The total number of reported data breaches in Australia for the 2019-20 financial year totalled 1,050, the first of two half-year reports from the Office of the Australian Information Commissioner (OAIC) has shown.
For the six months spanning January to June 2020, 518 breaches were notified under the Notifiable Data Breaches (NDB) scheme, down 3% from the 532 reported in July to December 2019.
124 of those breaches occurred during May, the most reported in any calendar month since the scheme began in February 2018.
Most of these were attributed to human error, but OAIC said it has yet to identify a specific cause for the increase, explaining in its report [PDF] it was not aware of any evidence that suggested the increase was related to changed business practices resulting from COVID-19, given that notifications across the period were otherwise broadly consistent with longer term trends.
Malicious or criminal activity accounted for 317 notifications during the reported period.
Attacks included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat, the OAIC said.
The majority of cyber incidents during the reporting period were linked to malicious actors gaining access to accounts either through phishing attacks or by using compromised account details. Compromised credentials were the case for 133 notifications, ransomware attack for 33 notifications, and "hacking" for 29.
With ransomware this year taking out beverage company Lion and logistics giant Toll, twice, the OAIC report highlighted they weren't alone, with 33 cases of ransomware reported from January to June 2020.
Data breaches resulting from human error was the case for 176 breaches from January through June, with personal information sent to the wrong recipient via email accounting for 68 of those cases. In two cases, a fax with personal information was sent to the wrong recipient.
There was a loss of paperwork or storage device on 14 of the reported occasions.
System faults accounted for 5% of data breaches during this reporting period.
The health sector is again the highest reporting sector, notifying 115 breaches, and finance is next down the line, notifying 75 breaches had occurred during the six-month period. Education reported 44, insurance 35, and legal, accounting, and management services reported 26 breaches.
Most NDBs in the period involved the personal information of 100 individuals or fewer. In one instance, the number of individuals affected was over 10 million. The OAIC noted that in counting individuals affected, it also took into consideration the global presence of the reporting entity.
In 84% of reported instances, contact information such as an individual's home address, phone number, or email address was breached, while over a third of all breaches notified during the period involved identity information such as passport number, driver licence number, or other government identifiers.
Data breaches notified in the six-month period also involved tax file numbers; financial details, such as bank account or credit card numbers; and health information.
The OAIC said there have been multiple instances of incomplete notifications of data breaches where entities may not have fully met their obligations with regard to the content of the notification to individuals affected by a data breach.