Reported data breaches from ransomware incidents increased by 24% to 46 in the half-year to June, compared with the previous six months, according to the Office of the Australian Information Commissioner (OAIC).
Commissioner Angelene Falk described that as a cause for concern, particularly given the challenges which arise.
“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.
“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network,” she said.
Another matter of concern was the 35 cases of data breaches resulting from impersonation fraud, where a malicious actor impersonates someone to gain access to an account, system, network or physical location.
Falk said: “The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud-monitoring controls.
“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.
“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”
Overall, the OAIC received 446 notifications between January and June, a 16% decrease on the previous six months and an 11% decrease on the year-ago period, the organisation’s Notifiable Data Breaches Report reveals.
The health sector remains the highest reporting segment (with 19% of all notifications), followed by finance (13%).
Malicious or criminal attacks remain the leading source of data breaches, accounting for 65% of notifications, then human error at 30%. However, the number of notifications in that latter category fell by about half to 134 from 203.
But Falk warned against complacency. “Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” she said.
“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”