Breaches of Australian healthcare providers surged during the second half of 2023, according to new Notifiable Data Breaches (NDB) scheme statistics, which also show that Australian organisations overall reported 19 per cent more data breaches during the period.

The Office of the Australian Information Commissioner (OAIC) received 104 notifications of data breaches involving health service providers between July and December 2023 – up from 63 breaches in the first half of last year and 71 during the same period a year earlier.

Finance companies, by comparison, saw the number of breaches drop from 68 during the second half of 2022 to 49 during the same period in 2023, while insurance (45 breaches), retail (39), and Australian government targets (38) rounded out the top five most targeted industries.

All told, the OAIC received notifications of 483 breaches during the half-year period – bringing the total number of reported breaches to 890 for the whole of 2023, with the number of reported breaches increasing every month from July.

The receipt of an additional 121 secondary notifications – in which organisations reported their exposure to data breaches at third-party service providers – was cause for alarm for Australian Information Commissioner Angelene Falk, who flagged the “significant increase” from 29 notifications during the first half of last year.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale, and impact,” Falk said.

“Organisations need to protectively address privacy risks in contractual agreements with third-party service providers,” she continued, noting the importance of having “clear processes and policies in place” and a data breach response plan “that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”

Two-thirds of the incidents were blamed on malicious or criminal attacks – including 28 per cent attributed to phishing, 27 per cent to compromised or stolen credentials, and 27 per cent to ransomware.

Of those malicious attacks, 211 were classified as cyber incidents, while there were 54 cases of social engineering or impersonation, 36 cases of insider threats or ‘rogue employees’, and 21 incidents in which paperwork or data storage devices were stolen.

Three of the reported breaches affected more than 1 million individuals each, while two breaches affected between 500,000 and 1 million people – contributing to the compromise of at least 5.28 million individuals during the half year alone.

The grace period is over

The figures corroborate the findings of IBM’s newly released X-Force Threat Intelligence Index 2024, which observed a 71 per cent year-on-year increase in cyber attacks that used valid stolen or compromised credentials, typically harvested by information-stealing malware or simply bought on dark web markets.

Noting a “pronounced surge in cyberthreats targeting identities”, the report said the change in attack method confirms that “attackers have recognised the difficulty defenders have in distinguishing between legitimate identity use and unauthorised misuse.”

“Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives,” the report notes. “In this era, the focus has shifted towards logging in rather than hacking in.”

Businesses covered by the NDB scheme would be wise to take note of the surge: noting that the NDB scheme is “now well established,” Falk said the OAIC has been “escalating its regulatory actions into data breaches” as a way of reminding Australian organisations about their obligation to not only protect Australians’ data, but to promptly investigate and report data breaches when they occur.

“As guardians of Australians’ personal information,” she explained, “organisations must have security measures in place to minimise the risk of a data breach.”

Noting that compromised or stolen account credentials were responsible for one in four data breaches during the period, she said, “we are prioritising regulatory action where there seem to be serious failures to comply with the scheme’s reporting requirements… and where organisations are holding onto data much longer than is necessary.”

This included breaches where “there is the greatest risk of harm to individuals” – including where organisations are found to have had “serious failures” to protect personal information, “inappropriate” data retention practices, or failures to comply with NDB scheme reporting requirements.

Recent OAIC action against organisations such as Datateks Pty Ltd – which routinely stored sensitive personal information in email accounts that were subsequently compromised – and Pacific Lutheran College attest to the regulator’s increased scrutiny on data privacy practices, while in December the agency lodged civil penalty proceedings alleging pathology firm Australian Clinical Labs (ACL) failed to take “reasonable steps” to protect the personal data of millions of Australians.