Key takeaways from the latest Notifiable Data Breach Scheme stats

The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report for the period from January to June 2021.

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.

Just 446 data breaches were notified to the Office of the Australian Information Commissioner (OAIC) under notifiable data breach (NDB) laws between January and June, a 16% decrease compared to the previous reporting period.

With a reduced number of malicious data attacks and data breaches compared to the previous 6-month reporting period, the numbers are looking positive.

Health sector remains highest reporting sector

Since the enactment of the NDB Scheme in 2018, the industry sector to consistently report the highest number of data breaches is health, notifying 19% of all breaches. The finance sector closely follows, notifying 13% of all breaches.

Malicious or criminal attacks largest source of data breaches

Malicious or criminal attacks were the leading source of data breaches notified to the OAIC during the latest reporting period, accounting for 289 breaches (being 65% of all breaches, up from 57% in the previous reporting period). Other major sources of breaches were human error (30%) and system faults (5%).

66% of all breaches in the malicious or criminal attack category involved cyber incidents. Other attacks in that category involved social engineering or impersonation, actions of rogue employees / insider threats, and theft of paperwork or storage devices. Those figures serve as a reminder that cyber defences need to focus on both internal and external threats.

Contact information remains most common type of personal information involved in data breaches

Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches. Most data breaches (91%) notified under the NDB scheme involved ‘contact information’, such as an individual’s name, home address, phone number or email address. This is distinct from ‘identity information’, which was exposed in 55% of data breaches and includes an individual’s date of birth, passport details and driver licence details. Financial details, such as bank account and credit card numbers, were involved in 43% of breaches.

The OAIC was notified of 35 incidents where social engineering or impersonation was used by “malicious actors” who contacted a call centre, passed the organisation’s phone-verification processes – and was then able to log into the victim’s accounts to change their personal or payment details, or conduct fraudulent transactions.

“Australians need to assume that their private information is ‘out there’, available for sale and that they should act accordingly when being contacted by an individual or organisation that they don’t recognise,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.