OAIC wields data breach powers

The Office of the Australian Information Commissioner (OAIC) has shown how it will use the information-gathering powers provided under new legislation in 2022 to target organisations that fail to report data breaches within 30 days.

According to the latest six-monthly Notifiable Data Breaches (NDB) Report, which covers January to June 2023, more than a quarter of organisations notifying of data breaches failed to do so within 30 days, with some taking between four and six months.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected,” said commissioner Angelene Falk.

“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams.

“The longer organisations delay notification, the more the chance of harm increases.”

The January to June 2023 period saw 409 data breaches reported to the OAIC. While that was a 16% decrease in the number of notifications compared to the previous period, there was one breach that affected more than 10 million Australians. This is the first breach of this scale for Australians since the scheme began in 2018.

In one case, the OAIC became aware of a ransomware incident that compromised the information of 20 health service provider clients of an IT service provider, including their patients' treatment information.

“The entity notified the impacted health service providers of the breach, presuming they would notify affected individuals if required. The entity declined to provide the health service providers’ details to the OAIC, claiming it did not have consent to disclose the information.

“In the circumstances, the Commissioner exercised her power under s 26WU(3) (The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022) to issue a written notice, requiring the entity to provide a list of the health service providers impacted by the data breach. Following receipt of the notice, the entity provided the information required. This information enabled the Commissioner to ensure the affected individuals were notified and that all entities involved in the data breach complied with the NDB scheme.”

Cyber security incidents were the source of 42% of all breaches (172 notifications) in the first six months of 2023. The top three cyber-attack methods were ransomware (53 notifications), compromised or stolen credentials for which the method was unknown (50 notifications) and phishing (33 notifications).

Contact, identity and financial information remained the most common kinds of personal information involved in breaches.

The full report is available HERE