26 September 2023

OAIC data put price on ransomware

The Office of the Australian Information Commissioner (OAIC) has released its latest statistics report, finding that breaches caused by ransomware attacks and impersonation had increased over the past six months.

The Office said its Notifiable Data Breaches (NDB) Report for January to June 2020 showed a slight fall in the number of eligible breaches reported (518) against the previous six-month period (532), but an increase of 16 per cent compared to the same period last year.

Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said malicious or criminal attacks, including cyber incidents, remained the leading cause of data breaches involving personal information in Australia.

“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” Commissioner Falk said.

“This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible,” she said.

Commissioner Falk said the report showed that the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June.

She said her Office was now regularly seeing ransomware attacks that exported or exfiltrated data from a network before encrypting the data on the target network, which was also of concern.

“This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks,” she said.

“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”

Commissioner Falk said that across the reporting period approximately 77 per cent of notifying entities were able to identify a breach within 30 days of it occurring.

She said some organisations were required to reissue breach notifications because the original notification fell short of the standards required, failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.

OAIC’s 28-page Report can be accessed at this PS News link.
