Increased cyber attacks in Australia as more data breaches reported to OAIC

Reports of data breaches increased almost a fifth during the second half of 2023.

Reported data breaches in Australia increased 19% in the latter half of 2023, new data from the Office of the Australian Information Commissioner (OAIC) shows. A total of 483 breaches were reported between July and December 2023, bringing the total for the whole year to 890. The breach reports increased steadily each month, starting at 57 in July and ending at 97 in December.

Malicious or criminal attacks remained the leading cause (67%) of all data breaches, followed by human error (30%) and system faults (3%). Most reported breaches came from the health service provider sector (104), followed by the finance (49) and insurance sectors (45).

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Australian Information Commissioner Angelene Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organizations are holding onto data much longer than is necessary.”

Graphic: Martina Lindberg

Increasing malicious attacks

During the second half of 2023, the OAIC saw an increase in breach reports in relation to:

  • malicious or criminal attacks – 322, up 12% from 287 reports in January-June 2023;
  • human error – 144, up 36% from 106 reports;
  • system fault – 17, up 21% from 14 reports.

Graphic: Martina Lindberg

According to Commissioner Falk, many breaches continue to be multi-party breaches, with most incidents resulting from a breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” Falk continued. “Organisations need to proactively address privacy risks in contractual agreements with third-party service providers. This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”

Most breaches were reported to affect a single individual, and 100 reports involved between 11 and 100 affected individuals. Three reported breaches are said to have affected 1,000,001 to 10,000,000 people.

| Affected individuals      | Number of reported breaches |
|---------------------------|-----------------------------|
| 1                         | 137                         |
| 2 – 10                    | 75                          |
| 11 – 100                  | 100                         |
| 101 – 1,000               | 93                          |
| 1,001 – 5,000             | 34                          |
| 5,001 – 10,000            | 12                          |
| 10,001 – 25,000           | 5                           |
| 25,001 – 50,000           | 9                           |
| 50,001 – 100,000          | 5                           |
| 100,001 – 250,000         | 4                           |
| 250,001 – 500,000         | 1                           |
| 500,001 – 1,000,000       | 2                           |
| 1,000,001 – 10,000,000    | 3                           |
| Unknown                   | 3                           |

Most breaches were identified within 10 days; however, 23% took over 30 days to detect. Breaches due to human error were the fastest to be identified (71% identified within 10 days), followed by malicious or criminal attacks (61%). The slowest type of breach to identify was system faults: 35% took over 30 days.

The health service provider sector identified most breaches within 10 days (75%), followed by retail (62%) and finance (59%). The Australian Government and the insurance sectors were the slowest, with 50% and 49% respectively of their breaches taking over 30 days to identify.

As in the first half of 2023, the majority of organisations reported their breaches to the OAIC within 30 days of becoming aware of them. Only 2% waited more than one year to file the report.

Among the malicious or criminal attacks, the majority (66%, or 211 reports) related to cyber incidents. Social engineering/impersonation came second with 54 breaches, rogue employee/insider threats accounted for 36 reported breaches, and theft of paperwork or data storage devices for 21. All types of cyber incidents increased between July and December 2023; incidents of malware, however, slightly decreased compared to January – June 2023.

Graphic: Martina Lindberg

UK and Australia sign joint memorandum

Cyber security has been a hot topic for a while in Australia, especially since December 2022, when Home Affairs and Cyber Security Minister Clare O’Neil announced a major program to develop a new cybersecurity strategy for the country, stating an ambition to make Australia the most cyber secure country in the world by 2030.

Taking a step closer to the vision, Australia and the UK have now joined forces to advance online safety and security by creating a Memorandum of Understanding (MoU) to “help amplify the world class online safety regimes of both countries”.

The MoU covers a broad range of online safety and security issues, including illegal content, child safety, age assurance, and technology-facilitated gender-based violence. It also addresses harms caused by rapidly changing technology such as generative AI.

“This historic Memorandum of Understanding will bring our two countries closer together, ensuring greater collaboration and engagement as we deal with online harms,” said Australian Minister for Communications, the Hon Michelle Rowland MP.

“Online safety is a shared, global responsibility. We must be proactive in ensuring that our legislative frameworks remain fit-for-purpose, and continue to evolve as new harms emerge.”

The UK Secretary of State for Science, Innovation and Technology, Michelle Donelan MP, added: “The UK and Australia are at the forefront of online safety, and I am proud of our internationally pioneering approaches which are already helping to create a safer and more secure digital world, protecting our citizens and holding platforms to account.”