The Office of the Australian Information Commissioner (OAIC) recorded 44 malicious or criminal attacks on government agencies during the first half of 2024, with most of these incidents—41 in total—attributed to impersonation or social engineering. The number of breaches in the government sector marked a significant rise, with a 65% increase compared to the previous reporting period. Of the reported incidents, one was caused by a rogue employee or insider threat, and two were attributed to system faults. Additionally, the report highlighted that the government made a return to the top five most breached sectors after being absent for three years, driven by a total of 38 breaches in the second half of 2023.
A key finding in the OAIC’s report is that the majority of breaches—around 87%—took more than 30 days to identify. The delay in identifying these incidents was often due to a failure in promptly escalating the issue to the department responsible for coordinating responses to data breaches. This delay in escalation resulted in longer times for initiating assessments and notifying the OAIC about the breaches. The report emphasized the need for more efficient internal communication within agencies to reduce these delays.
Overall, the OAIC recorded 527 breach notifications, representing a 9% increase from the previous period, marking the highest number in three and a half years. The healthcare industry emerged as the most impacted sector, with 102 reported breaches. Among these, the MediSecure breach in May 2024, which affected approximately 12.9 million individuals, was noted as the largest breach since the implementation of the notifiable data breaches scheme. Following healthcare, the finance and insurance sectors experienced 58 breaches, while education and retail sectors reported 44 and 29 breaches, respectively.
The majority of reported breaches—354 incidents—were classified as malicious or criminal attacks, which accounted for 67% of all breaches. Cybersecurity incidents made up more than half of these malicious breaches, highlighting ongoing concerns about the sector’s vulnerability to cyber threats. Human error was responsible for 30% of all breaches, with 156 incidents attributed to mistakes or mishandling of data. Additionally, 34 notifications involved breaches affecting multiple entities, further illustrating the complex and widespread nature of data security challenges across various sectors.
Reference:
