From January to June 2024, the OAIC received 527 data breach notifications, the highest number for any reporting period since July to December 2020. The top five sectors notifying data breaches in this period were health service providers, the Australian Government, finance, education, and retail.
In a media release accompanying the Notifiable Data Breaches Report on 16 September 2024, Australian Privacy Commissioner Carly Kind said, ‘the high number of data breaches is evidence of the significant threats to Australians’ privacy.’ The reporting period included the MediSecure data breach notification, which affected nearly 13 million Australians.
So far this year, the Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank arising from its October 2022 data breach. The OAIC has also issued a statement of intention and a direction to notify of an eligible data breach in relation to incidents from previous reporting periods, and has opened an investigation into the 2023 HWL Ebsworth Lawyers data breach.
OAIC’s Data Breach Report identifies the following key themes and recommendations:
- Mitigating cyber threats – organisations need to have appropriate and proactive measures in place to mitigate cyber threats and protect the personal information they hold.
- Addressing the human factor – individuals are a significant source of weakness in an entity’s privacy practices. Organisations need to reduce the potential for staff to contribute, intentionally or inadvertently, to a data breach.
- Extended supply chain risks – organisations that outsource the handling of personal information can reduce the impact of a data breach in the supply chain by implementing a robust supplier risk management framework.
- Misconfiguration of cloud-based data holdings – organisations need to be aware that security of data in the cloud is a shared responsibility: the provider secures the underlying platform, but the customer remains responsible for how its own data holdings are configured and who can access them.
- Relevance of a threat actor’s motivation in assessing a data breach – entities should not rely on assumptions about a threat actor’s motives (for example, that stolen data will not be misused) when assessing the likelihood of serious harm. Where a breach occurs, they should err on the side of notifying the OAIC and affected individuals.
- Data breaches in the Australian Government – of all sectors, the Australian Government reported the most data breaches involving social engineering or impersonation. Organisations need to have access control measures in place to ensure only authorised persons access their systems.
The OAIC’s Notifiable Data Breaches Report and its Guide to Securing Personal Information are available on the OAIC website.