There was a 19 per cent increase in data breaches reported to the Office of the Australian Information Commissioner (OAIC) from July to December 2023.
The OAIC released its latest Notifiable Data Breach Report this month which highlighted the risk of outsourcing personal information handling to third parties.
Commissioner Angelene Falk said the OAIC continued to be notified of a high number of multi-party breaches, with most resulting from a breach of a cloud or software provider.
“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” Commissioner Falk said.
“Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.
“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations.”
There were 483 data breaches reported to the OAIC in the last six months of the year. There were an additional 121 secondary notifications, a significant increase from 29 notifications in January to June 2023.
Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, and the majority of those (211 notifications) were cyber-security incidents.
“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” Commissioner Falk said.
“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.
“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach.
“If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”
Read the Notifiable data breaches report July to December 2023.
Share this article