Samira Sarraf
Regional Editor for Australia and New Zealand

Australian government back on top 5 sectors with most reported data breaches

News
22 Feb 2024, 3 mins read
Data Breach, Data Privacy, Government IT

The only sector where human error was the top cause of breaches.

Australia Parliament House, ACT
Credit: Shutterstock / travellight

After more than two years, the Australian government is back among the top five sectors with the most data breaches reported to the Office of the Australian Information Commissioner (OAIC). The Australian government is also the only one of the five sectors where human error was the top cause of data breaches.

The Notifiable Data Breaches report is published twice a year and reports on notifications received under the NDB scheme for a six-month period. The report published today refers to data breaches notified from 1 July to 31 December 2023. The OAIC received a total of 483 notifications during the period and the top five reporting sectors were: health services providers, financial services, insurance, retail and the Australian government.

Breakdown of data breaches reported by the Australian government

Government agencies reported 38 data breaches during the second half of 2023, which is only 8% of all notifications received by the OAIC. Of these, 26 were caused by human error: 13 involved personal information being sent to the wrong person; 11 were the result of unauthorised disclosure of personal information; and two involved the loss of paperwork or a data storage device.

“Human error breaches generally result from a failure of process or procedure,” stated the report. “Entities should assume human error will occur and design systems and processes to minimise the risk.” The OAIC stated that this can also be reduced by educating staff on secure information handling.

The government also fell short on one of the rules under the NDB scheme, which requires that the OAIC and affected individuals be notified within 30 days of the entity becoming aware of the breach. The Australian government had the largest proportion (55%) of notifications made to the OAIC more than 30 days after the agency became aware of the incident. It also had the largest proportion (50%) of notifications where the agency identified the incident more than 30 days after it occurred.

“These statistics suggest Australian Government agencies should check they have effective systems for detecting, assessing, responding to and notifying data breaches,” stated the report.

Supply chain risks remain a problem

The report highlighted the risk of outsourcing personal information handling to third parties, with Australian Information Commissioner Angelene Falk saying there is a high number of multi-party breaches being notified, with most resulting from a breach of a cloud or software provider. “Organisations need to proactively address privacy risks in contractual agreements with third-party service providers,” Falk said in a statement.

Of the 483 notifications for the six-month period, malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, 211 of which were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively, followed by insurance with 45 and retail with 39 notifications.


Samira Sarraf covered technology and business across the IT channel before managing the enterprise IT content for the CIO.com, CSO Online, and Computerworld editions in Australia and New Zealand. With a focus on government cybersecurity and policies, she is now an editor with CSO Online global.
