Data breach notifications to the Office of the Australian Information Commissioner spiked in May, when 124 breaches were reported – the highest number reported in any month since the notification scheme started in February 2018.
The data fits with other reports that there has been an increase in scams and hacking during the COVID-19 crisis, but the OAIC is not convinced the increase was pandemic-related.
It said it has “not identified a specific cause for the increase. The OAIC is not aware of any evidence to suggest the increase is related to changed business practices resulting from COVID-19.”
Over the six-month period to the end of June covered by the latest data breach report there was a 3 per cent fall in the number of breaches reported compared with the December half last year.
Of the 581 breaches, 75 were reported by financial services organisations (including superannuation funds) – the second most data breaches of any industry sector.
Health services were the source of the largest number of breaches. Other sectors that reported high numbers included education, insurance and legal, accounting and management services.
The OAIC said malicious or criminal attacks accounted for 61 per cent of notifications. Data breaches resulting from phishing are the leading source of malicious attack.
The OAIC has recommended that organisations do more training to help staff identify phishing emails.
There was a significant increase in ransomware attacks (encrypting data on affected systems).
Human error accounted for 34 per cent of breaches and system failure 5 per cent. Examples of human error include sending personal information to the wrong email recipient and unintended release of information.
Contact information is the most common type of personal information involved in a data breach. Other information commonly involved in breaches includes identity information, financial details, health information and tax file numbers.
Under the Notifiable Data Breach reporting rules, an eligible data breach is one where there is unauthorised access to or unauthorised disclosure of personal information and a reasonable person would conclude that it is likely to result in serious harm to any of the individuals whose personal information was involved.
Of the breaches that occurred in the June half, 46 per cent involved up to 10 people and 64 per cent involved up to 100. Two breaches involved more than one million people and one involved more than 10 million people.
The OAIC is concerned with what it called “incomplete notifications”. These included people not receiving full details of the personal information involved and organisations failing to include advice about what steps people should take in response to a breach.