NSW government agencies, councils and universities are being urged to undertake “cyber security uplifts” after collectively reporting 52 data breaches in the seven months to June 2024.
The numbers relate to a mandatory data breach notification scheme now operating in the state and represent the first reporting period.
The Information and Privacy Commissioner (IPC) NSW called the number of breaches “moderate”, although monthly breach numbers effectively doubled in May and June, compared to previous months.
“The IPC strongly encourages leaders across the sectors to engage with the risks arising from cyber security,” it said in its inaugural trends report. [pdf]
“Investment to uplift ICT security and staff capability are key to improving the safety and security of personal information held by agencies.”
Of the 52 reportable data breaches, 34 impacted government agencies, and there were nine each at councils and universities respectively.
In government – local and state – about 80 percent of incidents were caused by human error, with the remainder due to malicious or criminal attacks.
That differed in the university sector, where 44 percent of data breaches were due to cyber incidents.
Three of the nine university breaches reported impacted over 5000 people.
The only concern for state government agencies is that for about one-third of breaches, notification to the IPC took between one and six months.
Though agencies can take more than 30 days to assess a data breach, there needs to be a written record of the extension submitted to the IPC.