OAIC's Notifiable Data Breaches Report: July-December 2021

$877 million USD. 

That is how much the EU General Data Protection Regulation (GDPR) fined Amazon last year. The tech giant was punished for its misleading use of cookie consent to collect and share personal data.  

In a world where data-driven companies consistently outperform their competitors, the collection, use, and distribution of data becomes critical to business innovation and prosperity. 

In this article, discover the key causes of data and cybersecurity breaches in Australia, as well as the sectors most at risk. These breaches can be financially and reputationally disastrous. The article also sets out the report's advice to businesses on strengthening cyber resilience and mitigating risk.

The Office of the Australian Information Commissioner (OAIC) publishes twice-yearly reports on data breaches notified under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988. These reports aim to “track the leading sources of data breaches and highlight emerging issues and areas for ongoing attention by regulated entities” (OAIC).

In the most recent reporting period (July to December 2021), the OAIC received 464 breach notifications, a figure in line with previous reporting periods.

Key findings 

  • Malicious or criminal attacks remain the leading source of breaches (55%)

  • Data breaches resulting from human error accounted for 41% of notifications, a 43% increase on the previous reporting period

  • System fault caused 4% of data breaches

  • The health sector remains the highest reporting industry sector (18%), followed by finance (12%)

  • Contact information (e.g. name, address) remains the most common type of personal information involved in breaches (85%), followed by identity information (40%) and financial details (39%)

  • 96% of breaches affected 5000 or fewer individuals; 71% affected 100 or fewer individuals

The OAIC’s report is highly accessible, visual, and reader-friendly.

Responding to breaches and managing cyber risk 

The cost of an incident is not merely the potential penalty imposed. Rather, it can impact the integrity and availability of an organisation’s systems and data, leading to mass disruptions and reputational harm. 

Businesses should focus on preventing breaches. This can be achieved through proactive leadership and a robust risk management culture. The report offers some advice for confronting the evolving landscape of cyber threats. 

Address human vulnerabilities and build cyber resilience 

There has been a worrying increase in the number of breaches resulting from human error, with the leading cause being personal information emailed to the wrong recipient (43%). Other causes include clicking on malicious links, transferring funds to fraudulent accounts, and losing documents.

A strong cyber culture must be led from the top. The OAIC expects organisations to have appropriate training, systems, and processes in place to identify and manage data security risks. Businesses should also have an incident response plan. Together these measures help mitigate cyber risk and ensure that everyone in the organisation understands the importance of data ownership and protection.

Aim for continuous improvement  

Organisations should continually review their internal and external risk environment, as well as their controls and processes. For guidance, businesses can refer to the Essential Eight, a baseline of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). It provides progressive maturity targets and implementation guidance for controls such as multi-factor authentication and application patching.

Additionally, companies should monitor legal and policy changes that may affect their cyber security and data protection obligations.  

Reach out for assistance 

The OAIC offers guidance and advice on data breach preparation and response.

It is difficult for businesses to develop data and cyber controls entirely on their own, especially if they are just beginning to address these risks. 

Certex has proudly supported clients with data and privacy security for many years. As experienced professionals, we help organisations take a risk-based approach to improving their systems. Certex’s iSuite of risk management programs includes iPrivacy and iCyber.


Alicja Gibert