In the last six months, there has been a noticeable uptick in data breaches, particularly those resulting from ransomware attacks, according to the latest report from the Office of the Australian Information Commissioner (OAIC). This report, which marks the eighth installment of the notifiable data breaches report, was released on a Friday and is available for download from the OAIC’s website.

For the period from January to June 2020, the OAIC received 518 data breach notifications. This figure is a slight decrease of 3% from the 532 notifications reported in the latter half of the previous year, yet a 16% increase compared to the same timeframe in the prior year. Notably, May 2020 saw an unprecedented spike in notifications, with 124 recorded incidents, the highest for any month since the notification requirement commenced in February 2018.

Despite this rise, the OAIC could not pinpoint a specific reason for the increase, although there was a minor uptick in breaches attributed to human error, rising from 34% to 39% of the total breaches reported during this period.

The majority of the breaches, 61% or 317 notifications, were due to malicious or criminal attacks, showing a minor decrease from the previous period. These were primarily linked to various cyber incidents including phishing, malware, ransomware, brute-force attacks, and compromised or stolen credentials.

Angelene Falk, the Information and Privacy Commissioner, emphasized the significant role of malicious activities in these breaches. “Malicious actors and criminals account for three out of every five data breaches notified to us over the past six months,” she said. This includes a significant rise in ransomware attacks, which have more than doubled to 33 notifications from 13 in the previous period.

Additionally, incidents resulting from social engineering or impersonation saw a 47% increase, totaling 50 breaches. Falk expressed concern over a new trend in ransomware attacks, where attackers first exfiltrate data from a network before encrypting it, complicating recovery efforts for organizations.

The impact on individuals has remained consistent with previous reports, with most breaches affecting fewer than 100 individuals. However, there were exceptions, including two notifications impacting between one million and ten million people and another affecting over ten million.

Health service providers were the most frequently breached sector, reporting 115 incidents. They were followed by the finance sector with 75 breaches and private education providers reporting 44. The report also highlighted that while most entities detected breaches within 30 days, 47 instances took more than 61 days to recognize, and 14 entities took over a year to identify and assess a breach.