The Notifiable Data Breaches scheme was set up over a year ago when it became a legal requirement for entities to carry out an assessment whenever they suspected that there had been a data breach.
The report, which looks back over the scheme’s last 12 months, found that the finance sector had the second highest number of data breach notifications under the scheme.
In 12 months the NDB reported 964 notifications, of which 134 were made by the finance sector, with human error accounting for 41 per cent of the data breaches.
“The consistent presence of the health and finance sectors at the top of the rankings throughout the year likely reflects the scale of data holdings, volume of processing activities and/or sensitivity of the personal information held by those sectors, as well as those sectors’ higher preparedness to report data breaches,” said the report.
The scheme is clearly working given that data breach notifications went from 127 under the voluntary scheme in 2018-19 to 722 as a result of the compulsory scheme.
The report also acknowledged that the finance sector had a great financial reward for cyber criminals.
“Accordingly, a high proportion of finance sector breaches – 56 per cent – were attributed to malicious or criminal attacks,” it said.
Despite this, contact information was the most common form of personal information disclosed through data breaches, with 86 per cent of notifications.
Over half of all breaches (60 per cent) across the regulated entities were attributed to malicious or criminal attacks, with phishing continuing to be the most common method.
There was also 28 per cent of cyber incidents where credentials were obtained by unknown means as the entities had not detected any phishing-based compromise.
Fortunately, 83 per cent of breaches affected fewer than 1,000 people with most attacks affecting just one person, but there were 19 attacks where an unknown number of people were affected.
The Australian information and privacy commissioner Angelene Falk, who operates the scheme, said that many entities were actively engaged with the scheme to create better practices.
“Many entities have taken a proactive approach in engaging with the OAIC, and we have been able to work constructively with those in their response,” she said.
“As the year has progressed, some maturation has been evident in entities assessing the likely consequences of a data breach and in their subsequent notification processes.”
Moving forward, Ms Falk said that she expected entities to take proactive steps to prevent breaches.
For the finance industry, steps are already being taken with the introduction of APRA’s prudential standard on information security, which will help ensure the finance sector’s resilience to information security incidents.
“I encourage entities regulated by the Privacy Act to review the report and use the learnings to enhance their prevention and response strategies for the benefit of all Australians,” said Ms Falk.
