Report on Notifiable Data Breaches From July to December of 2023

Data Breaches From July to December of 2023

The Australian Information Commissioner (OAIC) regularly releases statistics on data breaches reported under the Notifiable Data Breaches (NDB) scheme. This information helps organisations and the public stay informed about the privacy risks identified through the scheme. The rising number of data breaches suggests that organisations may not be conducting enough network penetration testing and cyber security audits, and may not be meeting regulatory compliance requirements such as PCI-DSS, ISO 27001 and Essential 8. This report focuses specifically on data breaches reported from July 1st, 2023, to December 31st, 2023.

It’s important to note that comparisons in this report are typically made against data from the first half of 2023 (January 1st to June 30th) unless otherwise stated. Additionally, percentages in the charts might not perfectly add up to 100% due to rounding.

The source of each breach is based on what the reporting entity provides. If there are multiple possible sources, the report considers the most likely or dominant source. It’s important to remember that notifications made under the My Health Records Act 2012 are not included in this report, as they have their own specific reporting requirements defined by that legislation.

Finally, while the statistics in this report are current as of January 30th, 2024, some data breach notifications are still being assessed. This means that adjustments might be made to the related statistics, potentially impacting the data presented for the July to December 2023 period in future reports. Similarly, statistics from before July 2023 in this report might differ slightly from those published in previous reports.

Key findings for the July to December 2023 reporting period:

1. The number of reported breaches increased by 19 percent, rising from 407 in January to June of 2023 to a total of 483.

2. Malicious or criminal attacks remained the leading cause (67%) of data breaches.

3. The health and finance sectors remained the top reporters of data breaches. Health reported 104 breaches (22% of all notifications) and finance 49 breaches (10%).

4. The majority of breaches (65%) affected 100 or fewer people.

In addition to the 483 primary notifications, the OAIC received 121 additional notifications, a sharp rise from the 29 additional notifications it received between January and June of 2023.

Increased focus on Ensuring Organisations Comply With the NDB Scheme

The Australian Information Commissioner (OAIC) prioritises data security and expects businesses to have effective data breach response plans. Recent determinations and legal actions highlight the importance of:

  • Taking reasonable steps to protect personal information.
  • Having proper data retention practices.
  • Complying with data breach reporting requirements, especially when the OAIC raises concerns.
  • Conducting swift assessments of suspected data breaches.

Businesses are encouraged to review the recent determinations and consider developing their own data breach response plans.

All Industry Data Breach Notifications, July-December 2023

During this reporting period, the OAIC received 483 notifications, a 19% increase compared with January to June 2023. This is consistent with what the OAIC has observed since the NDB scheme began in February 2018: more notifications typically arrive in the second half of each year.

After a relatively low count of 57 notifications in July 2023, the number of notifications grew steadily each month, peaking at 97 in December 2023.

Reporting period | Number of notifications
--- | ---
January to June 2023 | 407
July to December 2023 | 483
Total | 890

Chart 1: Notifications received by month from January 2022 to December 2023

Chart 2: Notifications received by month showing the sources of breaches

Number of individuals worldwide affected by breaches

During this reporting period, most breaches (91%) affected the personal information of no more than 5,000 people worldwide. Breaches affecting 100 or fewer people accounted for 65% of all notifications. Breaches affecting between one and ten people represented 44% of all notifications, which is comparable to previous reporting periods.

Chart 3: Number of individuals worldwide affected by breaches.

Massive data breaches impacting Australians

In the second half of 2023, the OAIC received about the same number of data breaches that impacted over 5,000 Australians as it did in the first half of the year.

Number of Australians affected by breaches | Jan–Jun 2023 | Jul–Dec 2023
--- | --- | ---
5,001–10,000 | 11 | 7
10,001–25,000 | 5 | 4
25,001–50,000 | 3 | 7
50,001–100,000 | 3 | 0
100,001–250,000 | 1 | 4
250,001–500,000 | 0 | 1
500,001–1,000,000 | 0 | 1
1,000,001–10,000,000 | 2 | 2
10,000,001 or more | 1 | 0
Total number of breaches affecting over 5,000 Australians | 26 | 26

Cyber incidents remained the main cause of data breaches affecting large numbers of Australians. Of the 26 breaches affecting more than 5,000 Australians, 22 resulted from cyber incidents. The leading causes were compromised or stolen credentials (9 breaches), ransomware (8 breaches) and hacking (4 breaches).

Types of Personal Information Involved in Breaches

Contact information and identity information were the kinds of personal information most frequently involved in breaches. Most breaches (88%) involved contact information such as a person’s name, home address, telephone number and email address. Identity information, which covers details used to verify someone’s identity such as date of birth, passport details and other government identification numbers, was exposed in 63% of breaches.

In this reporting period, health information was exposed in 41% of data breaches, overtaking financial details as the third most common kind of personal information involved.

Chart 4: Kinds of personal information involved in breaches.

Time required to identify breaches

Detecting a data breach quickly lets an organisation contain it sooner, which reduces the damage and shortens the time an attacker has access to its systems. During this reporting period, entities identified 64% of breaches within ten days of their occurring. Around a quarter (23%) of breaches were identified more than 30 days after they occurred.

Chart 5: Time taken to identify breaches.

Depending on where the breach originated, different entities took different amounts of time to identify it. The fastest to be identified were breaches due to human error (71% found within 10 days), followed by malicious or criminal attacks (61%).

System fault breaches were the slowest to be discovered (53% within 10 days), in line with earlier reports.

Chart 6: Time taken to identify breaches by source of breach.

Time required to notify the OAIC of breaches

The figures in this section measure the period from when an entity became aware of an incident to when it notified the OAIC. They do not measure how long the entity took to assess whether the incident was a significant data breach before notifying the OAIC.

