Data breach report highlights supply chain risks

The risk of outsourcing personal information handling to third parties is highlighted in the latest data breach statistics, released today by the Office of the Australian Information Commissioner (OAIC).

Australian Information Commissioner Angelene Falk said the OAIC continues to be notified of a high number of multi-party breaches, with most resulting from a breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Commissioner Falk.

“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations,” said Commissioner Falk.

The July to December 2023 period saw 483 data breaches reported to the OAIC, up 19% from the first half of the year. There were an additional 121 secondary notifications (notifications about a breach that had already been reported by another entity, which typically arise from multi-party incidents), a significant increase from 29 such notifications in January to June 2023.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, and the majority of those (211 notifications) were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively.

Commissioner Falk said the Notifiable Data Breaches scheme is now well established and the OAIC expects organisations to comply with their obligations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Commissioner Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.

“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”

The Australian Government responded to the Attorney-General’s Department’s review of the Privacy Act 1988 (Cth) in the second half of 2023, agreeing in principle to proposals that would strengthen the Notifiable Data Breaches scheme, including changes to the reporting timeframes.

The release of the Notifiable data breaches report comes shortly before the commencement of Ms Carly Kind as Privacy Commissioner on 26 February.

“I look forward to welcoming Commissioner Kind to the OAIC at a time when privacy and the protection of personal information have never been more crucial for the Australian community,” Commissioner Falk said.

Read the Notifiable data breaches report July to December 2023.