Privacy Commissioner sounds alarm on rising data breaches

Privacy Commissioner Michael Webster said that agencies should understand that breaches can happen to anyone, so there is no room for complacency. He also said it is important that those in charge of an organisation take a people-centric approach by putting the welfare of the people whose data may be exposed – the public and their own staff – first if they suspect their organisation has been breached, whether targeted or unintentional.

The industries that reported most serious breaches are health care and social assistance, public administration and safety, services (professional, scientific, technical, administrative and support services), education and training, and finance and insurance.

While there was a slight uptick in the percentage of serious breaches caused by malicious activity, a majority of breaches were caused by human error.

Among serious privacy breaches caused by human error, the most common types were email error and unauthorised sharing. For those caused by malicious activity, the most common type is unauthorised access. This includes phishing attacks, email system hijacking for spam or fraud, and installing malware including ransomware.

Webster reminded organisations to report a suspected breach to the OPC as soon as possible and to prioritise the victims of the breach.

“Report it. Report the breach as early as possible,” Webster said. “Notifiable privacy breaches should be reported within 72 hours of the breach being identified. We will work with you as you go through a triage response and help guide you to bring your agency through a crisis.”

Webster said that since the introduction of the Privacy Act 2020, there has been an improvement in the timelines and standard of reporting on data breaches. However, agencies must continue improving their privacy practices, especially in the digital environment where the threats to data are rapidly evolving.