29/04/2024
There are two words every organisation prays they never hear. Words that invoke more fear and panic than the “bogeyman”. Those two words? Data breach.
Unlike the bogeyman, data breaches are very real. American Express, Canberra Medical Centre, Canva, Latitude and the now infamous Optus and Medibank data breaches have dominated headlines in recent years. Data breaches are the inescapable mainstay of our newsfeeds. But are data breaches really happening more frequently? Or are organisations just being more transparent, so we are hearing about them more?
Let’s look at the stats.
OAIC Notifiable Data Breach Reports
Every 6 months the Office of the Australian Information Commissioner (OAIC) publishes their Notifiable Data Breaches Report analysing trends in the data breaches notified to the OAIC in the 6-month period prior. The most recent Report covering the July – December 2023 period confirmed there were 483 notifications made to the OAIC during the relevant period. This was up 19% from the previous period where the OAIC received 409 notifications. In July – December 2022 the number of notifications reached 497.
Figures from previous periods include:
- January – June 2022 – 396 notifications
- July – December 2021 – 464 notifications
- January – June 2021 – 446 notifications
- July – December 2020 – 583 notifications
- January – June 2020 – 518 notifications
There is no obvious upward trend in notifiable data breaches. However, with regulatory screws tightening and community expectations around privacy rising, it may be that data breaches are becoming more “newsworthy”.
This may be in part due to the rise in data breaches caused by malicious or criminal activity. In 2018, malicious activity accounted for just over half of all notified data breaches but in recent years that figure has been as high as 70%.
Recent developments in AI, including voice spoofing and generative AI, have not gone unnoticed by cyber criminals, who are deploying AI tools for malicious purposes. For example, cyber criminals are using AI tools to attempt mass or repeated system infiltrations and to generate highly convincing phishing emails, enticing employees to make the ill-fated mistake of clicking a link or providing details that grant the unknown actor access to a whole host of information held by an organisation.
What is a notifiable data breach?
The Notifiable Data Breaches (NDB) Scheme was introduced into the Privacy Act in 2018. When organisations experience unauthorised access to or unauthorised disclosure of personal information that is likely to result in serious harm to one or more individuals and that risk of harm cannot be prevented, the organisation must notify the OAIC. This is considered to be an ‘eligible data breach’ for the purposes of the NDB Scheme.
Griffin Legal are privacy experts with experience providing legal advice and assistance to organisations who have suffered data breaches. We understand how upsetting and challenging a data breach can be and are committed to supporting you through every step of the process.