The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report (January to June 2024) presents a critical reflection on the rising tide of data breaches. This period saw a substantial increase in the number of reported data breaches, as more businesses and government entities were caught off guard by cyberattacks, human errors, and system faults. This has driven a surge in demand for vulnerability assessment and cybersecurity testing across organisations in many sectors. This post offers key insights from the report, focussing on the causes of breaches, emerging trends, and how organisations can bolster their defences against these threats.
1. The Rising Numbers and Alarming Trends
According to the report, there were 527 data breach notifications from January to June 2024, marking a 9% increase compared to the previous six months. The healthcare sector, Australian Government, finance, education, and retail sectors were the top five industries to report breaches.
While 63% of the breaches affected 100 people or fewer, one significant incident impacted over 10 million Australians—making it the largest breach since the Notifiable Data Breaches (NDB) scheme was introduced in 2018. This record-setting event underscores the importance of preventive measures for both public and private sectors, especially with the growing reliance on digital infrastructure.
2. The Triple Threat: Cyberattacks, Human Errors, and System Faults
The report categorises data breaches into three primary causes:
Cyberattacks: Responsible for 38% of breaches, cyberattacks remain the dominant threat, with phishing, ransomware, and credential theft leading the way. Phishing campaigns alone accounted for 31% of cyber incidents. Additionally, ransomware attacks, which encrypt systems and demand ransom for recovery, constituted a significant 24% of breaches.
Human Error: Accounting for 30% of breaches, human error is a persistent issue. Common mistakes include sending personal information to the wrong recipient via email and failing to use the “BCC” field. Human error breaches can expose sensitive information, especially in high-risk sectors like healthcare and finance.
System Faults: Although less frequent, system faults were responsible for 3% of breaches. These typically result from unintended access or public release of data, often due to misconfigurations in cloud-based systems.
3. Cybersecurity and the Human Factor
Organisations face the dual challenge of technical vulnerabilities and the “human factor”. Despite sophisticated security measures, insider threats and human error continue to open doors to data breaches. For instance, a notable scenario highlighted in the report involves an employee accessing and disclosing the personal information of over 20,000 individuals without authorisation for financial gain.
Phishing attacks have also evolved. The report discusses incidents of “quishing,” a variant of phishing involving QR codes. By scanning malicious QR codes, employees bypassed multi-factor authentication (MFA) protocols, leading to unauthorised access. This scenario emphasises the need for ongoing cybersecurity training and heightened awareness among employees.
4. The Role of Cloud Misconfigurations
With more organisations migrating to cloud storage, the misconfiguration of cloud-based data holdings is a growing concern. Several breaches were attributed to entities inadvertently leaving sensitive data publicly accessible due to improper configuration settings. A key lesson from the report is the shared responsibility between organisations and cloud service providers. While providers offer security tools, organisations must ensure proper configuration, access controls, and regular audits to protect stored data.
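The report describes the failure mode (data holdings left publicly accessible through improper configuration) but names no provider or policy format. The following is an added audit example, not code from the post or from the OAIC: it assumes an AWS S3-style bucket policy document (JSON with a "Statement" list) and an S3-style ACL grant list as input, and flags any Allow statement or ACL grant that opens the data to an anonymous or wildcard principal. The bucket names, account ID and VPC endpoint ID in the sample inputs are constructed placeholders.

```python
"""Audit constructed cloud storage policy documents for anonymous access.

Added example, not code from the post or from the OAIC. It assumes the input
is an AWS S3-style bucket policy and an S3-style ACL grant list; the report
itself names no provider or format. All sample values below are constructed.
"""
import json

# Grantee URIs that make an S3-style ACL grant world-readable (real AWS group URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard_principal(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return any(v == "*" for v in values)
    return False


def find_public_statements(policy_json):
    """Return Allow statements whose Principal is a wildcard.

    Statements that carry a Condition are reported with severity 'conditional'
    rather than 'public': the condition may restrict access, but an auditor
    should read it rather than trust it. Deny statements are never flagged.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is also valid JSON here
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": actions, "severity": severity})
    return findings


def find_public_acl_grants(grants):
    """Return (grantee URI, permission) pairs granted to the public groups."""
    return [
        (g["Grantee"].get("URI"), g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    ]


# Constructed sample: one unconditional public-read statement and one wildcard
# statement gated by a (placeholder) VPC endpoint condition.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-records/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-customer-records/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    ],
})

# Constructed sample: access limited to one role, plus an explicit public Deny.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-records/*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-customer-records/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}},
    ],
})

# Constructed sample ACL: owner has full control, but AllUsers can READ.
ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY), ("private", PRIVATE_POLICY)):
        print(name, find_public_statements(policy))
    print("acl", find_public_acl_grants(ACL_GRANTS))
```

Run as part of a scheduled audit, the two functions turn the report's "regular audits" advice into a concrete check: anything returned with severity `public`, or any ACL grant to the public groups, is a holding that anyone on the internet can read and should be remediated before it becomes a notifiable breach.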
5. Extended Supply Chain Risks
The complexity of supply chains introduces new vulnerabilities, as entities outsource data handling to third-party providers. Supply chain breaches were a significant trend in the first half of 2024. The OAIC report illustrates cases where data breaches occurred due to a third-party mishandling data or subcontracting tasks to poorly monitored developers. This highlights the need for strong supplier risk management frameworks, which should include robust vetting processes, security audits, and defined roles for breach notifications.
6. The Importance of Timely Reporting
Despite improvements in identifying and containing breaches, delays in reporting to the OAIC remain an issue. The report notes that 31% of notifications took more than 30 days from the time of breach discovery to reporting. Delayed reporting can expose individuals to prolonged risks, especially when sensitive information like health records, financial details, or identity data is involved.
7. A Strategic Approach to Data Breach Management
The OAIC report emphasises that entities are required to take “reasonable steps” to secure personal information, as outlined in the Australian Privacy Principles (APPs). These include measures like:
- Multi-factor authentication (MFA) for accessing systems.
- Regular audits of third-party providers and cloud configurations.
- Proactive monitoring for suspicious activity.
- Implementing the Essential Eight—a set of baseline cybersecurity controls recommended by the Australian Cyber Security Centre (ACSC).
In the face of evolving threats, privacy must be integrated into the design of business processes, ensuring that security and compliance are embedded throughout the information lifecycle—from data collection to destruction.
Final Thoughts
The Notifiable Data Breaches Report (January to June 2024) serves as a reminder that cybersecurity is a moving target. As threat actors become more sophisticated, entities must stay vigilant, continuously updating their defences against both technical and human vulnerabilities. Strong risk management frameworks, timely reporting, and comprehensive training are essential components in safeguarding personal information and maintaining public trust.
If you are looking for a leading cybersecurity firm that can help increase your defence against cyber-attacks, contact Cybernetic Global Intelligence today. Our vulnerability assessment and penetration testing services will detect the weak points in your networks and systems and guide you in developing a strong defence wall against cyber-attacks.