In this reporting period, 72% of entities notified the OAIC within 30 days of becoming aware of an incident, close to the previous period’s figure of 74%.

Chart 7: Time taken to notify the OAIC of breaches.

The time entities took to notify the OAIC varied depending on the source of the breach, with a few changes compared with the previous period.

The time taken to notify the OAIC of breaches caused by malicious or criminal attacks or by human error was similar to the previous period. Most breaches caused by system faults were notified to the OAIC within 30 days of the entity becoming aware of them.

Chart 8: Time taken to notify the OAIC of breaches by source of breach.

Source of breaches

Malicious or criminal activities continue to be the main reason for data breach reports submitted to the OAIC.

Proportionally, the sources of breaches were largely similar to the previous period:

  • 67% were caused by malicious or criminal attacks, compared to 71% the previous period.
  • 30% were caused by human error, compared to 26% the previous period.
  • 4% were caused by system faults, compared to 3% the previous period.

Chart 9: Source of data breaches

Malicious or Criminal Attacks

Cyber incidents accounted for 66% of breaches resulting from malicious or criminal attacks, a 23% increase on the 171 breaches attributed to cyber incidents from January to June 2023. Cyber incidents were the cause of 44% of all data breaches, up from 42% in the previous period.

Of the breaches caused by malicious or criminal attacks, 17% resulted from social engineering or impersonation attacks, 11% from the actions of rogue employees or insider threats, and 7% from theft of paperwork or data storage devices.

Chart 10: Malicious or criminal attack breakdown

An analysis of the global average and median numbers of victims of malicious or criminal attacks

Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
--- | --- | --- | ---
Cyber incident | 211 | 56,279 | 171
Rogue employee / insider threat | 36 | 9,080 | 11
Social engineering / impersonation | 54 | 183 | 4
Theft of paperwork or data storage device | 21 | 152 | 48
Total | 322 | 37,346 | 58

Cyber incidents

Phishing (28%, 59 notifications) surpassed ransomware (27%, 57 notifications) as the leading cause of cyber incidents during this reporting period. 58% of all cyber incidents involved compromised credentials, whether via phishing, a brute-force attack, or another technique.

Chart 11: Cyber incident breakdown

Breakdown of cyber incidents by average and median number of affected people globally

Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
--- | --- | --- | ---
Brute-force attack (compromised credentials) | 7 | 803,222 | 95
Ransomware | 56 | 57,900 | 693
Hacking | 22 | 49,501 | 879
Compromised or stolen credentials (method unknown) | 57 | 27,320 | 17
Phishing (compromised credentials) | 59 | 1,951 | 70
Malware | 10 | 356 | 9
Total | 211 | 56,279 | 171

Human error

In the second half of 2023, emailing personal information to the wrong recipient continued to be the most frequent source of human error breaches. Personal information sent to the wrong recipient by email, mail or other channels accounted for nearly half (49%) of human error breaches.

Chart 12: Human error breakdown

Some kinds of human error breach affected larger numbers of people worldwide. Personal information mailed to the wrong recipient (15 breaches) affected 2,231 people on average, followed by insecure disposal of personal information (2 breaches), which affected an average of 1,074 people.

Source of breach | Number of notifications | Average number of affected individuals | Median number of affected individuals
--- | --- | --- | ---
PI sent to wrong recipient (mail) | 15 | 2,231 | 1
Insecure disposal | 2 | 1,074 | 1,074
Unauthorised disclosure (unintended release or publication) | 29 | 299 | 1
Loss of paperwork / data storage device | 13 | 193 | 5
Failure to use BCC when sending email | 11 | 145 | 66
Unauthorised disclosure (failure to redact) | 8 | 35 | 2
PI sent to wrong recipient (email) | 48 | 29 | 1
Unauthorised disclosure (verbal) | 11 | 1 | 1
PI sent to wrong recipient (other) | 7 | 1 | 1
Total | 144 | 348 | 1

System faults

In the majority of system fault breaches (59%), personal information was unintentionally released or published. Systems or databases that are misaligned or operate asynchronously, and untested changes to systems or infrastructure, are examples of problems that can cause this.

Chart 13: System fault breakdown

Time taken to identify breaches – Top 5 sectors

The amount of time it took for entities to identify incidents varied significantly by sector.

Health service providers identified the incident within 10 days of its occurring in 75% of their notifications during the reporting period, compared with 37% of notifications from the Australian Government.

Chart 14: Time taken to identify breaches – Top 5 sectors.

Primary Breach Origins: Top 5 Sectors

Malicious or criminal attacks remained the most common source of data breaches reported by the top 5 sectors, accounting for 53% of breaches reported by health service providers, 67% by the finance sector, 53% by the insurance sector and 82% by the retail sector.

Chart 15: Source of breaches – Top 5 sectors

Top 5 sectors affected by Malicious or criminal attack breaches

Chart 16. Malicious or criminal attacks breakdown – Top 5 sectors

Top 5 sectors affected by Cyber incident breaches

Chart 17: Cyber incident breakdown – Top 5 sectors

Top 5 sectors affected by human error breaches

Chart 18: Human error breakdown – Top 5 sectors

Top 5 sectors affected by system fault breaches

Chart 19: System fault breakdown – Top 5 sectors

Cybersecurity experts at Cybernetic Global Intelligence, a global cyber security firm, help their clients achieve certifications and regulatory compliance such as ISO 27001, PCI-DSS, Essential 8 and SSAE 18, and provide vulnerability assessment and penetration testing, WAPT and information security audits.

Get in touch with Cybernetic Global Intelligence (CGI), a cybersecurity company with years of experience assisting organisations in the uphill battle against cybercriminals!

Source: OAIC
