As revealed by OAIC’s Notifiable Data Breaches Report.
Australian organisations have seen close to a 25 percent increase in data breaches resulting from ransomware incidents, according to the latest report from the Office of the Australian Information Commissioner (OAIC).
The latest Notifiable Data Breaches Report showed the agency received 446 data breach notifications from January to June 2021, 43 percent of which were from cyber security incidents.
Data breaches arising from ransomware incidents in particular increased by 24 percent, up from 37 notifications last reporting period to 46.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern, particularly due to the difficulties in assessing breaches involving ransomware.
“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Falk said.
“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.
“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”
The report also revealed that other data breaches were a result of impersonation fraud, where an attacker would impersonate an authorised user to gain access to an account, system, network or physical location.
Breaches caused by human error accounted for 30 percent of notifications, down from 203 to 134, 74 percent of which were Australian Government agencies.
“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” Falk said.
“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”
The highest reporting industry sector was health with 19 percent of all notifications, followed by finance at 13 percent. Most of the breaches, 93 percent, affected organisations with 5,000 employees or fewer, with 65 percent affecting those with 100 employees or fewer. Out of that, 44 percent of breaches affected between 1 and 10 employees.