Lessons From The OAIC Data Breach Report: Jan–June 2024

The January to June 2024 Data Breach Report from the Office of the Australian Information Commissioner notes a 9% increase in data breaches reported in the first six months of 2024, compared to the previous period. In fact, data breaches reached their highest level since 2020. 

But beyond the increase in the number of breaches, the OAIC data breach report also provided key insights into the OAIC’s decision-making regarding whether to pursue regulatory action and its expectations from Australian organisations. With a new Privacy Commissioner, a new regulatory agenda and perspective are not unexpected.

We’ve looked further into some of the trends highlighted by the OAIC in the reporting to identify some key action items for your organisation.

“The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher,” Commissioner Kind said.

Key Facts and Figures From The Latest Data Breach Report

• We saw a 9% increase in the number of data breaches reported in this period from the July-December 2023 period. There were a total of 527 reported data breach. 
• Most (63%) breaches impact fewer than 100 people. But the data from this report included the MediSecure data breach, which impacted approximately 12.9 million Australians – the largest number of Australians affected by a breach since the Notifiable Data Breaches scheme came into effect.
• The Australian Government was the second highest ‘industry’ when it came to notifiable data breaches this period. It was responsible for 12% of all notifications. The Australian Government also tended to identify the breach late (after 30 days) and notify the OAIC beyond the 30-day notification period. 
• Health services providers reported the highest number of data breaches (again), totalling 19% of all notifiable data breaches for the period. The health services industry has consistently reported the most breaches in each period since OAIC started publishing this data in 2018. 
• On average, significantly more individuals are impacted by cyber criminal breaches compared to human error – averaging 107,123 while social engineering, lost devices, and insider threat breaches all averaged fewer than 5,000 affected individuals per breach. 

The OAIC’s Key Findings in its Data Breach Report 

The OAIC identified 6 key trends in its data from this reporting period:

• Mitigating cyber threats: Entities are expected to have appropriate and proactive measures in place to mitigate cyber threats and protect personal information. 
• Managing supply chain risks: Entities should implement a robust supplier risk management framework. 

• Addressing human errors: Entities should plan for human mistakes and insider threats in their system design. Human errors should no longer be regarded as ‘unexpected.’

• Cloud-Based Data Responsibility: Entities have a shared responsibility for the security of data stored in the cloud. 

• Relying on hacker promises: Entities should not rely on hacker promises when assessing risk.  They may promise not to release your data but you can’t really trust a crook, right? 
• Australian Government breaches: As outlined above, there was a sharp increase in the proportion of data breaches within the Australian government. This risks community trust, especially since individuals have less power when it comes to their choice about whether to hand over data to the government vs private entities. 

We’ll discuss some of these in more detail below, but for the full report, review the OAIC’s data breach report for January – June 2024.

Number of Data Breaches Each 6 Months Since 2020

The OAIC highlighted that this period saw the most data breach reports since July-December 2020, with an increase of 9% from July-December 2023. Given that we have historically seen more data breaches in the second half of each year, we do wonder whether this year is shaping up to be a record-breaking year in terms of reportable data breaches (which would not be good news). 

Here’s hoping we buck the second-half increase trend in 2024. 

Harm and Hacker Promises: The Relevance of Destruction Assurances Following A Breach

We thought it was worth highlighting the OAIC’s discussion around harm and hacker promises. The OAIC noted that it is seeing entities giving too much weight to the promises of hackers and other threat actors in the assessment of serious harm. 

It noted:

“In some cases involving ransomware attacks, the entity assessed it was unlikely the data breach would cause serious harm to the affected individuals based on the threat actor’s assurance they would destroy and not publish data upon ransom payment.”

Here is a non-exhaustive list of factors that should be used in the determination of whether there is a risk of serious harm: 

• the kind or kinds of information
• the sensitivity of the information
• whether the information is protected by one or more security measures
• if the information is protected by one or more security measures – the likelihood that any of those security measures could be overcome
• the persons, or the kinds of persons, who have obtained, or who could obtain, the information
• if a security technology or methodology:
  • was used in relation to the information, and;
  • was designed to make the information unintelligible or meaningless to persons who are not authorised to obtain the information
• the likelihood that the persons, or the kinds of persons, who:

• • have obtained, or who could obtain, the information, and;

• • have, or are likely to have, the intention of causing harm to any of the individuals to whom the information relates;

• • have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology

• the nature of the harm
• any other relevant matters.

So, the law does allow for consideration of the motivation of the threat actors. However, the OAIC has noted that it considers paying a ransom to a cybercriminal to not be sufficient to prevent serious harm. Moreover, any assurances from a person who is willing to exfiltrate personal information and hold it for ransom are not likely to be credible. 

“It is unlikely a reasonable person would accept that a cybercriminal is trustworthy or likely to honour any such agreement with respect to personal information. Where a cybercriminal has targeted data held by an entity, dealt with the data in an unauthorised manner and demanded a ransom under threat of further unauthorised dealings, this casts considerable doubt on the credibility of any assurances.”

