Financial services companies have consistently reported among the highest number of data breaches of all industry sectors since Australia’s Notifiable Data Breach (NDB) scheme was introduced in 2018, and it was no different in the Office of the Australian Information Commissioner’s latest NDB report.
The report, covering data breaches from January to June this year, shows the number of notifications falling 14 per cent to 396, compared with the previous six months.
Health service providers accounted for 79 breach notifications, financial services providers 52 notifications, education institutions 35, legal, accounting and management services 26 and recruitment agencies 25.
An eligible data breach occurs when personal information has been lost, or accessed or disclosed without authorisation, and this is likely to result in serious harm to one or more individuals. The organisation is obliged to report such incidents when it has not been able to prevent the likely risk of serious harm with remedial action.
Sixty-three per cent of breaches were the result of malicious or criminal attack, 33 per cent were put down to human error and 4 per cent were due to system faults.
Contact information is the most common type of personal information involved in breaches. Identity information was included in 217 breaches and financial details in 148.
Sixty-five per cent of breaches affected 100 people or fewer. There were 11 breaches that affected more than 100,000 people and four that affected more than a million people.
The OAIC said the time taken to report breaches deteriorated during the period. Seventy-one per cent of entities notified the OAIC within 30 days of becoming aware of an incident, compared with 79 per cent in the previous period. Four entities took more than 12 months from when they became aware of the incident to notify the OAIC.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement: “A key focus for the OAIC is the time taken by entities to identify, assess and notify us and affected individuals of data breaches.
“As the risk of serious harm to individuals often increases with time, organisations that suspect they have experienced an eligible data breach should treat 30 days as a maximum time limit for an assessment and aim to complete the assessment and notify individuals in a much shorter timeframe.”
Falk said she welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, currently before Parliament, which would give the OAIC stronger information gathering powers and increase penalties for serious or repeated breaches.