Cyber breach rates down overall, but breach record topples: OAIC


The Office of the Australian Information Commissioner (OAIC) has revealed a notable drop in reported data breaches in the first half of this year (January to June) compared with the previous six months; however, the scale of individual breaches has hit a record high, with more than 10 million Australians affected by a single high-profile corporate breach.

While the OAIC reported a 16 per cent drop in breach notifications (409 in total) compared with the July to December 2022 period (497 notifications), this was also the first time the agency received an individual notifiable data breach (NDB) report affecting more than 10 million Australians – suggesting, perhaps, a greater willingness among cybercriminals to go after higher-profile, data-heavy businesses.

Nevertheless, the number of individual breaches affecting one million or more Australians fell – from seven in the July to December 2022 period to three in the most recent six-month report.

While individual NDB reports are anonymised by the Information Commissioner, the large-scale breaches reported in the period are likely to include the Latitude Financial incident; in March this year the company reported the loss of more than 14 million customer records.

Consistent with previous reports, the Information Commissioner noted that the most common type of personal information lost was identity and financial data.

Financial details, such as bank account and credit card numbers, were involved in 40 per cent of breaches overall, representing 164 separate reported instances.

Nearly two in three (64 per cent) reports acknowledged the loss of sensitive identity details, including dates of birth, passport details and driver’s licence details.

The vast majority of breaches (87 per cent) involved the loss of contact information, including individuals’ names, addresses, phone and email addresses.

Again, consistent with the previous reporting period, around 70 per cent of breaches were the result of malicious or criminal attacks; around a quarter (26 per cent) were due to human error, while 3 per cent were attributed to system faults.

Ransomware remained the most common category of cyber incident, accounting for around one in three (31 per cent), while compromised or stolen credentials and phishing accounted for around 50 (29 per cent) and 33 (19 per cent) cyber incidents, respectively.

Hacking and malware were the only two attack vectors to see an increase over the six-month reporting period, each rising modestly to become the prime cause of nearly one in 10 reported cyber incidents.

Largely tracking the overall NDB statistics, most breaches impacting financial services institutions (FSIs) were the result of malicious or criminal actors, which accounted for 65 per cent of notifications, with around one-third the result of human error and the small remainder attributed to system faults.

FSIs still lag in identifying, reporting breaches

The financial services sector was again the second-most affected industry segment, accounting for 13 per cent of notifications, closely behind the health sector, which accounted for around 15 per cent of breach victims reporting under the NDB scheme.

The insurance sector, counted separately from FSIs, was in fifth place (after recruitment agencies and legal, accounting and management services), accounting for around 6 per cent of breaches.

Financial services providers (which include a diverse mix of banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers) were again found to lag other sectors in identifying and reporting data breaches, the OAIC data revealed.

Only 69 per cent of FSI breaches were identified within 30 days of their occurrence, and a little over one in 10 reporting entities took between four and 12 months to spot a breach. By comparison, 97 per cent of reporting recruitment firms identified breaches within 30 days.

Insurers also appear better at spotting a breach, with 92 per cent identifying a breach within 30 days.

Only 67 per cent of FSIs notified the OAIC within 30 days of becoming aware of a breach, with one in five (20 per cent) taking between one and two months. Around one in 20 financial services businesses took up to a year to report a breach.

The insurance sector fared somewhat better, with 72 per cent reporting breaches within 30 days.

The best-performing sector, health services, had 86 per cent of businesses reporting to the OAIC within the 30-day timeframe.

While there is no strictly prescribed notification deadline (the OAIC states that, under the NDB scheme, notification must take place “as soon as practicable”), organisations and agencies are obligated to notify affected individuals and the Information Commissioner of eligible data breaches – that is, breaches likely to result in serious harm to any of the individuals whose personal information is involved.

Generally, once an organisation or agency becomes aware of a suspected breach, it has 30 days to complete a reasonable and expeditious assessment of whether the breach is likely to result in serious harm; if it concludes that an eligible data breach has occurred, it must then notify the OAIC and affected individuals as soon as practicable.

Failure to notify an eligible data breach could put an entity in breach of the Privacy Act and expose it to civil penalties. Following a legislative change late last year, the maximum penalty for a serious or repeated interference with privacy rose from around $2.2 million to the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30 per cent of the entity’s adjusted turnover for the relevant period.

Australian Information Commissioner and Privacy Commissioner Angelene Falk urged organisations to promptly notify the OAIC and customers of data breaches so that “individuals are informed and can take further steps to protect themselves, such as being more alert to scams”.

“The longer organisations delay notification, the more the chance of harm increases.”

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Falk added.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The OAIC notes that the NDB scheme is designed to protect individuals, obliging organisations that hold personal information to notify those individuals who are likely to be at risk of serious harm from a data breach.

The Information Commissioner has tracked and reported statistics from the NDB scheme since its inception in 2018.