More than 10 million people hit by one data breach

A single data breach in the first quarter of the year impacted a group of people numbering close to half of Australia’s population – that’s the glaring takeaway of the latest statistics released by the Office of the Australian Information Commissioner under the Notifiable Data Breach Scheme.

While the majority of data breaches (68 per cent) from January 1 to March 31 affected 100 people or fewer, there was one notified to the OAIC that impacted more than 10 million people. Australia’s current population is around 25 million people.

The OAIC has not published which sector the 10 million-plus breach occurred in, however the Marriott Chain data breach alone was revealed in January to have affected as many as 383 million people worldwide.

Since the statistics were published, high-profile Australian technology company Canva was hit by a data breach that saw details of nearly 140 million global users stolen by a hacker.

Marking Privacy Awareness Week recently, the OAIC urged individuals, businesses and government agencies to focus on key privacy priorities.

“Our personal information is a vital input into the economy and government agencies,” Commissioner Angeline Falk said.

“Managing this information responsibly, as organisations face increasingly complex data protection challenges, is critical.”

Some other notable observations from the latest Australian data breach statistics:

There was a dip in the number of overall breaches from 262 between October 1 and December 31, to 215 in the first three months of this year. It will be interesting to see what the next quarter brings, but if you take into account the traditional holiday period in January, then perhaps this decrease was to be expected.

Retail is the newest sector to emerge in the top-five contributors to data breaches. The retail sector had 11 breaches in the first quarter of 2019, 10 of which were the result of malicious cyber incidents. Health remains the most prolific sector, accounting for 27 per cent of all breaches.

Hacking might be an increasing concern, given it accounted for 13 per cent of all “cyber incidents” – having previously never been higher than 10 per cent.

There were no breaches relating to the use of fax machines…for the first time in six months!

We’re now officially a year into the NDBS and the AOIC has also released a report charting the first 12 months of the scheme. Some key takeaways:

Notifications up 712 per cent on the previous voluntary reporting scheme
Prior to the NDBS, the percentage of data breaches attributed to human error was 46 per cent, compared to the post-scheme figure of 35 per cent, but these pre-NDBS figures relied on self-reporting
In the past year, there were 11 multi‑party notification events, varying between two and 60 notifications per incident
There is now a promise from the OAIC to “take a proportionate and evidence‑based regulatory approach in relation to the NDB scheme” over the next 12 months.

That last pledge should serve as a reminder to businesses of the importance of their data security obligations and also the need to have a detailed communications plan in the event that information is breached.

Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis. Email Jamie.