OAIC breach reports surge to levels not seen since Covid

Data breach reporting

The Office of the Australian Information Commissioner (OAIC) has borne a surge in data breach notices over the last year, with the OAIC’s breach reporting service recording levels not seen since the Covid pandemic.

The OAIC, in its latest half-yearly Notifiable Data Breaches (NDB) report, which covers the six months to July 2024, recorded a nine per cent increase in breach reports over the previous reporting period, receiving a total of 527 reports.

This is the highest NDB reporting figure in the past three and a half years, and among the highest in the six years since the commencement of the data breach reporting scheme in 2018.

Financial services – which includes banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers – made up 11 per cent of all NDB reports in the December to July report, totalling 58 NDBs, up slightly from the 54 reports received in the previous half.

Financial services fell back one place to be the third-most data breach-affected sector, after health services providers (with 102 reports) and Australian Government (with 63 reports) entities, but ahead of education (44) and retail providers (29).

The majority of breaches affecting the financial services sector were noted to be the result of malicious or criminal attacks, which represented more than two-thirds of the reports received by the OAIC. Human error made up the remaining third of NDB reports, with just a single report identifying a system fault as the cause of a breach event.

The vast majority of these malicious/criminal breaches were due to either ‘cyber incidents’ (including phishing, ransomware, stolen credentials, or brute force attacks) or ‘social engineering scams’, with 17 NDBs reported for each category.

Breaches as a result of human error – representing 20 NDBs reported by FSIs – were overwhelmingly due to the disclosure of personal data via email or ‘unintended publication’.

Financial services were among the slowest of all sectors, except government entities, to identify data breaches, with nearly half (43 per cent) of reporting entities taking more than 10 days to identify a breach. Around one in six (16 per cent) FSIs took more than 30 days to identify that a breach had occurred.

FSIs’ time to notify of a breach incident – a requirement under the NDB scheme – was also relatively slow compared to other sectors, with, again, only government entities taking longer to report.

Nearly one in three (31 per cent) NDBs were reported more than 30 days after the incident was identified, with just 16 per cent of financial services companies reporting a breach within the advised 10-day timeframe. This is considerably behind health services (43 per cent), education providers (59 per cent) and retailers (34 per cent) who filed their NDBs within 10 days.

The 2022 Medibank breach was singled out by the OAIC in its latest report, with the Commissioner in June announcing it would pursue civil action against the health insurer for the breach – one of the worst losses of PII in the digital age for an Australian corporate business.

The Information Commissioner has argued that Medibank failed to “take reasonable steps to protect the personal information it held given its size, resources, the nature and volume of the sensitive and personal information it handled, and the risk of serious harm for an individual in the case of a breach”.

The OAIC’s efforts to more actively pursue civil action, including another case against Australian Clinical Labs, signal a “new era” for the agency, said Australian Privacy Commissioner Carly Kind, adding that expectations of entities are now considerably higher six years into the NDB scheme.

Commenting on the regrettable rise in breach reports in the half year, Kind urged businesses to address privacy and security issues as a “priority”, arguing that regulated entities are failing to keep pace with the increased threats to personal information.