Government data breaches have increased this year: OAIC
The Office of the Australian Information Commissioner (OAIC) has released new statistics showing the number of notified data breaches in the first half of 2024 was at its highest in three and a half years.
The OAIC was notified of 527 data breaches from January to June 2024, according to the latest ‘Notifiable data breaches report’ released on Monday. This is the highest number of notifications since July to December 2020 and an increase of 9% from the second half of 2023.
Australian Privacy Commissioner Carly Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm,” she said. “This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information and addressing this must be a priority.”
The MediSecure data breach notified in the period affected approximately 12.9 million Australians — the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.
Similar to previous reports, malicious and criminal attacks were the main source of breaches (67%), with 57% of those being cyber security incidents.
Health and the Australian Government notified the most data breaches of all sectors (19% and 12% of all breaches respectively), highlighting that both the private and public sectors are vulnerable.
Australian Government agencies slow to respond
According to the report, the Australian Government for the first time reported the second highest number of data breaches of any industry sector, its highest position since the scheme began. Australian Government agencies reported 63 data breaches, 12% of all notifications.
The Australian Government also reported the most data breaches involving social engineering or impersonation (42% of all breaches of this kind). These breaches experienced by agencies typically involved a threat actor impersonating a customer and gaining access to their customer account by using legitimate identity credentials that bypassed the agency’s identity verification procedures.
The Australian Government also has significant discovery and reporting delays: it continued to have the largest proportion (87%) of notifications where the agency identified the incident more than 30 days after it occurred, and continued to have the largest proportion (78%) of notifications made to the OAIC more than 30 days after the agency became aware of the incident.
The report recommends that agencies should check they have an effective and up-to-date data breach response plan for identifying, assessing, containing and notifying data breaches. They should also ensure all business areas are aware of and comply with the plan.
Commissioner Kind said six years on from the launch of the scheme, the OAIC has high expectations of organisations.
“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” she said. “Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations.”
The OAIC will continue to take a proportionate approach to enforcement and is also focused on providing guidance to help organisations comply with their obligations, reflected in changes to the latest report.
“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like.”
Strengthening the law
The report’s release comes in the wake of the Australian Government introducing the Privacy and Other Legislation Amendment Bill 2024. The Bill would strengthen the OAIC’s enforcement toolkit, including through an enhanced civil penalty regime and infringement notice powers. It would also provide important clarification to the scope of existing security obligations by amending Australian Privacy Principle 11 to expressly require organisations to implement technical and organisational measures (such as encrypting data, securing access to systems and premises, and undertaking staff training) to address information security risks.
The OAIC has welcomed these and other measures contained in the Bill as an important step in strengthening Australia’s privacy framework. However, further reform consistent with the Australian Government’s response to the Privacy Act Review is still required to improve security across the economy and enhance the Notifiable Data Breaches scheme.
“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” Kind said.
The ‘Notifiable data breaches report: January to June 2024’ can be read here.