Australia’s privacy watchdog has received more than 300 data breach notifications since the introduction of new disclosure rules in February.
For the three months ended June 30, the Office of the Australian Information Commissioner (OAIC) received 242 notifications of data breaches under the Notifiable Data Breaches (NDB) scheme.
The report, released yesterday, is the first full quarterly report since the NDB scheme came into force on February 22, requiring companies to disclose data breaches to the OAIC and notify affected individuals when a breach is “likely to result in serious harm.”
Including the first report, the OAIC has received a total of 305 breach notifications.
During the June quarter, malicious or criminal attacks were the largest source of data breaches, accounting for 59 per cent, followed by human error (36 per cent) and system faults (5 per cent).
The largest source of malicious attacks was cyber incidents (97 notifications) such as phishing, malware, ransomware, brute-force attacks, compromised or stolen credentials and hacking by other means. Many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords), the report stated.
The most common human error was sending emails containing personal information to the wrong recipient.
The vast majority of breaches reported to the OAIC only affected small numbers of people; 61 per cent of breaches involved the personal information of 100 or fewer individuals and 38 per cent impacted ten or fewer people.
One breach affected more than 1 million people and two affected between 50,000 and 100,000 people.
The private health sector reported the most data breaches under the Australian NDB scheme with 49 notifications in the quarter (the report noted these notifications do not relate to the My Health Records system), followed by the finance sector with 36 notifications.
The majority of data breaches involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as passport number, driver’s licence number or other government identifiers.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” said Angelene Falk, acting Australian Information Commissioner and acting Privacy Commissioner.
“Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”