Australian Information Commissioner’s biannual data breach report reveals new trend for 2023

Notifiable data breaches saw a downwards trend in the first six months of 2023, but one of those breaches affected more than 10 million Australians.


Chris Leitch 7 Sep 2023

Notifiable data breaches trended downwards in the first six months of 2023, but one of those breaches affected more than 10 million Australians – the first breach of such scale since tracking began in 2018.

New data in the Office of the Australian Information Commissioner’s biannual report released this week showed seven out of 10 notifiable data breaches (NDBs) were the result of malicious attacks, while the health services sector continued to report more serious breaches than any other industry.

The OAIC said it was notified of 409 breaches in the six months to June 2023, down 16 per cent compared to the previous reporting period, although that included 100 reports made in March, a new high-water mark for a month.

Alongside the breach that affected more than 10 million Australians, two of the breaches reported in this period affected more than 1 million people.

The number of breaches that affected over 5,000 people fell from 42 in the second half of 2022 to 23 in the first six months of 2023.

The majority of breaches (87%) involved contact information, including individuals’ names, home addresses or email addresses.

Identity information such as dates of birth, passport details or driver's licence details was exposed in nearly two thirds (64%) of breaches, while financial details were involved in 40% of breaches.

Malicious attacks accounted for 70 per cent of NDBs, while human error was determined to be the cause in 26 per cent of incidents. Just 4 per cent resulted from system faults.

While human error was the cause of 26 per cent of NDBs in this reporting period, the OAIC noted human error was often a factor in malicious or criminal attacks, such as ransomware attacks being preceded by a successful phishing attack that compromised credentials.

Ransomware was the top attack method used in cybersecurity incidents (53 notifications), followed by compromised or stolen credentials for which the method was unknown (50) and phishing (33). Cybersecurity incidents were the source of 42 per cent of all breaches.

Breaking down serious breaches by sector, health services made the most reports (63) across the six-month period – as it has since the OAIC started reporting NDBs in 2018 – followed by the finance and superannuation sector (54).

However, while NDBs in the health services were evenly split between malicious attacks and human error incidents, it was a different story among financial organisations, where malicious attacks were the cause of about two-thirds of serious breaches.

In August, the OAIC also released its Australian Community Attitudes to Privacy Survey which revealed that Australians view data breaches as the biggest risk to their privacy, and this week’s NDB report also highlighted some of the key findings from the privacy survey.

The privacy survey showed that clients or customers would penalise organisations that were involved in a serious data breach, with 47 per cent saying they would close an account or stop using a product or service provided by an organisation that experienced a data breach.

But prompt action to prevent further harm could make the difference in repairing that broken trust, with the privacy survey showing that most Australians are willing to remain with a breached organisation if steps are put in place to prevent customers experiencing further harm and improvements are made to security practices.

The survey showed that 89 per cent would like the government to pass more legislation that protects their personal information.


Chris Leitch

Chris Leitch is an experienced writer and online editor, proficient in producing website content and developing marketing and digital communications strategies and materials.

He puts his skills to work managing writing projects for Purple clients, in addition to working across many parts of the business helping to create content and shape digital marketing ideas.

After completing a Communications degree at Edith Cowan University, Chris cut his journalistic teeth at the NT News and worked at Community Newspapers, News Corp and Seven West Media before moving into marketing communications.

Away from the office, Chris’s main goals are spending time with his girls and finding time to hit the beach, improve his golf and dabble in fantasy sports. He spent many summers bowling inswingers for the Scarborough Cricket Club.
