On February 22, 2024, the Office of the Australian Information Commissioner (OAIC) announced the publication of a report on the notifications received under the Notifiable Data Breaches (NDB) scheme, considering the period from July 2023 to December 2023. In particular, the OAIC explained that the report revealed that most of the notified multi-party breaches resulted from a breach of a cloud or software provider, highlighting the risk of outsourcing personal information handling to third parties.

What are the key findings of the report?

The report noted that 483 data breaches were reported to the OAIC during the period, a 19% increase from the breaches reported in the first half of 2023. The report highlighted that there were an additional 121 secondary notifications during the period, an increase from the 29 notifications received in January to June 2023.

According to the report, malicious or criminal attacks remained the leading source of data breaches, responsible for 67% of incidents. In this regard, the report found that the top three cyber attack methods were phishing, compromised or stolen credentials, and ransomware. Further, the report stated that contact and identity information were the most common kinds of personal information involved in data breaches, followed closely by health information which was exposed in 41% of data breaches in the reporting period. The report noted that financial details were the third most common kind of personal information affected.

The report also identified the health and finance sectors as the top reporters of data breaches, with 104 breaches (22% of all notifications) and 49 breaches (10% of all notifications), respectively. However, according to the report, 65% of breaches affected 100 or fewer individuals.

You can read the press release here and the report here.