The OAIC also reiterated the ASD’s advice to never pay a ransom. If you’re unsure whether your organisation would pay a ransom if one were demanded, you shouldn’t be. It’s important that your data breach response plan contemplates your ransomware response and attitude towards ransom demands. 

Our Observations from the OAIC’s Data Breach Report

The OAIC’s data breach report noted that addressing the human factor is one of the key themes of the report, however it didn’t delve deeply into that topic. We’ll discuss it in more depth here, but first – here’s what the OAIC said entities should do to address this risk: 

• prioritising training staff on secure information handling practices
• holding regular training to keep staff up to date on the latest techniques used by threat actors and methods to detect phishing attempts
• minimising access to personal information to staff who require access to enable the entity to carry out its functions and activities
• proactive monitoring to identify possible unauthorised access by internal and external parties.

A quick aside: Privacy 108 offers tailored and customisable privacy awareness and security awareness training for organisations. 

Staff Clicking Phishing Links Still Prevalent Practice

The past two data breaches have shown a large increase in the number of data breaches caused by phishing. In the January-June 2024 reporting period, 12% of all breaches were caused by phishing (63 in total), which was an increase from the July-December 2023 period and a significant increase from the Jan-June 2023 period, which only saw 33 phishing-related notifications. 

As a reminder: Phishing is a hacking technique where someone tries to trick you into giving them your personal information by pretending to be someone you trust, like a bank or colleague.

So, what can organisations do to reduce the risk of staff clicking phishing emails and compromising their credentials as a result? 

• Implement strong email security: Use email filtering and anti-phishing tools to detect and block suspicious emails before they reach employees.
• Provide regular security awareness training: Educate employees about common phishing tactics, how to identify suspicious emails, and the importance of not clicking on unknown links or attachments.
• Use multi-factor authentication (MFA): Require MFA for all accounts, more on this below.
• Conduct simulated phishing tests: Periodically send simulated phishing emails to employees to assess their awareness and identify areas for improvement in training.
• Establish clear reporting procedures: Encourage employees to report any suspicious emails or activities promptly so that potential threats can be addressed quickly.

Continued Insider Threat Risk

The proportion of data breaches attributable to insider threats has fairly consistently hovered around 5-6% since 2020. While insider threats are challenging for organisations to prevent, given that the users will have access to the systems, there are technical solutions that can help, including: 

• Strict access controls
• High volume record search and/or download flagging
• Restricted copying and pasting of data 
• Monitoring uploads from work devices. 

Action Items for Australian Organisations 

In addition to the steps outlined above for managing phishing and insider threats, these action steps can help your organisation improve its privacy posture. 

Multi-Factor Authentication As Standard

MFA adds an extra layer of security to your accounts by requiring more than your username or email address, and password to log in. It is an extremely cost effective and effective way to reduce the risk of unauthorised access to your organisation’s accounts. We recommend enabling MFA wherever possible, starting with your accounts that contain the most sensitive information. 

You can learn more about MFA here, including a detailed approach for implementation.

Audit Your Processes To Identify Systemic Issues 

The OAIC noted in the January – June 2024 data breach report that it would be more likely to take regulatory action in certain instances, particularly around systemic privacy risks. 

It notes that it would be more likely to take regulatory action if there are issues that: 

• create a risk of substantial harm to individuals and the community, especially to vulnerable people and groups
• concern systemic harms or contraventions
• mean the regulatory action is likely to change sectoral or market practices or have an educative or deterrent effect
• are subject to significant public interest or concern
• will help clarify aspects of policy or law, especially newer provisions of the Acts the OAIC administers.

In response, your organisation should: 

• keep abreast of trends in regulatory enforcement around specific privacy practices, and 
• regularly audit its own practices to manage risks relating to systemic contraventions or substantial risk to individuals. 

Highlighting Supply Chain Risks

This period’s data breach reporting noted the two following issues emerging in multi-party data breach reporting: 

• the risks that exist beyond an entity’s immediate third-party suppliers – in their extended supply chains
• delays in notifications to affected individuals.

We have extensively covered managing privacy risks in the supply chain in a 17-page ebook, which outlines:

1. Why privacy matters in vendor relationships.
2. Vendor selection and onboarding.
3. Contractual agreements and privacy protocols.
4. Data security measures for vendor relationships.
5. Ongoing support.
6. Incident responses and data breach management.
7. Exit strategies and transitioning to other vendors.

You can read and download the complete guide here (no personal data required).

In the ebook, we offer access to our Vendor Privacy Review Checklist. Complete the form below to receive this resource or email us at hello@privacy108.com.au.

Data Breach Management with Privacy 108  

Our data breach management services include:  

• Developing an information security incident response capability;  

• Preparing a data breach response plan;  
• Testing and training staff in your incident response;  
• Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;  
• Keeping you up to date with new or changing data breach notification obligations;  
• Providing a legal opinion on your data breach notification obligations; and   
• Participating in or leading the post-incident review process.  

For help managing and securing your organisation’s data, reach out. Our privacy team would love to assist.