An average of 320,000 individuals were affected in each of the 172 cyber incidents reported to Australian authorities during the first half of 2023, with new figures showing fewer data breaches were reported overall – despite Australia recording its largest-ever breach.

Seven ransomware attacks, seven stolen credential attacks, and four cases of hacking were among the new breaches reported to the Office of the Australian Information Commissioner (OAIC) this year, with overall breach numbers down 16 per cent over the second half of 2022.

The OAIC’s latest half-year summary of Notifiable Data Breach (NDB) Scheme reports showed that March – during which 100 breaches were reported, including the massive hack of Latitude Financial that became Australia’s first incident to affect more than 10 million people – was the busiest month for cyber-criminal activity in at least three years.

With contact information taken in 356 of the 409 notifications received during the period, the breaches represented the theft of millions of Australians’ details – while 261 (64 per cent) involved identity information, 164 (40 per cent) financial details, and 141 (34 per cent) health information.

The risk of data theft lies not only in specific types of data being compromised, Australian Information Commissioner and Privacy Commissioner Angelene Falk said in releasing the new data, but that they are being cross-matched to build profiles of individuals that can facilitate subsequent identity theft.

“Every piece of data that is compromised can increase the likelihood of cyber actors linking together piece of information to gain insight or do harm,” she explained, warning of a ‘mosaic effect’ that “gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials.”

“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”

Yet many companies are still fighting to implement such controls, with a recent audit slamming banks’ “inadequate” cyber security protections.

Airlines, for their part, were recently war-gaming cyber scenarios in an attempt to identify potential systemic weaknesses before cyber criminals do.

Many breaches went unnoticed for a considerable period, with 14% of the organisations reporting breaches due to system faults admitting that it took over a year for them to notice.

The figures reflect the ongoing challenges faced by companies charged with protecting customer data against a wave of cyber crime in which cyber criminals are getting faster at their work as they compromise energy companies, charities, law firms, government administrators, healthcare providers, and more.

Healthcare providers remained the most frequently hit cyber targets – with 63 breaches reported during the half-year – and finance was second, with 54 breaches.

Healthcare remains a favoured target because hospitals tend to rely on “a blend of old and new technologies,” noted Check Point Software Technologies security engineering manager Sadiq Iqbal, “many of which are either not managed or forgotten due to improper documentation.”

“This issue has only increased over time as more Internet of Things and medical devices are added, despite rarely being built securely by design…. Hackers see a high value target with a large threat surface and many potential points of entry.”

Human error continues to bite

Although the average number of individuals affected by cyber incidents (319,761) was heavily skewed by the Latitude breach, overall the OAIC received fewer reports of incidents affecting more than 5,000 individuals – just 23, compared with 42 during the previous period – reflecting a long-term trend of lower first-half breach numbers.

Human error remained a significant factor, with 107 incidents (26 per cent of all reports) attributed to mistakes by employees or other individuals – most commonly, emailing personal information to the wrong person – while 20 notifications due to rogue employees or malicious insiders.

Significantly, 77 breaches were attributed to individuals falling victim to social engineering or impersonation.

With remote working dramatically changing data protection – and impending changes to privacy laws set to increase the onus on companies – the OAIC advised companies to “embed good privacy practices into all aspects of their functions and activities. This includes designing systems and processes that anticipate and minimise the risk of human error.”

Companies should also review access security, identity management, authentication, and other protections, as well as “actively fostering a security and privacy-aware culture to ensure staff are well-equipped to identify and respond to fraud and credential stuffing attacks” – and extending breach education to customers “so customers know what to do if they are concerned they may have been the subject of an attack.”

Given that incident identification times haven’t improved appreciably since the previous period, Falk said Australian organisations need to be better prepared to manage security incidents when they happen.

“As guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Falk said.

“In the event of an incident such as a cyber attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”