The recent ‘credential stuffing’ cyber attack on Australia’s super funds sector once again highlights the growing cyber threat to business. ‘Credential stuffing’ is when usernames and passwords sourced from hacks on lower value websites or the dark web are used to gain access to higher value targets such as super fund accounts. Last month’s cyber attack on several large super funds, is reported to have resulted in the theft of at least half a million dollars. And the threat from cyber criminals continues to grow.

New statistics from the Office of the Australian Information Commissioner (OAIC) reveal 2024 was a record year for the reporting of cyber security breaches, with 1,113 data breach notifications. The largest number in a single year since since mandatory data breach notification requirements started in 2018.

First half surge

2024 represented another first. The number of cyber security incidents in the first six months of 2024 (518), exceeded the number for the final six months of 2023 (483), the first time that notifications in the first half of a year have exceeded the second half of the preceding year.

The established trend of a greater number of breaches being recorded in the second half of each year since 2018 has persisted, with a further 595 breaches between July and December 2024. The total mandatory data breach notifications since 2018 now stands at over 6,500.

Malicious and criminal attacks

The most recent data available from the OAIC, the July to December 2024 period, shows malicious or criminal attacks up 14% from the first half of the year and the largest source of data breaches at 69%. Within that, cyber security breaches accounted for the majority of the malicious or criminal attacks.

The OAIC also notes that phishing scams were the leading cause of cyber security breaches. Phishing scams are where cyber criminals pretend to be acting for reputable companies and send email or text messages designed to trick their targets into handing over personal information.

“The threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, and the risks to Australians are only likely to increase. Businesses and government agencies need to step up privacy and security measures to keep pace.”

Carly Kind, Australian Privacy Commissioner

Close to a third of incidents reported were the result of human errors, including email blunders such as copying in the wrong e-mail address, unintended publication of data or the failure to redact sensitive information.

As a percentage of total breaches, those caused by human error in the second half of 2024 made up 29% compared to 30 % in the first half. System faults made up 2% of the notifiable data breaches in the second half down from 3% in the first.

Health sector leads on breaches 

Once again, in the July to December 2024 period the health sector had the most reported data breaches (20%), with Australian Government agencies reporting the second most (17%). This reporting period also saw a significant increase in data breaches caused by social engineering and impersonation, which is the manipulation of people into carrying out specific actions or divulging information.

A question of ‘When’ not ‘If’

The number of cyber security incidents being reported under the Notifiable Data Breaches scheme inexorably rises. As it does, the question moves towards ‘When’ rather than ‘If’ a company, which relies on collecting sensitive data, will experience a data breach.

Should a breach occur it is small comfort that the OAIC does not take regulatory action in response to every incident reported. It is looking to act where enforcement would have the greatest impact and to where there is the largest risk of harm to the community. One recent example of regulatory action in response to a data breach report is the OAIC’s acceptance of an enforceable undertaking offered by Oxfam Australia.

Against this backdrop of ever increasing cyber risk, it is more important than ever that Companies have a cyber-incident response plan in place. That plan should be regularly tested, include the advice of external advisers and incorporate a well thought out communication strategy. FIRST Advisers’ experience of crisis communications means we are well positioned to help a Company’s internal resources prepare for and manage cyber breaches.

Source: www.oaic.gov.au