Skip to main content
Privacy
  • On this page

Published:  18 Oct 2023

Malicious or criminal attacks are the leading source of data breaches notified to the OAIC. In the most recent notifiable data breaches report, covering the period January to June 2023, 70% (288) of all breaches notified to the OAIC were attributed to malicious or criminal attacks and, within this category, 60% (172 notifications) resulted from cyber security incidents.

The top sources of cyber incidents were ransomware (53 notifications), compromised or stolen credentials (method unknown) (50 notifications) and phishing (33 notifications). Just over half (52%) of cyber incidents involved malicious actors gaining access to accounts using compromised or stolen credentials.

Steps your entity can take to mitigate the risk and impact of a cyber incident

The ongoing threat and increased sophistication of cyber incidents reinforces the need for organisations to have robust information handling practices and an up-to-date data breach response plan. Steps your entity can take to mitigate the risk and impact of a cyber incident include:

  • Being prepared by:
    • having an up-to-date data breach response plan setting out timeframes and clear lines of authority and responsibility for staff.
    • having a deep understanding of what kind(s) of personal information your entity holds and where that information is stored. As part of this, you should also know what specific systems your entity uses, who has access to those systems and what privileges users have within those systems.
    • ensuring that your entity’s data is backed up frequently and stored securely.
  • Ensure your contractual arrangements with third party providers, including for cloud storage, specify accountabilities in the event of data breaches that involve multiple parties, including the responsible party for assessing harm and notification, the provision of information and other matters relevant to investigating data breaches.
  • Implement access security controls and procedures to protect against internal and external risks by ensuring that personal information is only accessed by authorised persons. This will also assist with prompt identification of risks and breaches.
  • Audit logs and access monitoring – records of system activities by internal and external users is an effective way of detecting cyber security events and investigating and determining the extent of cyber security incidents.

Steps your entity can take to minimise harm to individuals in the event of a data breach

Data breaches can cause harm to affected individuals in various ways, including financial, emotional or physical harm. Consider the following strategies for minimising harm to individuals in the event of a data breach:

  • Provide specific information to affected individuals about what information has been exposed in the breach – for example, the type or types of personal information. Under the Privacy Act it is a legal requirement to set out the particular kinds of personal information concerned, as well as recommend steps that individuals can take to minimise their risk of harm.
  • Tell affected individuals how you will engage with them about the breach, including how to recognise genuine contact from your entity and what they can do if they believe they have received or responded to fraudulent correspondence.
  • Offer identity protection and support services such as counselling to individuals affected by a breach.
    • IDCARE has identity and cyber support services available to organisations which provide affected individuals with their own IDCARE Case Manager and exclusive access to the IDCARE Client Portal where IDCARE can carry the load for individuals in seeking to address their risks.
  • Offer credit monitoring services and tell individuals how they can get a copy of their credit report and place a ban period on their credit report.
  • Where government identifiers are involved, notify the relevant Australian Government agency or department on behalf of the individuals, or provide information to individuals on how they can obtain new government issued identity documents and secure their identifiers if required. Some resources your entity can consider are:
  • Medicare cards and numbers – Contact Services Australia for information on how to request a replacement card or new Medicare number. This will prevent people from being able to use the old card details for fraud
  • Australian passports or numbers – Contact the Australian Passport Office for information on how to get a replacement passport.
  • Driver’s license or license numbers – Contact the state or territory authority which issued the licence for information:
  • Tax File numbers - Report data breaches to the Australian Taxation Office so that they can place protective measures on you, your client and customer accounts. To protect the community the ATO may apply treatment options to any files impacted by the data breach, which may include additional security measures.

Recommended steps to prevent a cyber incident

  • Implement multifactor authentication and minimum password complexity requirements and ensure that passwords are required to be regularly changed.
  • Update software and install relevant patches, which are used to correct a problem or vulnerability with a software program or a computer system.
  • Implement audit logs and access monitoring for all your systems, including email accounts. Maintaining a chronological record of system activities (by both internal and external users) is often the best way for reviewing activity on a computer system to detect and promptly investigate privacy incidents.
  • Review and update your contractual arrangements with your service providers – your contracts should include terms to deal with specific obligations about the handling of personal information and mechanisms to ensure the obligations are being fulfilled.
  • Refer to the Australian Cyber Security Centre for guidance on improving cyber resilience and protecting the personal information your entity holds from cyber threats.