Australian businesses reported 63 data breaches in the first six weeks of mandatory notification rules coming into effect, with "human error" listed as the most common cause.
The figures compare to only 114 self-reported instances for the entire 2016–17 financial year.
The Office of the Australian Information Commissioner (OAIC) has released its first quarterly report since the mandatory data breach notification scheme came into effect on February 22.
The number of reported breaches grew from six in February to 55 breaches in March.
An even 50 percent of breaches were put down to "human error"; however, malicious or criminal attack was not far behind at 44 percent.
Health Services Providers most prolific culprits
Health services providers were responsible for the single largest number of notifications (24%), followed by businesses that supply “legal, accounting and management services” (16%).
Organisations in the finance (13%), education (10%) and charity (6%) sectors were also itemised.
Contact Information most commonly breached
The OAIC said 78 percent of notifications it received impacted “contact information”, compared to 24 percent that exposed “identity information”. “Health information” was exposed in 33 percent of the cases and “financial details” in 30 percent of cases.
The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.
“Entities also reported data breaches that involved individuals’ tax file numbers, financial details, such as bank account or credit card numbers, as well as health information.”
Majority of breaches involved fewer than 100 people
73 per cent of eligible data breaches reported involved the personal information of under 100 individuals, with just over half of the notifications involving the personal information of between 1 and 9 individuals. 27 per cent of notifications under the NDB scheme involved more than 100 individuals.