Government was the second-most breached sector in Australia during the first six months of 2024, reporting 63 incidents in total.
The Office of the Australian Information Commissioner (OAIC) recorded 44 malicious or criminal attacks on government agencies, with the majority of these – 41 – caused by impersonation or social engineering.
One cyber incident was recorded in the six-month period and two breaches were attributed to a “rogue employee or insider threat”.
Meanwhile, the government reported 17 breaches caused by human error and two from a system fault.
The OAIC’s rules mostly apply to federal agencies, although some state and territory breaches could be present in its numbers, if a breach impacted a Commonwealth credential such as a tax file number.
For three years, the government remained absent from the OAIC’s top five breached sectors but made a return in the back half of 2023 with 38 reported breaches.
The latest OAIC figures, for the first half of 2024, represent a 65 percent increase for the government sector compared to the previous period.
The majority of breaches – around 87 percent – took more than 30 days to identify.
“Some of these delays occurred where an agency’s business area became aware of an incident and failed to promptly escalate it to the area responsible for coordinating the agency’s response to data breaches,” the OAIC said in its report.
“This delay in escalation contributed to delays by the agency in commencing an assessment and notifying the OAIC of the data breach.”
Across the board, the OAIC reported 527 notifications, up nine percent from the previous period and the highest number in three-and-a-half years.
The healthcare industry retained the top spot as the most hit sector with 102 breaches.
Notably, the MediSecure data breach in May affected approximately 12.9 million people – the largest number impacted since the notifiable data breaches scheme came into effect six years ago, the OAIC said.
Finance and insurance was the third-most hit sector with 58 breaches; education reported 44 breaches, while retail recorded 29.
Overall, 354 malicious or criminal attacks were reported, equating to 67 percent of all reported breaches. More than half of these were cyber security incidents.
Human error accounted for 30 percent of reports, or 156 incidents.
The OAIC received 34 notifications relating to data breach incidents involving more than one entity.