Australian data breach report highlights supply chain risks

The Office of the Australian Information Commissioner (OAIC) has warned of a growing number of supply chain risks faced by Australian organisations in its latest data breach report.

Australian Information Commissioner Angelene Falk said that the OAIC continues to be notified of a high number of multi-party breaches, with most resulting from a breach of a cloud or software provider.

“The increased occurrence of incidents that affect multiple parties is a reason we are seeing data breaches grow in complexity, scale and impact,” said Falk. “Organisations need to proactively address privacy risks in contractual agreements with third-party service providers.

“This includes having clear processes and policies in place for handling personal information and a data breach response plan that assigns roles and responsibilities for managing an incident and meeting regulatory reporting obligations,” she added.

The July to December 2023 period saw 483 data breaches reported to the OAIC, up 19% from the first half of the year. There were an additional 121 secondary notifications, a significant increase from 29 notifications in January to June 2023.

Malicious or criminal attacks remained the leading source of data breaches, accounting for 322 notifications, and the majority of those (211 notifications) were cyber security incidents.

The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively.

Falk said the Notifiable Data Breaches scheme is now well-established and that the OAIC expects organisations to comply with their obligations.

“The OAIC is escalating its regulatory actions into data breaches, and we have commenced civil penalty proceedings in the Federal Court,” said Falk.

“We are prioritising regulatory action where there appear to be serious failures to comply with the scheme’s reporting requirements and to take reasonable steps to protect personal information, and where organisations are holding onto data much longer than is necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach. If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised.”

The Australian government responded to the Attorney-General Department’s review of the Privacy Act 1988 in the second half of 2023, agreeing in principle to proposals that would strengthen the Notifiable Data Breaches scheme, including changes to reporting timeframes.

The release of the Notifiable data breaches report comes shortly before the commencement of Carly Kind as privacy commissioner on 26 February 2024.

“I look forward to welcoming Commissioner Kind to the OAIC at a time when privacy and the protection of personal information have never been more crucial for the Australian community,” Falk said.