The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report (Report) for the period from January to June 2021.

The Report, which is published by the OAIC twice-yearly, provides an overview of the data breach notifications received by the OAIC under the Notifiable Data Breaches scheme (NDB Scheme) in the Privacy Act 1988 (Cth) (Privacy Act) during the relevant reporting period, and highlights any emerging trends or issues that organisations should be aware of.

The NDB scheme, which came into force on 22 February 2018, requires organisations to report ‘eligible data breaches’ to both the OAIC and any individuals who may be potentially affected by the data breach. For more information on the NDB Scheme, see our article - Mandatory Data Breach Notification laws are coming...are you ready?. For summaries of the findings of previous Reports, please visit our Digital Hub.

In this article, we have prepared a snapshot of the key takeaways from the Report.

Total numbers are down

First, some good news. Overall, during the January to June 2021 reporting period, the OAIC received a total of 446 notifications, which reflected a 16% decrease compared to the previous 6-month reporting period. It is not clear what has resulted in this decrease, although it is perhaps no coincidence that the 2021 reporting period coincided with an uptick in workers returning to an office environment (with its increased network security) compared to the second half of 2020. (If this is the reason, we may expect to see a significant rise in numbers in the July to December 2021 reporting period).

In addition, the Report found that 93% of data breaches affected 5,000 individuals or fewer, with 65% affecting 100 individuals or fewer. 44% of breaches affected between 1 and 10 individuals only.

The OAIC noted that contact information remains by far the most common category of personal information compromised in data breaches, being impacted in 91% of data breaches.

Health and finance remain the most targeted sectors

Since the enactment of the NDB Scheme, the two industry sectors to consistently report the highest number of data breaches are health and finance. This held true in the latest reporting period, with 19% of data breaches reported by health service providers, and 13% reported by the finance sector.

Malicious or criminal attacks are the largest source of data breaches

Malicious or criminal attacks were the leading source of data breaches notified to the OAIC during the latest reporting period, accounting for 289 breaches (being 65% of all breaches, up from 57% in the previous reporting period). Other major sources of breaches were human error (30%) and system faults (5%).

This is a noteworthy departure from the findings of the earliest Reports issued in 2018, where human error (such as lost USBs and emails sent to the wrong person) was the main cause of data breaches. This highlights a worrying trend of increased activity, and increased success, by cyber criminals.  

Importantly, of all breaches in the malicious or criminal attack category, 66% involved cyber incidents. Other attacks in that category involved social engineering or impersonation, actions of rogue employees / insider threats, and theft of paperwork or storage devices. Those figures serve as a reminder that cyber defences need to focus on both internal and external threats.

The top sources of cyber incidents were phishing (30%), compromised or stolen credentials (27%) and ransomware (24%). Ransomware attacks in particular resulted in 46 notifications, up from 37 in the previous reporting period. However, as we note below, the OAIC has flagged some issues with recent approaches to reporting data breaches from ransomware attacks.

Ransomware attacks – organisations urged to err on the side of reporting

Ransomware is a type of malicious software that, once inside a device, makes the device or files within it unusable by locking or encrypting them. A ransom is then demanded to ‘unlock’ or decrypt the device or files. The monetary amount demanded varies depending on the value of the files or device, and is often demanded in cryptocurrency. We have written in more detail here about the increasing prevalence of ransomware attacks around the world.

According to the Australian Cyber Security Centre (ACSC), ransomware is a prevalent global threat and cybercriminals using ransomware pose a significant risk to Australia.

In its Report, the OAIC notes that when faced with a ransomware attack, some entities have assessed that no eligible data breach has occurred, and have not reported any breach, on the basis that there is limited evidence regarding whether data has been accessed.

The OAIC warns against this approach, suggesting that where a ransomware attack has occurred and an entity cannot confirm whether a malicious actor has accessed data, there will generally be reasonable grounds to believe that an eligible data breach may have occurred, requiring an assessment under section 26WH of the Privacy Act (Assessment of suspected eligible data breach).

Section 26WH requires that if an entity is aware of reasonable grounds to suspect that there may have been an eligible data breach, the entity must carry out a ‘reasonable and expeditious’ assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a data breach, within 30 days after becoming aware of the incident. 

Importantly, the OAIC states that it expects entities to have appropriate internal practices, procedures and systems in place to undertake a meaningful assessment under section 26WH if required. As best practice, the OAIC suggests that entities should:

• have appropriate audit and access logs;
• use a backup system that is routinely tested for data integrity;
• have an appropriate incident response plan; and
• consider engaging a cyber security expert at an early stage to conduct a forensic analysis if a ransomware attack occurs.

As noted in our previous article on ransomware, the ACSC recommends that entities take specific actions to strengthen cyber security controls against ransomware. These actions include, for example, ensuring that devices are updated, turning on multi-factor authentication, performing regular backups, implementing access controls, and turning on ransomware protection (if available). Other recommended steps include preparing a cyber emergency response plan, understanding the criticality of certain data in your business (including what can and cannot be replaced), and generally remaining informed of threats.

Businesses must remain vigilant

Given the increasing prevalence of malicious or criminal attacks, and specifically of cyber incidents, the Report serves as a timely reminder that entities must remain vigilant and establish robust safeguards against both internal and external threats to their cyber security.

Authors: Melissa Fai, Nikhil Shah and Meaghan Powell