Secrets of Aussies exposed in ‘brute force attacks’
HUNDREDS of thousands of Australians have had their private details - including tax file numbers, bank accounts and passport details - lost or stolen by hackers in more than 300 major data breaches this year.
And more than two incidents that leave Australians exposed to "serious harm" occur per day, new figures show.
The extent and frequency of the data breaches have only been exposed now through new mandatory reporting laws that were launched on February 22.
In just four-and-a-half months since the laws were introduced, 305 major data breaches have occurred.
That's double the number on record for 2016-17 when reporting was only voluntary and companies didn't face heavy fines for keeping them secret.
In the biggest data breach this year alone, more than one million Australians had their private data lost or stolen.
Phone numbers, bank details, credit card numbers, passport information, driver's licences, addresses, sensitive health information - and even private information such as sexual orientation, religious and political views - have been lost or stolen in the breaches, which are only reported if they expose individuals to "serious harm".
Hackers or cyber criminals, using "brute force attacks" or deploying methods such as phishing, malware or ransomware, were responsible for most (59 per cent) of the data breaches.
Other criminals stole paperwork or storage devices, impersonated officials, or were "rogue" employees misusing data.
Human error, such as emailing or mailing personal details to the wrong address, accounted for another 36 per cent of breaches.
Contact information was stolen in a whopping 89 per cent of cases, financial details were lost or stolen in 42 per cent of cases, identifying data such as passport or driver's licence details was exposed in 39 per cent of cases, and health data was exposed in 25 per cent of incidents.
The health sector was the worst hit, with 49 major data breaches. The Office of the Australian Information Commissioner specified, however, that My Health Record was not involved in any of the breaches.
The finance sector was the second worst hit, with 36 major breaches.
Companies with a turnover of more than $3 million, along with other covered organisations, have been required to report the breaches to the OAIC and to affected individuals, or face heavy fines of up to $2.1 million.
Acting Information Commissioner Angelene Falk revealed the data breach that affected more than a million Australians was at a multinational company.
But she said both large and smaller companies reported serious breaches.
No companies have been named in the OAIC's second-ever quarterly report on breaches, due to be released today.
But Ms Falk told News Corp the OAIC wasn't ruling out publishing company names in future.
She said the policy would be reviewed as the scheme progressed and it would depend on whether other jurisdictions such as the European Union began publishing the names of companies involved in breaches.
"We don't live in a risk free world," Ms Falk said.
"Ideally there would be no data breaches but we understand every system holding personal information faces risks, whether it's a filing cabinet or a storage device or an online system.
"That's why we've got laws in place that require those security risks to be identified and addressed."
She did not say whether she was surprised by the large number of data breaches in Australia in just four months but said the rate was higher in other jurisdictions.