Online data breaches recorded in the first six months of 2022 stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan according to the Office of the Australian Information Commissioner (OAIC).
Releasing the OAIC’s Notifiable data breaches report January to June 2022, the Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics show areas that require organisations’ immediate action.
“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.
“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our Report,” she said.
“Only collect necessary personal information and delete it when it is no longer required.”
Commissioner Falk said the OAIC was notified of 396 data breaches during the reporting period, a 14 per cent decrease compared to July to December 2021.
She said despite the overall fall in notifications, the data trended upwards in the later part of the period, “which has continued”.
“The Report also draws attention to an increase in larger scale breaches and breaches affecting multiple entities in the reporting period,” the Commissioner said.
“There were 24 data breaches reported to affect 5,000 or more Australians, four of which were reported to affect 100,000 or more Australians,” she said.
“All but one of these 24 breaches were caused by cyber security incidents.”
Commissioner Falk said 41 per cent of all breaches (162 notifications) resulted from cyber security incidents.
She said the top sources of cyber incidents were ransomware (51 notifications), phishing (42 notifications) and compromised or stolen credentials through unknown methods (40 notifications).
“The number of larger scale breaches caused by cyber security incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment,” she said.
Commissioner Falk said 71 per cent of entities notified the OAIC within the mandatory 30 days of becoming aware of an incident, compared to 75 per cent in the previous period.
The OAIC’s 33-page report can be accessed at this PS News link.
