Australians have been hit by more than 300 data breaches so far this year and just two ransomware attacks. The Office of the Australian Information Commissioner (OAIC) released its first quarterly update since Australia's new mandatory reporting laws - the Notifiable Data Breach scheme (NDB) - came into effect in February.
Since the notification regulation came into force, the OAIC received 242 notifications during the last quarter, from April to June - a 380% increase compared to the previous period's 63 notifications. A total of 305 breach notifications have been reported so far this year.
Among the data breaches reported to the OAIC between April and June this year, only two were ransomware attacks that affected a finance firm and a healthcare provider.
One breach impacted over 1 million Australians. Most of the data breaches reported involved the personal data of 100 individuals or fewer while 38% impacted between 1 and 10 individuals. Of the incidents reported, 51 saw a single person impacted in each.
Most of the data breaches involved contact information (89%), such as individuals' phone number, email address or home address, while 39% saw victims' identity information, including passport numbers, driver's license numbers and other government identifiers, compromised.
While most of the data breaches reported this quarter (59%) were the result of malicious or criminal attacks, human error accounted for 36% of data breaches.
Among the most targeted sectors, private health service providers reported 49 breaches followed by finance (36), legal, accounting and management services (20), education (19) and business and professional organizations (15). However, the report only covered private health service providers under the NDB. Public hospitals and health services covered by the MyHealth Records Act were not included in the report.
The report comes as the Australian government attempts to address the fierce debate over its centralized digital health record system - MyHealth Record - amid growing concerns over data privacy and security.
"Notifications this quarter show that one of the key aims of the scheme -- ensuring individuals are made aware when the security of their personal data is compromised -- is being met," acting Australian Information Commissioner and acting Privacy Commissioner Angelene Falk said.
"The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance."