
Data breach reports soar under new laws


More than 800 data breaches were reported last year following introduction of the Notifiable Data Breaches scheme.

Australian Information Commissioner Angelene Falk says the legislation has been a success, but she urges companies to continue making progress.

“The growing number of data breaches notified to my office is consistent with trends experienced by counterparts overseas and indicates agencies and organisations are complying with their notification obligations,” Ms Falk said.

“Individuals are now receiving notices so they can take action to reduce their risk of harm, which also shows the scheme is working as intended.”

Under the scheme, government agencies and organisations must carry out an assessment whenever they suspect there has been loss of, or unauthorised access to, personal information they hold. If serious harm is likely to result, they must notify affected individuals and the Office of the Australian Information Commissioner.

From the scheme’s introduction on February 22 last year to the end of December, 812 data breaches were notified.

“Most of the data breaches reported to us over the past year involved a human factor, such as sending information to the wrong person or someone’s login credentials being compromised through phishing or other means and used in a cyber attack,” Ms Falk said.

“We expect organisations and agencies to act on the risks highlighted by these reports – whether or not they were directly affected – and take steps to prevent a similar breach of Australians’ personal data.”

Cyber specialist CFC Underwriting says malicious data breaches spiked in Australia last year.

CFC statistics show malicious breaches accounted for 37% of Australian cyber claims last year, compared with 14% the previous year.

“This was significantly higher than elsewhere in the world and the spike follows the introduction of the Notifiable Data Breaches scheme,” International Cyber Team Leader Lindsey Nelson told

“We attribute this to businesses being overly cautious when it comes to notifying breaches.”

CFC, which is based in London but has 3000 policyholders in Australia, says it noted a similar trend in the UK following implementation of the EU’s General Data Protection Regulation.

“We expect Australian claims data to revert back to previous years once it settles down,” Ms Nelson said.

Ransomware and extortion (23%) was the second-biggest source of claims last year and CFC expects further growth in this area.

“Ransomware is not only increasing in frequency but also severity,” Ms Nelson said.

“There is a shift to more targeted attacks and ransom demands are increasing as a result.”

Australian cyber specialist Emergence Insurance has warned about increasing numbers of “sextortion” attacks, where webcam images of people viewing inappropriate websites are used to extort funds.

Emergence Head of Sales Gerry Power says social engineering scams – manipulating people’s vulnerabilities so they surrender information – are active across Australia.