Over 10 million people hit in single Australian data breach: OAIC

The Office of the Australian Information Commissioner's quarterly data breach report also revealed private health was again the country's most affected sector.

The latest quarterly data breach report from the Office of the Australian Information Commissioner (OAIC) has revealed over 10 million individuals had their information compromised in one single incident. The current population of Australia is around 25.4 million.

The breach was disclosed to the OAIC under the Notifiable Data Breaches (NDB) scheme between January 1, 2019, and March 31, 2019 and reported in its Quarterly Statistics Report [PDF]

While the report did not detail the origin of the breach that affected over 10 million individuals, it did show that the most number of affected individuals from a single finance-related breach was less than 500,000 and the health sector's three heaviest impacting breaches affected less than 5,000 individuals each.

In total, the OAIC received 215 data breach notifications, down from the 262 reported in the October to December 2018 period. 62 breaches were reported in January, 67 in February, and 86 in March.

Of the 215, 131 -- 61% -- were attributed to malicious or criminal attacks, while human error accounted for 75 data breaches, and nine were labelled as system faults.

The personal information most affected during the quarter was contact information, with a total of 186 breaches affecting such data. 98 NDBs were related to financial information on individuals, while 55 contained identity information.

Of those flagged as breaches due to malicious or criminal attacks, 87 were labelled as "cyber incidents", such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials.

Theft of paperwork or data storage devices was another source of malicious or criminal attacks, accounting for 18 breaches.

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

Where human error was concerned, the report shows that in 23 cases, the personal information of individuals was emailed to an incorrect email address. The unauthorised disclosure, such as incorrect release or publication, accounted for 21 of the human error-related incidents -- affecting an average of 36,993 individuals per data breach.

Failure to use blind carbon copy (BCC) when sending emails impacted an average of 432 individuals per data breach, the report showed.

For system faults, the OAIC said the majority of them involved the unintended disclosure of personal information on a website due to coding bugs, or a machine fault that resulted in a document containing personal information being sent to the wrong person.

Private health providers were again the most impacted sector, with 58 NDBs received by the OAIC. Finance, which includes superannuation, accounted for 27 breaches; legal, accounting, and management services had 23 NDBs; education 19; and there were 11 from the retail sector.

Human error accounted for the majority of breaches in the health sector, while malicious or criminal activity was to blame for 16 of the finance sector's breaches. System faults only affected the health and education sectors.

Australia's NDB scheme came into effect in February last year, requiring agencies and organisations in Australia covered by the Privacy Act 1988 to notify individuals -- whenever their personal information is involved in a data breach that is likely to result in "serious harm" -- as soon as practicable after becoming aware of a breach.

Notifications made under the My Health Records Act 2012 are not included in this report however, as they are subject to specific notification requirements set out in that Act.

The continued presence of private health providers as the most breached sector is unlikely to quell concerns over Australia's centralised My Health Record system. As of February this year, more than 2.5 million Australians had opted out of the system.

The OAIC said this is the last time the office will report on the NDB Scheme quarterly, with the commissioner to move to releasing information every six months instead.

It follows concerns the OAIC is too under resourced to handle its current remit.

RELATED