breaches. Cyber incidents were defined as those involving phishing, ransomware, compromised or stolen credentials (method unknown), brute force attacks, hacking, and malware, but not social engineering-style attacks.

Chart: The most common cause of data breaches was compromised credentials from phishing. Image: OAIC.

Among the various malicious or criminal attacks, cyber incidents had the greatest impact on individuals. An average of 107,123 people were affected by 201 cyber incidents, while an average of 4,709 people were affected by incidents caused by rogue employees or insider threats.

In the report, Australian Privacy Commissioner Carly Kind said the continued rise in cyber incidents in the total number of data breaches reported to the OAIC was due to “our increasing reliance on digital tools and online services, which make our data more likely to be exposed to cybercriminals.”

However, human error still accounts for 30% of reported data breaches. The main categories of human error are:

  • Personally identifiable information was sent to the wrong email recipient (38%).
  • Unauthorised disclosure, i.e. the unintentional release or publication of information (24%).
  • Not using BCC (blind carbon copy) when sending emails (10%).

A surge in data breaches puts Australian government agencies under the spotlight

The OAIC noted that the Australian government reported the second-highest number of data breaches of any sector, the highest position it has ever held, having previously ranked lower within the top five breached sectors. According to the report:

  • Government agencies reported 63 data breaches between January and June 2024, representing 12% of all data breach reports in Australia.
  • Government agencies were responsible for the largest share of social engineering or impersonation-style data breaches, at 42% of such incidents. According to the OAIC, these breaches typically involved a threat actor impersonating a customer to gain access to an account using legitimate credentials.
  • Government agencies were also slower to respond: in most cases (87%) an agency identified the incident within 30 days of it occurring, while 78% of government notifications were made to the OAIC within 30 days of the agency becoming aware of the incident.

How can organizations prevent data breaches?

Security experts are constantly reminding organizations that many data breaches or cyberattacks can be prevented by implementing basic cybersecurity measures. The OAIC has made several recommendations based on trends in data breach data.

Mitigating cyber threats

The OAIC recommended implementing multi-factor authentication as a priority to stop cyber threats, or strong password management policies and practices if MFA is unavailable. The agency also recommended:

  • Implementing layered security controls to avoid a single point of failure.
  • Enforcing levels of access to information based on roles and responsibilities.
  • Using security monitoring to detect, respond, and report incidents or unusual activity.

The OAIC cited frameworks such as the Australian Essential Eight standard, the Australian Signals Directorate’s information security manual, the US National Institute of Standards and Technology’s cybersecurity framework, and the International Organization for Standardization’s ISO 27001 and ISO 27002 information security management standards as resources that could help improve practices.

Extended Supply Chain Risk

According to the OAIC, some large-scale data breaches are caused by supply chain breaches, such as the MediSecure breach and another incident involving Outabox. The agency added that outsourcing the processing of personal data to third parties remains a common risk.

The agency said companies should consider the risks of outsourcing personal data handling at the earliest stages of the procurement process, including to cloud service providers. It also recommended that organizations implement a robust vendor risk management framework as well as more robust security measures.

Dealing with the human factor

The OAIC stressed that individuals continue to pose significant risks to the effectiveness of privacy practices. These risks include breaches caused by human error or employees being deceived by phishing.

Chart: The most common form of data breach due to human error is sending data to the wrong email address.

The agency urged organizations to implement technical measures to reduce errors and emphasized that staff education is essential to ensure they understand their privacy and security obligations. It also recommended prioritizing staff training on secure information practices.
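One concrete form the "technical measures to reduce errors" can take is a check on outbound mail before it leaves the organisation, targeting the two human-error categories the report quantifies: mail sent to the wrong recipient and bulk mail with recipients placed in To/Cc rather than Bcc. The script below is an added example, not OAIC code or a product described in the report; the internal domain, the partner-domain allowlist, the recipient threshold and the sample messages are all constructed for the demonstration.

```python
"""Outbound-mail guard for the two most common human-error breach patterns in the
OAIC report: mail sent to the wrong recipient, and bulk mail with recipients in
To/Cc instead of Bcc. Added illustrative example, not OAIC code; the domain names,
allowlist and threshold below are assumptions."""
import difflib
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-agency.gov.au"              # assumed: the sending organisation
KNOWN_EXTERNAL_DOMAINS = {"trusted-supplier.example"}  # assumed: vetted partner domains
VISIBLE_EXTERNAL_LIMIT = 5                             # assumed policy: more than this must go via Bcc


def _addresses(msg, header):
    """All addresses in a header, lower-cased (getaddresses strips display names)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _domain(addr):
    return addr.rsplit("@", 1)[-1]


def _lookalike(domain, known_domains):
    """Return the known domain this one closely resembles, or None if exact or unrelated."""
    if domain in known_domains:
        return None
    near = difflib.get_close_matches(domain, sorted(known_domains), n=1, cutoff=0.8)
    return near[0] if near else None


def check_outbound(raw_message):
    """Return a list of (kind, detail) findings; an empty list means the message passed."""
    msg = message_from_string(raw_message)
    findings = []
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    known = {INTERNAL_DOMAIN, *KNOWN_EXTERNAL_DOMAINS}

    # Missing-BCC pattern: many external addresses exposed to each other in To/Cc.
    external_visible = [a for a in visible if _domain(a) != INTERNAL_DOMAIN]
    if len(external_visible) > VISIBLE_EXTERNAL_LIMIT:
        findings.append(("missing-bcc",
                         f"{len(external_visible)} external recipients visible in To/Cc"))

    # Wrong-recipient pattern: a domain one typo away from one the organisation normally mails.
    for addr in visible + _addresses(msg, "Bcc"):
        near = _lookalike(_domain(addr), known)
        if near:
            findings.append(("wrong-recipient", f"{addr} resembles known domain {near}"))
    return findings


# Constructed sample messages (not real traffic).
RISKY_MESSAGE = """\
From: clerk@example-agency.gov.au
To: records@example-agency.gov.au, jane@trusted-suplier.example
Cc: p1@citizen.example, p2@citizen.example, p3@citizen.example, p4@citizen.example, p5@citizen.example
Subject: Appointment reminders

Please see the attached schedule.
"""

SAFE_MESSAGE = """\
From: clerk@example-agency.gov.au
To: records@example-agency.gov.au
Bcc: p1@citizen.example, p2@citizen.example
Subject: Appointment reminders

Please see the attached schedule.
"""

if __name__ == "__main__":
    for name, raw in (("risky", RISKY_MESSAGE), ("safe", SAFE_MESSAGE)):
        print(name, check_outbound(raw))
```

The lookalike check deliberately compares only against domains the organisation already trusts, so a genuinely new correspondent produces no finding while a one-character typo of a partner domain does; the threshold on visible external recipients turns the report's "not using BCC" category into a rule a mail gateway can enforce rather than a training point alone.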

Incorrect configuration of cloud data resources

Some organisations are “overlooking” cloud security as they embark on digital transformation, the OAIC found. Multiple data breaches occurred this quarter when an Australian entity misconfigured security settings due to human error, leaving personal data vulnerable to unauthorised access or public disclosure.

The OAIC said organisations should not assume that cloud security is the responsibility of the provider. The agency said cloud security and governance should be a priority, emphasising the importance of measures such as secure access controls via MFA, IP access controls and encryption.
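The three measures named here (MFA, IP access controls, encryption) can be checked mechanically against a storage configuration before it goes live. The audit below is an added example and not OAIC or vendor code: the bucket record layout is invented for the demonstration, while the embedded policy documents follow the real AWS IAM policy grammar (Effect, Principal, Action, Resource and Condition keys). It evaluates a weak record beside a hardened one so the failure mode and the fix sit side by side.

```python
"""Audit constructed cloud-storage bucket records for the misconfigurations the
OAIC report highlights: public exposure, access without MFA or an IP allowlist,
and no encryption at rest. Added example, not OAIC or vendor code. The bucket
record layout is invented for this example; the policy document uses the real
AWS IAM policy grammar (Effect, Principal, Action, Resource, Condition)."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the anonymous-access forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _has_ip_allowlist(condition):
    return bool(condition.get("IpAddress", {}).get("aws:SourceIp"))


def _requires_mfa(condition):
    value = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
    return str(value).lower() == "true"


def audit_bucket(bucket):
    """Return (severity, finding) tuples; an empty list means the record passed."""
    findings = []
    if not bucket.get("public_access_block", False):
        findings.append(("high", "public access block is disabled"))
    if not bucket.get("default_encryption", False):
        findings.append(("medium", "no default encryption at rest"))
    for i, stmt in enumerate(bucket.get("policy", {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        if _principal_is_anyone(stmt.get("Principal")):
            findings.append(("high", f"statement {i}: grants access to any principal"))
        if not _has_ip_allowlist(cond) and not _requires_mfa(cond):
            findings.append(("medium", f"statement {i}: neither IP allowlist nor MFA condition"))
    return findings


# Constructed records. The account id and CIDR are documentation placeholders.
WEAK_BUCKET = {
    "name": "agency-records",
    "public_access_block": False,
    "default_encryption": False,
    "policy": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::agency-records/*"
        }]
    }"""),
}

HARDENED_BUCKET = {
    "name": "agency-records",
    "public_access_block": True,
    "default_encryption": True,
    "policy": json.loads("""{
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/records-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::agency-records/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"aws:MultiFactorAuthPresent": "true"}
            }
        }]
    }"""),
}

if __name__ == "__main__":
    for record in (WEAK_BUCKET, HARDENED_BUCKET):
        print(record["name"], audit_bucket(record))
```

Running the audit in a deployment pipeline turns the report's observation that misconfigurations "due to human error" exposed personal data into a gate: a record that still has the public-access block off, an anonymous principal, or a statement with no IP or MFA condition fails before it is applied, regardless of who made the change.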