OAIC Data Breach Report January–June 2022: Our Analysis

The OAIC’s Findings in its Data Breach Report January-June 2022 

The OAIC highlighted the following key findings in their January – June 2022 Data Breach Report: 

• Notifications were down 14% overall to 396. 
• The top five sectors reporting data breaches were health services providers; finance; education; legal, accounting and management services; and recruitment agencies.  
• 65% of data breaches affected 100 or fewer people.  
• Malicious or criminal attacks represent the most significant risk, resulting in 63% of notifiable data breaches during this period. Human error caused 33%, while system fault caused 4%.  
• Ransomware, phishing, and compromised or stolen credentials were behind most cyber security incidents.  
• The most common human error breaches were emailing personal information to the wrong recipient (51%) and the unintentional release or publication of personal information. You can read our guidance about what to do if you email personal information to the wrong recipient here. 

Key Findings From The OAIC’s Data Breach Report for January–June 2022 

More Data Breaches Are Impacting Larger Numbers of People 

The OAIC’s highlights revealed that 65% of breaches impacted fewer than 100 people – which is good news. However, we found their findings about the breaches impacting 5,000 or more people to be equally, if not more, significant.  

There were 24 breaches that impacted the data of more than 5,000 Australians, up from 18 in July – December 2021. Of those 24 breaches: 

• 1 impacted more than 1 million Australians (up from none in the last report); and  
• 3 impacted the data of 100,000-250,000 (up from 1 in July-December 2021). 

These figures do not include the figures from the recent Optus and Medibank breaches. Those will be recorded in the OAIC’s July-December 2022 reporting, which will be released next year. (As an aside, we note that this report took much longer to publish than in the past. We query whether this shows that the OAIC is facing issues responding to the increasing sizes of data breaches in Australia.) 

“23 of the 24 breaches that affected more than 5,000 Australians were caused by cyber incidents… Nine were ransomware incidents, 9 were due to compromised credentials, 3 were due to hacking and 2 were malware incidents.” 

 In other words, we had a higher number of breaches impacting a larger number of people. This is not a trend we want to see continue in Australia.  

Organisations should be doing more to protect the personal information they hold against ransomware attacks, compromised credentials, and other cybersecurity incidents. While the exact steps each organisation should take to protect the data will vary depending on the volume and volatility of the data collected and stored, the measures implemented should be proportionate to the risk.  

More Data Breaches Involve More Than One Entity 

The OAIC noted that it received 100% more notifications of data breaches where more than one entity holds personal information subject to a breach. When organisations share data, the responsibility to keep that data safe is also shared.  

It is crucial that organisations only share data with third parties they can trust. Read more about this in our previous coverage discussing questions to ask before sharing data with a third party. 

Data Minimisation is Essential 

In the OAIC’s press release about the report, Commissioner Falk stressed the importance of Australian organisations implementing data minimisation. She noted that the rising number of breaches impacting larger number of Australians indicated that organisations should reconsider the amount of data they collect, as well as how long they retain it for.  

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.” – OAIC Commissioner Falk  

For assistance managing and securing your organisation’s data, reach out. Our privacy team would love to assist.