On 22 February 2017, the Parliament of Australia enacted the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017 (Act). The Act replaced the country’s Privacy Act 1988 (Privacy Act), which sets out certain obligations for protecting Australians’ personal information. In so doing, the Act introduced the Notifiable Data Breaches (NDB) scheme. This framework requires organizations to notify individuals whose information might have been involved in a data breach.
Though the Act itself took effect in 2017, the NDB scheme didn’t enter into force until 22 February 2018. The results since then have been striking. In the first few weeks that followed, the Office of the Australian Information Commissioner (OAIC) received 63 data breach notifications. That’s more than half the number of reports OAIC received in the 2016-2017 financial year.
OAIC’s findings for the second quarter of 2018 were even more remarkable.
In its Notifiable Data Breaches Quarterly Statistics Report: 1 April – 30 June 2018, Australia’s acting data protection agency tracked 242 data breach notifications, bringing the year’s total thus far to 305. A majority (59 percent) of those incidents arose from a malicious or criminal attack. Even so, human error was responsible for 36 percent of those breaches.
Of the reports OAIC received between April and June, most (89 percent) involved the potential exposure of users’ contact information. This data category was followed by financial details, identity information and health records at 42 percent, 39 percent and 25 percent, respectively. By contrast, attackers exposed customers’ tax file numbers in just 19 percent of reported breaches.
Nevertheless, most of the incidents weren’t large in scale. Eighty-three percent affected at most 1,000 customers. In fact, just one breach compromised the information of more than a million people. That security event was most likely the unauthorized activity detected by HR software provider PageUp on its IT systems back in May. According to OAIC, the incident compromised as many as 10 million people’s information after unknown actors stole the personal data of some of its clients. This discovery prompted a flurry of data breach disclosures among PageUp clients in compliance with the NDB as well as with the European Union’s General Data Protection Regulation (GDPR), which took effect on 25 May 2018.
The statistics included in OAIC’s latest report suggest data breaches are becoming more common. But that’s not necessarily the case. Angelene Falk, acting Australian Information Commissioner and acting Privacy Commissioner, explained that the figures signify that organizations are now taking breach disclosure more seriously.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” Falk said. “Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach. Notification to the OAIC also increases transparency and accountability. The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”
As OAIC continues to work with organizations to comply with the NDB scheme, businesses of all sizes can take steps of their own to make sure they’re protected. To begin, they need to make sure they understand the key points of NDB. They can then invest in a solution that complies with data protection standards like GDPR and NDB.
Gemalto’s products meet the requirements of these regulations with the help of three key solution pillars: identity and access control, data encryption, and encryption key management. Using those products, Gemalto is equipped to help organizations develop their own data protection strategies.
For additional insight on NDB and how organizations can achieve compliance with it using Gemalto’s solutions, download this e-book.
*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Gemalto blog authored by Graeme Pyper. Read the original post at: https://blog.gemalto.com/security/2018/09/12/oaic-received-242-data-breach-notifications-in-q2-2018/