In total, 497 notifiable data breaches were reported between July and December 2022, a 26 per cent increase on the first half of the year.
The latest Notifiable data breaches report released today reveals that several major data breaches occurred during the second half of 2022, compromising millions of Australians’ personal information. These breaches contributed to a 26 per cent increase in overall data breaches compared to the previous reporting period.
According to the Australian Information Commissioner and Privacy Commissioner, Angelene Falk, cyber security incidents can seriously affect individuals and organisations. As a result, it is imperative for businesses and organisations to remain vigilant about potential risks and take necessary measures to safeguard their sensitive information.
With the growing prevalence of cyber-attacks and data breaches, it has become increasingly important for individuals and organisations to prioritise cybersecurity as a fundamental aspect of their operations. Failure to do so can result in significant financial and reputational damage, as well as irreparable harm to affected individuals.
The Notifiable data breaches report indicates that cyber security incidents accounted for 33 of the 40 breaches that affected more than 5,000 Australians during the second half of 2022. Together with the 41 per cent rise in breaches attributed to malicious or criminal attacks, this shows deliberate attacks driving the largest breaches of the period.
Cyber security incidents can take many forms, including phishing attacks, ransomware, and malware. These incidents can result in the theft or compromise of sensitive personal and financial information, including names, addresses, government identifiers such as tax file and Medicare numbers, and credit card details.
- The Notifiable data breaches report for July to December 2022 records 497 breaches, a 26 per cent increase on the previous reporting period.
- The report also records a 41 per cent increase in the number of data breaches resulting from malicious or criminal attacks.
- The health sector reported the highest number of breaches (71), followed closely by the finance sector (68).
- Most breaches (88 per cent) affected 5,000 individuals or fewer.
Murray Mills, Manager – Cyber Security, Tecala
“In the latest OAIC update, we continue to see the majority of incidents reported involving employees and compromised identities. This trend is expected to continue and increase as PII and credentials are distributed amongst threat actors, enhancing the success of phishing attempts, ransomware campaigns, and malware.
“We recommend that organisations continue to focus on protecting identity, ensuring employees are across the latest attack techniques via cyber security training. In addition, businesses need to consider the layered defences they have in place to protect all their critical assets, including employees. They should also look to penetration testing, vulnerability management and cyber assessments as a critical way of understanding their business risks. A cybersecurity strategy encompassing all these components has never been so important.”
Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies
“This latest data suggests that aside from planning their response to a potential attack, businesses should ensure that they maintain a keen eye on staff cybersecurity training and awareness across their operations. In addition, they need to keep their prevention and detection technologies top of mind by ensuring that they have the appropriate protective controls in place.
“While we must, unfortunately, assume compromises will occur, and while it only takes one cybercriminal to cause untold damage, a properly configured security solution that provides full visibility into the environment with robust automated response capability can help fortify an enterprise’s cybersecurity posture and thwart bad actors before a breach can take hold.”
Scott Hesford, Director Solutions Engineering APAC at BeyondTrust
“Recent high profile data breaches have highlighted the impact that stolen credentials can have on organisations and their customers. The latest OAIC Notifiable Data Breaches report shows the extent to which the problem exists: 59 per cent of cyber incidents reported in the period of July-December 2022 involved compromised or stolen credentials.
“Often, stolen credentials have associated privileges beyond what is needed, allowing attackers to inflict more damage – accessing sensitive data or installing malicious code, for example – than they would be able to if the privileges were removed or reduced.
“In addition, password re-use, particularly between breached personal accounts and corporate accounts, compounds the issue and highlights the importance of credential rotation for privileged accounts.
“The ACSC’s Essential Eight calls for organisations to implement application control, restrict admin privileges and harden user applications, all of which would reduce the severity of breaches.”
Martin McGregor, CEO and Co-Founder, Devicie
“While the reports are becoming increasingly useful when characterising reported breaches, it’s important to be aware these statistics are only just scratching the surface of data breaches that occur in Australia.
“We need to see greater education and enforcement of the privacy principles, to ensure organisations know exactly where citizen data is stored and they maintain methods of detecting unauthorised access to it, which according to the report, represented the greatest cause for data breaches. Still, the overwhelming majority of organisations that hold and depend on sensitive citizen data in Australia don’t sufficiently track their sensitive data, let alone have the capacity to detect data breaches, far from having the ability to report it — as we continue to see in the media when breaches are discovered after criminal groups publicly expose these offenders.
“Too many organisations are acting like victims of cyber-attacks instead of understanding their customers are the victims and they are failing to meet their obligations to them.”
The Privacy Legislation Amendment Act 2022
“During the reporting period, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 came into effect, bringing with it a number of important changes. One such change is that it grants the Commissioner greater powers to share information with other authorities regarding data breaches. Additionally, the Commissioner has been given a new power to request information and documents that are relevant to actual or suspected data breaches.
“The Act also enables the Commissioner to evaluate an entity’s ability to comply with the Notifiable Data Breaches scheme, including assessing the entity’s processes and procedures for identifying suspected eligible data breaches and notifying both the Commissioner and affected individuals. This provides the Commissioner with greater oversight, ensuring that organisations meet their obligations under the scheme.
“Another significant change introduced by the Act is the increased penalties for serious or repeated privacy breaches, including those related to non-compliance with the Notifiable Data Breaches scheme. These penalties are designed to act as a deterrent, encouraging organisations to take data breaches seriously and prioritise the protection of personal information.”