OAIC Data Breach Report: July – December 2023

The Office of the Australian Information Commissioner (OAIC) has released its latest Notifiable Data Breaches (NDB) report, covering July to December 2023. Australian organisations reported 19% more data breaches in this period than in the previous six months, pointing to an intensification of hacking and other cyber security attacks.

But we dug into the numbers to uncover more about what’s actually happening in the Australian data breach landscape:  

The OAIC’s Key Findings in its Data Breach Report 

A New Trend: More Breaches in the Second Half of the Year. 

There was a 19% increase in reported data breaches compared to the prior six-month period. Interestingly, a rise in the second half of the calendar year has emerged as something of a trend over recent years.

Malicious Attacks Remain Dominant

Malicious or criminal attacks remain the primary cause of data breaches, accounting for 67% of incidents. This is a slight decrease from 70% of data breaches being attributed to malicious attacks in the January – June 2023 half (which is interesting given the rise in the total number of data breaches). 

Health and Finance Still Top Targets 

The health and finance sectors remain the most frequent reporters of data breaches. 

Most Breaches Remain Small-Scale 

While the number of breaches is increasing, the majority (65%) impacted 100 or fewer individuals. Significantly, there were no ‘mammoth’ breaches impacting over 10 million Australians reported in the July – December 2023 half. But there were two impacting 1-10 million people.  

Significant Rise in Secondary Notifications 

The number of secondary notifications (notifications about a multi-party breach that another involved entity, such as a service provider or its client, has already reported to the OAIC) increased dramatically, to 121. For context, there were 29 secondary notifications in the previous six-month period.

Our Observations from the OAIC’s Data Breach Report

Data Retention in the Spotlight

Data retention practices were front and centre in this report. The OAIC highlighted the risk of poor or absent data retention processes, both within organisations and at their third-party suppliers. It also made clear that the security of personal information is a regulatory priority, stating in its regulatory priorities statement:

The OAIC will prioritise regulatory action where there may be serious failures to take reasonable steps to protect personal information, the use of inappropriate data retention practices or failures to comply with reporting requirements of the Notifiable Data Breaches Scheme, particularly where risks and mitigations have previously been publicised by the OAIC. 

While the personal information security practices of the finance and health sectors will continue to be areas of particular focus, as the top two sectors reporting breaches, the OAIC will take an economy-wide interest in data retention practices.

If you haven’t previously prioritised implementing good data retention policies, it’s likely time.  

We also recently updated our post on data minimisation, which is incredibly timely given these findings.

A Note About Secondary Notifications

The rise in secondary notifications indicates that the parties to a breach are notifying more consistently, but it also underscores how interconnected data flows between organisations and their suppliers have become. Personal information needs to be secured throughout that whole lifecycle, up to its deletion or de-identification. More on this below.

Ransomware Did Not Dominate

Ransomware was not the most common cause of cyber incidents in the most recent period; phishing was. Compromised credentials (obtained through phishing, brute-force attacks, or unknown means) were responsible for 58% of cyber incidents. Strong multi-factor authentication can substantially reduce this risk. Again, more on this below.

Action Items for Australian Organisations 

Prepare a data breach response plan.  

The OAIC itself outlined this key takeaway in the reporting:  

“A key takeaway from these determinations is entities should have a considered and up‑to‑date data breach response plan. The entities in both cases did not have a data breach response plan in place before the data breach occurred.” 

We suggest stress-testing your data breach response plan against the most common causes of data breaches identified in the OAIC’s data breach reporting. For instance, you might test your plan in the event of a (simulated) phishing incident (the most common malicious source of Australian data breaches in the most recent reporting) and a breach involving personal information being sent to the wrong recipient via email (the most common human error).  

Implement the Australian Signals Directorate’s Essential Eight.  

The ASD has published eight essential mitigation strategies that are critical for Australian organisations looking to protect themselves against various cyber threats. These have been identified as the most effective mitigation strategies currently available. 

You can find more information on the ASD’s explainer page but, briefly, the eight strategies are:  

  • patch applications 
  • patch operating systems 
  • multi-factor authentication 
  • restrict administrative privileges 
  • application control 
  • restrict Microsoft Office macros 
  • user application hardening 
  • regular backups. 

Malicious attacks are becoming very sophisticated. Be and stay prepared.  

We recently published a quick snapshot of a $25 million payment made to cybercriminals who used deepfakes to fake a multi-person video meeting within a multinational corporation.

The threats to Australian organisations today seem futuristic, but they’re very real. Criminals can fake your voice and pretend to be you on a video call. And Australian organisations need to be ready to face these risks.  

The ASD recommends adopting new minimum multifactor authentication standards that require:  

  • Something users have; and 
  • Something users know.  

Helpfully, this strategy reduces the risk of compromised-credential attacks, which the OAIC attributes to 58% of cyber incidents, or roughly a quarter of all data breaches in the July – December 2023 period. Because phishing is the leading pathway to compromised credentials in this report, prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over codes sent by SMS or email, which an attacker's phishing page can simply relay to the real login in real time.

As always, train your team.  

Human error breaches increased by 36% in this reporting period. We saw verbal disclosures, insecure disposal, loss of paperwork/devices, and failures to redact.  

Ensuring your team has thorough and thoughtful cyber security and privacy training at least annually can help to reduce your organisation’s risk.  

Make sure your third-party contracts include data retention and destruction clauses.  

The OAIC highlighted that multi-party breaches revealed a significant lack of data retention and destruction clauses in contracts with third-party service providers.

To overcome this, we suggest auditing your existing contracts to ensure each contains defined data retention periods, a process for securely destroying (or de-identifying) the data once those periods expire, and an obligation on the supplier to confirm destruction in writing.
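A retention policy only works if something actually applies it to the records you and your suppliers hold. The following Python example, added here to illustrate the data retention and third-party destruction points above, is not OAIC or Privacy 108 code: it applies a hypothetical retention schedule to a set of constructed sample records, respects legal holds, chooses between destruction and de-identification per category, and groups the resulting work by custodian so each supplier gets its own list of records to destroy. The schedule, record layout, custodian names and sample data are all assumptions made up for illustration.

```python
"""Retention-schedule enforcement: work out what must happen to each stored
record of personal information once its retention period has expired.

Added example for this article. Not OAIC or Privacy 108 code; the schedule,
record layout, custodians and sample records are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Disposition(Enum):
    RETAIN = "retain"             # still inside its retention period
    HOLD = "hold"                 # expired, but under legal hold: must not be destroyed
    DEIDENTIFY = "de-identify"    # expired; keep only a de-identified copy
    DESTROY = "destroy"           # expired; securely delete


@dataclass(frozen=True)
class RetentionRule:
    days: int                         # retention period counted from last activity
    deidentify_instead: bool = False  # keep de-identified data rather than destroy


# Hypothetical retention schedule keyed by record category (assumption).
SCHEDULE = {
    "customer_account": RetentionRule(days=7 * 365),
    "marketing_lead": RetentionRule(days=2 * 365, deidentify_instead=True),
    "recruitment": RetentionRule(days=365),
}

# Fields treated as direct identifiers by the minimal de-identification below.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    custodian: str                    # "internal" or the supplier holding the data
    data: dict = field(default_factory=dict)
    legal_hold: bool = False


def decide(rec: Record, today: date, schedule=SCHEDULE) -> Disposition:
    """Apply the schedule to one record. Unknown categories fail closed."""
    rule = schedule.get(rec.category)
    if rule is None:
        raise ValueError(f"no retention rule for category {rec.category!r}")
    expiry = rec.last_activity + timedelta(days=rule.days)
    if today < expiry:
        return Disposition.RETAIN
    if rec.legal_hold:                # a hold blocks destruction, never retention
        return Disposition.HOLD
    return Disposition.DEIDENTIFY if rule.deidentify_instead else Disposition.DESTROY


def deidentify(rec: Record) -> dict:
    """Drop direct identifiers and the record key. Minimal illustration only:
    real de-identification also needs a re-identification risk assessment."""
    return {k: v for k, v in rec.data.items() if k not in DIRECT_IDENTIFIERS}


def uncovered_categories(records, schedule=SCHEDULE) -> list:
    """Categories present in the data but missing from the schedule: these are
    records that would otherwise be kept forever by default."""
    return sorted({r.category for r in records if r.category not in schedule})


def plan(records, today: date, schedule=SCHEDULE) -> dict:
    """Group required actions by custodian so each party (including suppliers
    bound by a destruction clause) gets its own work list."""
    actions = defaultdict(list)
    for rec in records:
        d = decide(rec, today, schedule)
        if d is not Disposition.RETAIN:
            actions[rec.custodian].append((rec.record_id, d.value))
    return dict(actions)


# Constructed sample records (not real data) and a fixed "today" for the run.
TODAY = date(2024, 1, 1)
SAMPLE = [
    Record("c-1", "customer_account", date(2020, 6, 1), "internal",
           {"name": "A. Citizen", "email": "a@example.com", "state": "NSW"}),
    Record("c-2", "customer_account", date(2015, 1, 1), "internal",
           {"name": "B. Citizen", "email": "b@example.com", "state": "VIC"},
           legal_hold=True),
    Record("m-1", "marketing_lead", date(2021, 3, 15), "vendor:crm-saas",
           {"name": "C. Citizen", "email": "c@example.com", "postcode_area": "30"}),
    Record("r-1", "recruitment", date(2022, 11, 1), "vendor:ats-provider",
           {"name": "D. Citizen", "phone": "0400000000"}),
]

if __name__ == "__main__":
    assert not uncovered_categories(SAMPLE), "schedule does not cover all data"
    for rec in SAMPLE:
        print(rec.record_id, decide(rec, TODAY).value)
    print(plan(SAMPLE, TODAY))
```

Two design choices matter more than the dates: an unknown category raises rather than silently retaining, because "we never set a period for that system" is exactly how stale data accumulates, and a legal hold only ever blocks destruction, so it can never be used to justify keeping data that is still within its period for some other purpose. In a real deployment the work lists produced by `plan` would be handed to the respective custodians and the supplier's written confirmation of destruction retained as evidence.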

Data Breach Management with Privacy 108  

Our data breach management services include:  

  • Developing an information security incident response capability;  
  • Preparing a data breach response plan;  
  • Testing and training staff in your incident response;  
  • Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;  
  • Keeping you up to date with new or changing data breach notification obligations;  
  • Providing a legal opinion on your data breach notification obligations; and   
  • Participating in or leading the post-incident review process.  

For help managing and securing your organisation’s data, reach out. Our privacy team would love to assist.    


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.