Diamond IT Blog

Privacy Risks Identified in Recent OAIC Data Breaches Report

Written by Samantha Cordell | November 17, 2022

The significant impact of the recent Medibank, Optus, and Harcourts data breaches on consumers, paired with proposed increases to the maximum penalties under the Privacy Act, underlines the critical need for strong information handling practices and robust data breach response plans in Australian businesses.

The Office of the Australian Information Commissioner (OAIC) periodically publishes reports containing statistics about notifications received under the Notifiable Data Breaches (NDB) scheme, to help businesses and consumers understand the privacy risks identified through the scheme.

The scheme was established to improve consumer protection and drive better security standards for protecting personal information. Under it, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach (one that is likely to result in serious harm to any of the individuals whose information is involved) must notify the affected individuals and the OAIC.


Key findings:

In the January to June 2022 OAIC Notifiable Data Breaches Report:

  • 396 breaches were reported.
  • Malicious or criminal attack remains the leading source of breaches, accounting for 250 notifications (63% of the total).
  • Data breaches resulting from human error accounted for 33% of the total reported, a 31% fall in notifications compared with the previous reporting period.
  • Health remains the highest reporting sector, followed by the finance sector.
  • Others in the top 5 reporting sectors include education, legal, accounting and management services, and recruitment agencies.
  • Contact information remains the most common type of personal information involved in breaches.
  • Cyber security incidents, a subset of malicious or criminal attacks, accounted for 41% of all breaches. The top sources of cyber incidents were ransomware, phishing, and compromised or stolen credentials.


The need for immediate action

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches, together with the statistics for January to June 2022, shows areas that require organisations' immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.


Key changes to the Privacy Act 1988

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, introduced into Parliament on 26 October 2022, is set to increase the maximum penalty for serious or repeated interferences with privacy from the current $2.22 million to whichever is the greater of:
  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of the company's adjusted turnover in the relevant period.

The higher penalties outlined are said to "align privacy and consumer law penalties and help address serious privacy risks to the community."


Diamond IT can help strengthen your privacy practices

Diamond IT's Managed IT Services proactively support customers in reducing risk and aligning with best practices. Our Business Technology Consultants specialise in improving internal cyber security and supporting businesses to ensure robust cyber plans and practices are in place.

We offer:


If you need advice on how to ensure your cyber security strategy is fit for purpose, our team of Cyber Security experts is ready to help. Contact our team on 1300 307 907 today.