Insurance among top sectors to report data breaches

The insurance sector reported 25 data breaches in the six months to June, placing it among the top five sectors to notify the Office of the Australian Information Commissioner (OAIC) of a cyber incident.

Malicious or criminal attacks made up 52% of insurance sector notifications, while two breaches were reported as due to system fault and two due to unintended release or publication.

Australia-wide, the OAIC received 409 notifications in the first half, down 16% from 486 a year earlier. Malicious or criminal attacks were behind 70% of data breaches, the leading cause.

Healthcare organisations dominated with 63 data breaches, followed by finance on 54, recruitment agencies on 33, and legal, accounting and management services on 26.

One breach affected more than 10 million Australians, the first of this scale, and the OAIC says ongoing vigilance is essential and organisations are expected to have “robust and proactive” procedures to protect the personal information they hold.

“In the event of an incident such as a cyber-attack, organisations must be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected,” OAIC Commissioner Angelene Falk said.

“Every compromised piece of data can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm. This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts.

“Organisations need to be alert to this growing attack surface and have robust controls in place to minimise the risk of a data breach.”

Almost two thirds of the reported incidents impacted 100 or fewer people, though 23 impacted more than 5000 people and two affected more than a million.

The top three cyber-attack methods were ransomware, compromised or stolen credentials for which the method was unknown, and phishing.

Contact, identity and financial information remained the most common kinds of personal information involved in breaches, with 64% involving loss of identity information such as passport and driver licence details and dates of birth.

Financial information such as bank account details and credit card numbers was lost in 40% of breaches.

Australian entities must report data breaches to the OAIC when a breach involves unauthorised people accessing personal information or losing personal information, and where the breach is likely to cause harm.