Need to know
- The second half of 2022 saw a 26% rise in data breaches reported to the Office of the Australian Information Commissioner
- 350 of the 497 reported breaches were malicious or criminal attacks, a 41% increase
- Five of the breaches affected over one million Australians, compared with a single breach of this size in the first half of 2022
Cybercriminals got busy as 2022 drew to a close, with 92 data breaches reported to the Office of the Australian Information Commissioner (OAIC) in December alone.
The second half of 2022 saw a 26% rise in data breaches reported to OAIC compared to the first half of the year, including well-publicised mega-breaches involving Optus and Medibank.
Of the 497 breaches that were reported to OAIC between July and December 2022, 350 were malicious or criminal attacks, a 41% increase in this type of breach compared to the January to June period.
... five of the breaches affected over one million Australians, compared with a single local breach of this size in the first half of 2022
The rest were either human error (123) or systems faults (24). The latter category saw a 60% increase compared to the first half of 2022.
While most of the breaches reported from July to December 2022 (88%) affected 5000 or fewer people worldwide, five of the breaches affected over one million Australians, compared with a single local breach of this size in the first half of 2022.
The major breaches included the theft of the names, dates of birth, addresses, phone numbers and email addresses of around 5.1 million current and former Medibank customers and the theft of the passport numbers, home and email addresses, dates of birth and drivers licence numbers of as many as 9.8 million Optus customers.
Thirty-three of the forty breaches that affected over 5000 Australians were classified as cyber incidents, caused by ransomware, compromised or stolen credentials, hacking or malware.
A total of 890 breaches were reported to OAIC in all of 2022.
OAIC calls for proactive protections
OAIC commissioner Angelene Falk says the high number of cyber security incidents between July and December 2022 – where cybercriminals found their way into company systems – indicates companies should be doing a better job of protecting the personal information of their customers.
Achieving that goal "starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed," Falk says.
It also involves taking "appropriate and proactive steps to protect against and respond to a range of cyber threats".
Failing to do so can have long-term consequences for victims, especially if their data ends up on the dark web.
OAIC commissioner Angelene Falk says companies should be doing a better job of protecting the personal information of their customers.
"As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase," Falk says.
"Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals."
"It is critical that our privacy laws are fit for purpose and that we ensure businesses do the right thing by their customers by placing limitations on the data they collect and what they use it for," says CHOICE consumer data advocate Kate Bower.
"It is also vitally important that the OAIC is appropriately resourced to be able to hold businesses accountable and investigate data breaches.
"The federal Attorney-General is currently reviewing the Privacy Act to bring it into the digital age. The review is an opportunity to reset the balance in favour of consumers," Bower says.
When is a breach reportable?
Under the Notifiable Data Breaches (NDB) scheme, any organisation or government agency covered by the Privacy Act that experiences an eligible data breach must notify affected individuals and the OAIC.
Eligible data breaches are defined as incidents in which personal information has been accessed, disclosed or lost that could be used to harm the affected individuals.
It is critical that our privacy laws are fit for purpose and that we ensure businesses do the right thing by their customers by placing limitations on the data they collect and what they use it for
CHOICE consumer data advocate, Kate Bower
In December 2022, OAIC was granted new powers to ensure that organisations are adhering to the NDB scheme, including the power to investigate whether they have proper procedures in place to detect data breaches and report them. The new powers also allow OAIC to share information with other authorities about data breaches.
Stock images: Getty, unless otherwise stated.
