Data from the Office of the Australian Information Commissioner (OAIC) reveals that last year it received 812 notifications as part of the mandatory breach reporting regime.
The OAIC today released its quarterly report on the Notifiable Data Breaches regime covering reports it received in the last three months of 2018.
In the October to December period the privacy watchdog said it received 262 breach notifications — a 7 per cent rise on the tally from the prior quarter. It was the highest number of notifications that the office has received in a single quarter since the scheme commenced in late February 2018.
Close to two-thirds of the breaches were attributed to malicious or criminal attacks, while 33 per cent involved human error (3 per cent were related to system faults, according to the reports received by the OAIC).
While most breaches affected 5000 people or less, six affected more than 25,000 — including one that fell into the OAIC’s top category of 1 million to 10 million people affected.
In December, international hotel chain Marriott revealed that up to 500 million former guests had been affected by a data breach. In November, Dell said that it had reset passwords for all Dell.com accounts after intruders sought to access customer data; the computer-maker said the attackers were unsuccessful in stealing data, however.
Shipbuilder Austal in November announced that its management systems had been breached “by an unknown offender”. Austal said that some staff contact details were accessed during the incident.
The health sector retained its position as the leading source of data breaches, with the OAIC receiving 54 reports from health service providers. It was followed by the finance sector (40 notifications); legal, accounting and management services (23), education (21), and mining and manufacturing (12).
Of the 168 breaches that involved malicious or criminal attacks, 114 involved a “cyber incident” — with phishing, again, the most effective attack vector.
The NDB scheme requires the OAIC to be notified if a breach is likely to result in serious harm.
“Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement.
“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.
“The OAIC works with the Australian Cyber Security Centre to provide prevention strategies for organisations, including regularly resetting and not reusing passwords.”