Records of over 10m Australians leaked

The latest quarterly data breach report from the Office of the Australian Information Commissioner (OAIC) has revealed over 10 million individuals had their information compromised in one single incident. The current population of Australia is around 25.4 million. Almost 50% in one single breach.

The breach was disclosed to the OAIC under the Notifiable Data Breaches (NDB) scheme between January 1, 2019, and March 31, 2019 and reported in its quarterly statistics report.

While the report did not detail the origin of the breach that affected over 10 million individuals, it did show that the most number of affected individuals from a single finance-related breach was less than 500,000 and the health sector’s three heaviest impacting breaches affected less than 5,000 individuals each.

Of the 215 reported breaches this quarter, 61% were attributed to malicious or criminal attacks, while human error accounted for 35% of data breaches, with less than 5% related to as system faults.  Those statistics paint an interesting picture.

Of those flagged as breaches due to malicious or criminal attacks, 87 were labelled as “cyber incidents”, such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials.

Where human error was concerned, the report shows that in 23 cases, the personal information of individuals was emailed to an incorrect email address. The unauthorised disclosure, such as incorrect release or publication, accounted for 21 of the human error-related incidents — affecting an average of 36,993 individuals per data breach.

For system faults, the OAIC said the majority of them involved the unintended disclosure of personal information on a website due to coding bugs, or a machine fault that resulted in a document containing personal information being sent to the wrong person.

Private health providers were again the most impacted sector, with 58 NDBs received by the OAIC. Finance, which includes superannuation, accounted for 27 breaches; legal, accounting, and management services had 23 NDBs; education 19; and there were 11 from the retail sector.  If you’re in Healthcare, accounting, or any other professional services – stand up and take note.

Australia’s data breach scheme came into effect in February last year, requiring agencies and organisations in Australia with a turnover of above $3m AUD to report any data breach that is likely to result in “serious harm” — as soon as practicable after becoming aware of a breach.

For more information, please visit the OAIC website: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme