This month the Office of the Australian Information Commissioner (OAIC) released its latest ‘Notifiable data breaches report’, covering January to June 2024. It finds that 527 data breaches were reported for the period, the most in any half-year since H2 2020, and the most ever reported for a January to June period since records began.
That’s even more remarkable given that the number of data breaches reported in the first half of a year is typically 10% lower than in the second half: an average of 459.3 notifiable data breaches (H1, Jan-Jun, 2019-2024) compared to 504.5 (H2, Jul-Dec, 2018-2023). If that trend continues, we’re also on track for the most notifiable data breaches reported in a single year since record keeping commenced in February 2018. The previous highest full-year total was in the COVID pandemic era in 2020, with 1,057 notifiable data breaches reported.
In fact, the volume of notifiable data breaches doesn’t fluctuate widely, with the number of breaches reported each month hovering around 80. 2020 was the exception, with several months in that year exceeding 100 reported breaches, and at the other end of the spectrum, January has a particularly low average of only 57 breaches reported between 2019 and 2024.
The relative consistency in reporting numbers, albeit with modest year on year growth, points to a larger problem: many companies may not be taking their reporting obligations seriously, and the main culprit is the interpretation of the requirement.
On its website, OAIC states:
‘Under the Notifiable Data Breaches scheme, an organisation or agency that must comply with Australian privacy law has to tell you if a data breach is likely to cause you serious harm.
Examples of serious harm include:
- identity theft, which can affect your finances and credit report
- financial loss through fraud
- a likely risk of physical harm, such as by an abusive ex-partner
- serious psychological harm
- serious harm to an individual’s reputation.’
The adjudication of whether a breach is ‘likely to cause you serious harm’ lies with the company that has been breached, leading many to err on the side of not reporting.
Perhaps this stagnation in volume is partly why OAIC has flagged a slight change in direction with this report, signalling a shift towards advice and guidance for prevention and to assist companies in meeting their obligations.
Australian Privacy Commissioner, Carly Kind, remarks in the foreword:
‘You will observe this report is a little different to previous ones. Our office is evolving our approach in sharing our insights and emerging trends with Australians and the regulated community. There is still statistical information; however, we have focused on providing more succinct guidance and trend observations to help entities comply with obligations.’
Along with the carrot, there is also a stick:
‘…the NDB scheme is now mature, and we are moving into a new era in which our expectations of entities are higher, seen in our recent commencement of civil penalty proceedings against Medibank Private Limited and Australian Clinical Labs Limited. This enforcement action should send a strong message that keeping personal information secure and meeting the requirements of the NDB scheme must be priorities.
The OAIC is accelerating our shift to a more risk-based and enforcement and education-focused posture. Entities and the community can expect to see this reflected in a greater focus on directing our regulatory effort where it has the greatest impact, including areas where there is a high risk of harm to the community.’
Setting aside the carrot and the stick, and the question of whether the company that has experienced a breach should be the one to determine if that breach is likely to result in ‘serious harm’, let’s look at some of the report findings for this period.
- 527 notifiable data breaches were reported – the most for a January to June period since the NDB scheme commenced
- Healthcare was the number one sector for data breach reporting – with 102 data breaches reported in the half, followed by Government and then Financial Services
- 63% of reported breaches affected fewer than 100 people – however nine breaches impacted more than 100 thousand people, and one breach affected more than 10 million people
- 67% of data breaches were the result of a malicious or criminal attack – with human error and faults accounting for roughly one third of breaches
- Phishing, ransomware and compromised credentials represented the vast majority of incidents – 80% in fact
You can read the full report here:
Keeping Businesses Safe and Secure
Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist third-party cloud email solution like MailGuard.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your customers today to ensure they’re prepared and get in touch with our team to discuss fortifying your customer’s cyber resilience.