OAIC report reveals cloud, software as source of data breaches

The latest data breaches report from the Office of the Australian Information Commissioner (OAIC) has found a continuing high number of breaches involving third parties, most often a cloud or software provider.

The report, covering the period from July to December 2023, recorded 483 notified data breaches, up 19 per cent from the first half of the year. There were an additional 121 secondary notifications (notifications from other entities affected by the same incident), up from the 29 reported to the OAIC from January to June 2023.

There were 322 malicious or criminal attacks that resulted in data breaches, 211 of which were classed as cyber security incidents. The health sector recorded the highest number of data breach notifications (104), followed by finance (49), insurance (45), retail (39) and the Australian government (38).

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” Australian Information Commissioner, Angelene Falk, said.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”

Falk said the Notifiable Data Breaches scheme is now fully functioning, and that the OAIC expects organisations to comply with their obligations to report eligible breaches.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” Falk said.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.

“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”