Australia has been ranked fifth globally in Risk Based Security’s Mid-Year 2018 Data Breach QuickView report, which showed there have been a staggering 2,308 publicly disclosed data breaches in the first half of 2018.
Key findings of the report
The US topped the report with more than 1,000 data breaches in the first half of the year, followed by the UK (62 breaches), Canada (48 breaches), India (45 breaches) and Australia (24 breaches). The remaining data breaches were spread across the world, hitting other Asia-Pacific countries such as Vietnam, the Philippines and China.
Australia also ranked fifth in the number of exposed records by country at a whopping 20,035,981 – an average of 834,833 exposed records per breach.
The report examined all the data breaches worldwide and found:
- Hacking was the most common type of data breach (1,261), followed by skimming (255), web (128) and phishing (102).
- 45% of breaches exposed email addresses, 41% passwords and 34% names.
- The business sector accounted for 40% of data breaches, followed by medical (8%), government (8%) and education (4%).
- Five breaches exposed 100 million or more records, which accounted for approximately 2 billion exposed records.
“2018 has been a curious year. After the wild ride of 2017, we became accustomed to seeing a lot of breaches, exposing extraordinary amounts of information. 2018 is remarkable in that the number of publicly disclosed breaches appears to be levelling off while the number of records exposed remains stubbornly high,” said Inga Goddijn, executive vice president for Risk Based Security.
Data breaches in Australia
2018 has seen Australia hit by a number of high-profile data breaches, including the malware compromise of HR software company PageUp in May, the breach of the Australian National University by Chinese hackers in July, and July’s Timehop data breach, which is likely to have affected 200,000 Australians.
Australian organisations must comply with the Privacy Act 1988, a federal law that regulates the use of personal information.
The Privacy Act was amended in February 2017 to establish the NDB (Notifiable Data Breaches) scheme, which came into force on 22 February 2018 and applies to organisations that have personal information security obligations under the Act. This includes Australian Government agencies, and businesses and not-for-profit organisations with an annual turnover of $3 million or more, among others.
Under the NDB scheme, an organisation must notify affected individuals of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of their personal information that is likely to result in serious harm to them and that the organisation has not been able to prevent through remedial action.
The OAIC (Office of the Australian Information Commissioner) must also be notified, as soon as practicable after the organisation becomes aware of the breach.
Data breach reporting
The OAIC publishes guidance on responding to a data breach in line with the requirements of the NDB scheme, structured around four steps: contain the breach, assess the risks it poses, notify affected individuals and the OAIC where required, and review the incident to prevent a recurrence.
Australian organisations that process the personal data of EU residents, whether by offering them goods and services or by monitoring their behaviour, must also consider the requirements of the GDPR (General Data Protection Regulation) when responding to a data breach, including the obligation to report a notifiable breach to the relevant supervisory authority within 72 hours of becoming aware of it. Similar to the OAIC process, IT Governance recommends six key steps organisations should take in response to a data breach:
- Situational analysis: Tell the supervisory authority as much as you can about what happened, what went wrong and how it happened.
- Assessing the affected data: What categories of personal data have been affected and how many records?
- Describing the potential consequences: Describe the possible impact on data subjects.
- Reporting on staff training and awareness: If a staff member was involved in the breach, had they received data protection training in the last two years?
- Preventive measures and taking action: Describe the actions you have taken, or propose to take, as a result of the breach.
- Oversight: Identify the data protection officer, or the senior person responsible for data protection in your organisation, who will oversee the response.