Dynamic Business wishes to emphasise the importance of businesses maintaining reliable information handling methods and an up-to-date plan for responding to data breaches.
There appears to have been an increase in catastrophic data breaches affecting more Australians in the first half of 2022.
Australia witnessed four major data breaches affecting 100,000 or more Australians, one of which affected over a million people. From July to December 2021, there were 24 data breaches affecting 5,000 or more Australians, compared to 18 breaches of similar magnitude.
In addition, cyber-attacks were responsible for 23 of the 24 breaches that affected more than 5,000 Australians, with the remaining breach caused by a system flaw. Nine incidents involved ransomware, nine involved compromised credentials, three involved hacking, and two used malware.
In its six-month Notifiable Data Breaches Report, issued on November 10, the Office of the Australian Information Commissioner (OAIC) showed 396 notifications.
This is lower than in previous years’ reporting. Cybercriminals working for a state-sponsored operation allegedly got into Optus’ internal network earlier in September, compromising the personal data of up to 9.8 million members. According to Optus CEO Kelly Bayer, the earliest records in the hacked database could date back to 2017.
Two years before the Optus breach, the Australian unicorn Canva experienced a significant data leak that affected 137 million users. A highly sophisticated cyber-attack that targeted. The year before that, the Australian National University (ANU) stunned even the most seasoned Australian security specialists: cyber intruders had access to private data affecting 200,000 people, stretching back as far as 19 years.
Australia’s businesses have been subjected to a flood of cyberattacks, drawing attention to the country’s understaffed cybersecurity sector, which experts believe is ill-equipped to thwart such hacks, potentially putting millions of people’s sensitive information in danger.
Given that 2022 will be the worst year on record for significant cyberattacks, Pieter Danhieux, co-founder and CEO of Secure Code Warrior, believes that the latest OAIC Notifiable Data Breaches Report comes at a critical juncture in Australia’s cybersecurity threat landscape.
“It confirms what many in the security industry know already: that we must do more to facilitate higher prioritisation of security best practices and awareness at an organisational level.
“It is not surprising that we have mirrored the global trend of healthcare institutions seeing a sharp rise in successful breaches as threat actors look to exploit targets that represent high-value data and critical infrastructure. We only have to look to the ongoing fallout of the Medibank Private breach to see the devastation this causes at a reputational level, while civilians bear the brunt of personal violation as their data is held for ransom.
“With the government proposing to raise the potential penalty for a serious privacy breach to $50 million, the stakes are getting higher for companies to fortify their systems and protect the massive amounts of data we relinquish to their guardianship.
“However, with both general strategy and official government advice often revolving around reactive security measures and incident response, it is doubtful anything will improve until more emphasis is placed on defensive security. Every organisation can play a key role in stopping breaches and data exposure by implementing role-based security awareness training, including comprehensive developer upskilling in secure coding. It takes a village to raise standards, and we all have a hand in safeguarding our digital world.”
Kinds of personal information involved in breaches
According to the report, the most common types of personal information in data breaches are contact information, identity information, and financial information. In 84 per cent of cases, contact information such as a person’s name, home address, phone number, or email address was compromised.
Identity information, which includes a person’s date of birth, passport information, and driver’s licence information, was leaked in 55 per cent of breaches. Financial information, such as bank account and credit card information, was implicated in 37 per cent of breaches.
Lesser but more dangerous attacks
From January to June 2022, the Office of the Australian Information Commissioner (OAIC) received 396 reports of data breaches, a 14 per cent decrease from the July to December 2021 period. Despite the general drop in notifications, the numbers trended upward in the latter part of the period, and this upward trend has been maintained.
Furthermore, the analysis shows an increase in larger breaches and in breaches that affected multiple companies over the reporting period. One hundred and sixty-two notifications (41 per cent of the total) were the consequence of cyber security incidents. Ransomware (51 notifications), phishing (42 notifications), and compromised or stolen credentials obtained by an unknown method (40 notifications) were the main causes of those cyber incidents.
According to Anthony Daniel, Regional Director for ANZ and the Pacific Islands at WatchGuard Technologies, the 14 per cent drop in reported breaches should not make Australia feel more secure because there is still much work to be done in terms of educating IT staff, putting the right cybersecurity measures in place, and—most importantly—being aware of the short- and long-term effects of a hack on businesses.
Responding to a cybersecurity incident
2018 saw the debut of Australia’s Notifiable Data Breach Scheme. Any organisation or government body subject to the Privacy Act of 1988 that suffers a data breach likely to seriously endanger one or more people must notify the OAIC and the affected individuals. During the reporting period, 71 per cent of entities reported issues to the OAIC within 30 days, down from 75 per cent in the previous reporting period.
“A key focus for the OAIC is the time taken by entities to identify, assess and notify affected individuals and use of data breaches,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
“As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”
Full report here.