Notifiable Data Breaches Report from July to December 2021

The Office of the Australian Information Commissioner (OAIC) has published its latest Notifiable Data Breaches Report covering notifications made under the Notifiable Data Breaches (NDB) scheme from 1 July to 31 December 2021.

Key findings for the July to December 2021 reporting period include:

  • 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications in January to June 2021;
  • Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281;
  • Data breaches resulting from human error accounted for 190 notifications (41% of the total), up 43% in number from 133;
  • The health sector remains the highest reporting industry sector notifying 18% of all breaches, followed by finance (12%);
  • Contact information remains the most common type of personal information involved in breaches;
  • 96% of breaches affected 5,000 individuals or fewer, while 71% affected 100 people or fewer.
    75% of entities notified the OAIC within 30 days of becoming aware of an incident.

Time to identify data breaches

The Report says that the time it takes entities to identify data breaches has tended to vary significantly depending on the source of the breach. A notable proportion of entities that experienced system faults (11%) did not become aware of the incident for over a year.

Time to notify breach

In the reporting period, 75% of organisations notified the OAIC within 30 days of becoming aware of an incident, compared with 72% in the previous period. Twenty-eight organisations took longer than 120 days from when they became aware of an incident to notify the OAIC.

There was some variance by source of breach in the time taken to notify the OAIC after an incident
was identified. For system fault breaches, 89% of entities notified the OAIC within 30 days compared
with 78% for human error breaches and 71% for breaches caused by malicious or criminal attacks

The report includes the following scenario relating to delayed and partial notifications:

An entity experienced a phishing attack and an employee’s email account was compromised.

The entity’s preliminary review of the contents of the compromised email account indicated
that the account contained a large quantity of personal information, ranging from contact
information to clients’ bank account details and picture copies of their driver licences and/or
passports.

As the mailbox contained a large amount of documents, the entity determined it would take
over 5 months to conduct a manual review of all documents contained in the mailbox to
identify and tailor notifications to each individual at risk of serious harm.

On this basis, rather than taking additional time to tailor its notifications, the entity proceeded
to promptly notify all affected individuals, providing general recommendations that applied to
everyone whose personal information was contained in the mailbox.

Cyber incident breaches

In the reporting period, 37% of all breaches (173 notifications) resulted from cyber security incidents.
The top sources of cyber incidents were phishing (55 notifications), compromised or stolen
credentials (method unknown) (48 notifications) and ransomware (40 notifications).
Almost two-thirds (65%) of cyber incidents involved malicious actors gaining access to accounts using
compromised or stolen credentials.
Ransomware incidents accounted for 40 notifications, down 11% from 45.

Human error breaches

Human error was the leading source of breaches for the finance sector (48%).

Human error includes:

  • Unauthorised disclosure (unintended release or publication)
  • Failure to use BCC when sending email 
  • PI sent to wrong recipient (email) 
  • Loss of paperwork/data storage device 
  • PI sent to wrong recipient (mail) 
  • PI sent to wrong recipient (other) 
  • Unauthorised disclosure (failure to redact) 
  • Unauthorised disclosure (verbal).

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

David Jacobson

Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.