After more than two years, the Australian government is back in the top five sectors with the most data breaches reported to the Office of the Australian Information Commissioner (OAIC). The Australian government is also the only one of the five sectors that had human error as the top cause of data breaches.
The Notifiable Data Breaches report is published twice a year and reports on notifications received under the NDB scheme for a six-month period. The report published today refers to data breaches notified from 1 July to 31 December 2023. The OAIC received a total of 483 notifications during the period and the top five reporting sectors were: health services providers, financial services, insurance, retail and the Australian government.
Breakdown of data breaches reported by the Australian government
Government agencies reported 38 data breaches during the second half of 2023, which makes up only 8% of all notifications received by the OAIC. Of these, 26 were caused by human error: 13 involved personal information being sent to the wrong person; 11 were the result of unauthorised disclosure of personal information; and two involved the loss of paperwork or a data storage device.
“Human error breaches generally result from a failure of process or procedure,” stated the report. “Entities should assume human error will occur and design systems and processes to minimise the risk.” The OAIC stated that this can also be reduced by educating staff on secure information handling.
The government also fell short on one of the rules under the NDB scheme, which requires that the OAIC and affected individuals are notified within 30 days of becoming aware of the breach. The Australian government had the largest proportion (55%) of notifications made to the OAIC more than 30 days after the agency became aware of the incident. It also had the largest proportion (50%) of notifications where the agency identified the incident over 30 days after it occurred.
“These statistics suggest Australian Government agencies should check they have effective systems for detecting, assessing, responding to and notifying data breaches,” stated the report.