Key insights from the latest NDB data breach report

5 minute read  19.09.2023 Maria Rychkova, Susan Kantor, Paul Kallenbach

The OAIC recently published its latest NDB report, providing key insights into Australian data breaches during the first half of 2023.


Key takeouts


  • Nearly 20% of data breaches stemmed from social engineering or impersonation, heightening the risk of the 'mosaic effect' due to increased large-scale breaches in previous years.
  • The Commissioner was critical of the delay in reporting notifiable data breaches by some organisations, highlighting the purpose of notification is to assist individuals to take steps to lessen or prevent harm.
  • The Commissioner emphasised the need for entities to establish robust information security practices and processes for prompt response and adherence to the scheme's requirements during data breaches.

The Office of the Australian Information Commissioner (OAIC) publishes statistical information on a half-yearly basis in relation to data breaches that have been reported to the OAIC under the NDB scheme. The latest Notifiable Data Breaches Report (NDB Report), published on 5 September 2023, provides an overview of the NDBs that occurred in the first half of this year.
NDB Report findings

In the first half of 2023, data breach notifications received by the OAIC between January and June decreased by 16% compared with the previous six months, with 409 incidents reported compared with 486. While there was an overall decrease in data breaches, one data breach affected a record 10 million individuals (which, based on public reports, likely refers to the Latitude Financial data breach).

Malicious or criminal attacks remain the leading cause for 70% of data breaches. The cause of these data breaches is further broken down as follows:

  • 60% caused by cyber incidents;
  • 27% caused by social engineering or impersonation;
  • 7% caused by rogue employees; and
  • 7% caused by theft of paperwork or data storage devices.

As has consistently been the case since the NDB scheme was introduced, the healthcare sector reported the highest number of data breaches (Figure 1). This was followed by financial services, recruitment and legal, and accounting and management services respectively.

The time taken for organisations to notify a breach was a key focus in this report. Encouragingly, 78% of organisations overall took less than a month to notify the OAIC. Breaches relating to human error were the fastest to be reported, while those that occurred as a result of a system fault were the slowest. Concerningly, 14% of organisations took more than a year to report such incidents.

In a breakdown of time to report by sector, outlined in Figure 2, the financial services sector had the slowest average outcome, with only 67% of data breaches being reported to the OAIC within 30 days. By comparison, the health sector reported data breaches to the OAIC 86% of the time within 30 days.


OAIC's NDB Report key commentary and insights

Alongside the breakdown of data breach statistics, the Commissioner provided guiding commentary and case studies that serve as useful insights and takeaways.

With more power comes greater expectations

Established in February 2018, the NDB scheme is now considered a 'mature' model by the OAIC. The Commissioner outlined her expectations that entities must now have strong information security practices in place as well as 'processes to ensure a timely response and compliance with the requirements of the scheme should a data breach occur.'

The amendments to the Privacy Act introduced in December 2022 have given the Commissioner new and increased regulatory powers. Amongst the changes, the Commissioner now has the power to compel the provision of information and documents related to a suspected or actual eligible data breach (s 26WU). In the NDB Report, the Commissioner referred to the fact that these powers have already been used in the first half of the year.

Time is of the essence

Section 26WH of the Privacy Act requires entities to take all reasonable steps to complete suspected eligible data breach assessments within 30 days. The Commissioner observed that 26% of entities did not meet this target. Delayed reporting times were attributed to entities adopting a 'fixed method' or 'sequential' approach to assessing and responding to data breaches. Businesses should take a flexible and adaptive approach to conducting 'reasonable' and 'expeditious' assessments. Steps to action a data breach plan are recommended to be taken in parallel or in quick succession. Businesses should also perform dynamic assessments of whether every step is necessary, or whether some stages can be combined or re-ordered for the most efficient assessment process.

Remain vigilant

Almost 1 in 5 of all data breaches over the past 6 months were the result of social engineering or impersonation. The Commissioner warned that the increased number of large-scale data breaches from previous years elevates the risk of the 'mosaic effect'. This is where small pieces of information from different data breaches, when aggregated from across different sources (including the dark web), provide significant information about an individual. This enables cyber criminals to impersonate individuals and access a number of systems or accounts, through the use of old passwords or even a predictable pattern of password updates. Businesses must foster a security and privacy aware culture through information governance, training and implementing multiple forms of identity management and authentication for both customer and staff accounts.

When in doubt play it safe and report

The Commissioner emphasised that the NDB scheme is designed to promote notification. When unable to confirm the extent of unauthorised access or whether data has been exfiltrated, businesses should take a cautious approach and report. When unable to verify the extent of a data breach, businesses are expected to work from the assumption that all personal information stored on affected systems has been compromised. It is also important to remember that notification must be undertaken (to the OAIC as well as affected individuals) promptly after the organisation has reasonable grounds to believe that a data breach has occurred.

Key takeaways for businesses

The OAIC now expects organisations to have a well-established data breach plan in place, with the training and expertise to activate it expeditiously and flexibly in the case of a data breach. If there is uncertainty as to the extent of the breach and whether it falls under the NDB scheme, guidance should be sought. MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, cyber and data breach preparation and response.

https://www.minterellison.com/articles/key-insights-from-the-latest-ndb-data-breach-report