An uptick in data breaches caused by human error places government agencies back in the ‘top five’ sectors by breach numbers for the first time in almost three years.
The Office of the Australian Information Commissioner (OAIC) recorded 38 data breaches that impacted government agencies in the back half of 2023.
While the rules mostly apply to federal agencies, some state and territory breaches could be present in the numbers, if a breach impacted a Commonwealth credential such as tax file number.
Of the 38 breaches, the majority – 26 in real terms, equating to 68 percent – were the result of “human error”.
In all other sectors in the top five – health, finance, insurance and retail – the leading cause of data breaches is “malicious or criminal intent”.
The high number of “human error” breaches at government level, together with the government’s re-entry into the top five sectors by breach number for the first time since 2021, led the OAIC to call for a stronger focus on process and procedure.
“Human error breaches generally result from a failure of process or procedure,” the commissioner said in a report released Thursday [pdf].
“The risk of human error can also be reduced by educating staff about secure information handling practices (such as sending documents containing personal information via mechanisms that provide additional security controls) and putting controls in place (such as email filtering).”
Out of the 26 human error breaches, “13 involved personal information being sent to a wrong person; 11 were a result of unauthorised disclosure of personal information; and two involved the loss of paperwork or a data storage device,” the OAIC said.
The OAIC was also broadly displeased with tardy identification of incidents occurring and notification of said incidents under the data breach scheme.
“Australian government agencies should check they have effective systems for detecting, assessing, responding to and notifying data breaches,” it said.
“Such systems are fundamental to an agency’s ability to meet the notifiable data breach scheme’s requirements.”
Across all sectors Australia-wide, 483 data breaches were reported to the OAIC in the back half of 2023, up 19 percent from the first half of the year.
In the same period, “secondary notifications” increased from 29 to 121. These are from organisations whose data is caught up in a third-party data breach, such as that of an IT or cloud provider.
About Author
