Australian organisations reported 63 data breaches in the first six weeks of the Turnbull Government’s mandatory notification system, under which all major organisations must promptly report all breaches.
If that rate continues, Australia can expect to see more than 500 breaches reported by the end of the year. But that number could rise significantly as more organisations come to grips with the new regime – and discover the huge penalties for not reporting.
The 63 reports, lodged with the Office of the Australian Information Commissioner (OAIC), contrast with just 114 breaches reported in the entire 2016–17 financial year, when reporting was voluntary.
The numbers for the first six weeks of the new regime, which began on February 22, showed that health services providers were responsible for the single largest number of notifications (15), followed by businesses that supply “legal, accounting and management services”.
Organisations in the finance, education and not-for-profit sectors were also implicated.
However, not all breaches were instigated by cyber criminals, the OAIC has revealed: human error was in fact listed as the most common cause.
“The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, e-mail address, home address or phone number,” the OAIC said. “This is distinct from ‘identity information’, which refers to information used to confirm an individual’s identity, such as driver licence numbers and passport numbers.”
However, some entities also reported data breaches that involved individuals’ tax file numbers, financial details, such as bank account or credit card numbers, and even health information.