The Office of the Australian Information Commissioner is reducing the frequency of its statistical reporting on data breaches from every three months to six months, despite a steady stream of notifications in its latest report.
The sixth notifiable data breaches (NDB) scheme report [pdf], released late on Tuesday, reveals 245 notifications were received by the privacy and freedom of information authority between April and June 2019.
The figure is slightly higher than the 215 breaches reported in the three months to April 2019, but less than the record number of breaches received to date.
The majority of breaches were again attributed to malicious or criminal attacks, which accounted for 62 percent of all breaches, followed by human error (34 percent) and system faults (4 percent).
The OAIC said almost 70 percent of malicious or criminal attacks “involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials”.
Of the cyber incidents, the overwhelming majority (79 percent) were “linked to compromised credentials” obtained through phishing, brute-force attacks or unknown methods.
“Many incidents this quarter exploited vulnerabilities involving a human factor,” the OAIC said.
“This included individuals clicking on a phishing email or use of credentials that had been compromised or stolen by other means (such as in another data breach) to obtain unauthorised access to personal information.”
Health service providers remained the leading industry sector to be affected by data breaches - the sixth time it has topped the list - with 47 breaches (19 percent), followed by finance (17 percent) and legal, accounting and management services (10 percent).
But despite the spate of data breaches remaining largely unchanged month-to-month, the OAIC will shift reporting from quarterly intervals to every six months.
In a statement accompanying the latest report, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the scheme had established itself as an effective mechanism for data breach reporting.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combating data breaches and improving response strategies,” she said.
“Effecting change in practices to prevent breaches is vital to the goal of protecting the community.
“Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”
The reduced reporting comes at a time when the OAIC’s resourcing is being forced to stretch further than ever before, with schemes like NDB and the consumer data right competing with its traditional privacy and freedom of information workloads.
The OAIC also used the report to clarify that data breach reports refer to individuals worldwide, not just Australians, after a new 10 million-plus data breach lifted the ceiling of the statistics table for the first time last quarter.
“For the band 10,000,001 or more, this figure reflects the number of individuals worldwide whose personal information was compromised in this data breach, not only individuals in Australia, as estimated by the notifying entity,” the OAIC said.
Gloss