Australia’s privacy watchdog has reported the highest number of data breach notifications in three-and-a-half years, posing a huge risk to the privacy of Australians.
New statistics from the Office of the Australian Information Commissioner (OAIC) show the regulator was notified of some 527 data breaches between January and June 2024 – a figure last rivalled by the 539 notifications received in July to December 2020.
According to the latest Notifiable Data Breaches report, these 527 data breaches also mark a nine per cent increase on those of the second half of 2023, which itself had increased some 19 per cent from the period prior.
Australian privacy commissioner Carly Kind said the uptick in data breaches is evidence of “significant threats” to Australians’ privacy.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm,” said Kind.
“This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm.”
Aussies struggling to combat cyber threats
While about a third of the breaches were attributed to human error – such as failing to use BCC or sending personal information to the wrong email address – some 67 per cent were described as “malicious and criminal attacks”.
Furthermore, 60 per cent of these attacks were distinctly cyber incidents which targeted computer information systems, infrastructures, networks or PCs.
Following the release of these figures on Monday, Kind said privacy and security measures are “not keeping up with the threats facing Australians’ personal information”, and that addressing these shortcomings “must be a priority.”
Vaughan Shanks, chief executive of Melbourne-based incident response vendor Cydarm Technologies, told Information Age the report marks a “return to the high number of data breaches seen during the COVID-19 period in 2020” – during which Australians were more vulnerable to scams and business email compromises.
“This is as a result of increasing reliance on digital services, including supply chains,” said Shanks.
Shanks said the causes behind data breaches are often “unsurprising” and can largely be attributed to known threats such as phishing attacks, abuse of stolen credentials, and ransomware.
Such was the case for the unprecedented data breach at defunct electronic prescriptions company MediSecure, which in July confirmed an approximate 12.9 million Australians lost their data to hackers after a company server was hit with ransomware.
“To avoid being breached via the causes of the majority of these attacks, organisations should work on getting the basics right when it comes to authentication: using strong, unique passwords, and configuring MFA,” said Shanks.
James Greenwood, regional vice president of cyber security company Tanium, added that the OAIC data highlights a need for better work-life balance.
“As we can see from the OAIC data, Australian organisations are struggling to stay on top of cyber threats,” said Greenwood.
“This can be attributed to a lot of factors, but human error, often caused by burnout, is one of the issues that continues to hamper our cyber security efforts.”
The most impacted sectors
Organisations in health and Australian Government notified the most data breaches of all sectors, at 19 per cent and 12 per cent respectively.
This was followed by the finance sector at 11 per cent, then education and retail at 8 and 6 per cent.
Notably, the bulk of government attacks came in the form of social engineering and impersonation, accounting for 41 of 44 “malicious or criminal” attacks in the sector compared to only 3 of 66 in health.
Meanwhile, health organisations seemed particularly susceptible to phishing scams, which accounted for more than half of reported cyber incidents in the sector.
Kind said the Notifiable Data Breaches (NDB) scheme – which was launched in 2018 to enforce notification requirements around data breaches – has grown to a point of being “mature”, and the OAIC now has higher expectations of organisations.
In June, the commissioner filed civil penalty proceedings in the Federal Court against Medibank, alleging the health insurer “seriously interfered” with Australians’ privacy following its landmark 2022 data breach.
Similar proceedings were filed against pathology company Australian Clinical Labs for a cyber attack it suffered in 2022, while the OAIC has further investigations underway for the likes of Optus, Latitude Financial Services and HWL Ebsworth.
“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations,” said Kind.
“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like.”
Are privacy laws falling short?
The report comes shortly after the government introduced the Privacy and Other Legislation Amendment Bill 2024, which aims to implement agreed recommendations from the long-awaited review of the Privacy Act.
Among these recommendations is “streamlined information sharing in the case of an emergency or eligible data breach” and stronger enforcement powers for the Australian Information Commissioner.
While the bill only covers the first tranche of expected changes to the Privacy Act, experts have called out a notable lack of action on “right to be erased” measures similar to those of the EU, as well as an expansion of the definition of ‘personal information’.
Greens senator and digital rights spokesperson David Shoebridge told Information Age the increase in data breaches is “predictable” because “Australia’s privacy laws are not up to scratch”.
“The OAIC in this report highlights the importance of a privacy first approach, meanwhile the Government has completely flubbed their promised privacy reforms, leaving Australians at ongoing risk,” said Shoebridge.
Shoebridge said data hoarding had a significant role to play in Australian data breaches – noting government “unwillingness” to take on “corporations hoarding and monetising the personal information of citizens” is having “real life impacts” as scams and identity theft become more common.
“Companies are harvesting our data and then leaving the doors unlocked and the windows open to hackers because we have privacy laws written in the last century,” said Shoebridge.
“Only last week META told a Senate Committee that the reason they don’t offer Australians the same privacy protections as Europeans is because our laws are so weak that they don’t have to.”
The OAIC has meanwhile welcomed the governments “first steps” in implementing privacy reforms, noting they would “strengthen the OAIC’s enforcement toolkit” – particularly through an enhanced civil penalty regime and infringement notice powers.
“Further reform consistent with the Australian Government’s response to the Privacy Act Review is still required to improve security across the economy and enhance the NDB scheme,” the OAIC said.
