Top cyber security breaches target seniors' privacy
Services crucial to seniors are the top targets for international hackers seeking to steal your confidential information. What are they?
Key points
- 396 data breaches were reported to the privacy regulator.
- Health services reported 79 data breaches.
- The notifiable data breach scheme has been in place since 2018, but critics want greater enforcement.
Healthcare and financial services are the top two targets of hackers as reported by these industries to Australia’s privacy regulator in the first half of this year.
So, it is time to strengthen your efforts to ensure your online security settings are as secure as possible. Advice on how to do this is now readily available from most service organisations, especially those in the health care and financial services sectors.
Healthcare breaches are in the news following the recent Medibank hack, which exposed extremely sensitive information about Australians.
According to a report from the Office of the Australian Privacy Commissioner (OIAC), health service providers informed the privacy commissioner of 79 data breaches, followed by finance (52) and education (35) between January and June 2022.
Under the Notifiable Data Breach (NDB) scheme, organisations must report a breach to the Office of the Australian Information Commissioner (OAIC) if the data revealed includes personal information that is likely to result in serious harm, such as date of birth or address.
Harms might include identity theft, the exposure of location details in a family violence situation or a threat to someone's reputation.
The Commissioner says 396 breaches were reported, which was 14 per cent fewer than the 460 notifications from July to December 2021.
However, there were more data breaches involving many Australians in the first half of 2022: four affected more than 100,000 Australians, compared with just one breach in the previous half.
"The number of larger scale breaches caused by cyber security incidents reiterates the importance of entities having measures in place to protect, detect and respond to the range of cyber threats in the environment," Privacy Commissioner Angelene Falk said.
Most data breaches were caused by what the OAIC calls "malicious or criminal attacks": ransomware and phishing - emails or texts designed to trick the recipient into sharing passwords or other details. It is predicted that healthcare could experience more data breaches.
The principal at the IT company, Data Synergies, says that is because it is more of a "cottage industry".
He told the media: "You think about all of the personal information about your aunt who is in a nursing home, that that nursing home has to handle to look after her wellbeing.”
A data breach could include health information in an email sent to the wrong person or even lost paperwork.
He says the potential threat in health care is significant: "There is a lot of sharing of data between individuals delivering health services, the GP, the chiropractor, the pharmacy.”
The incidence of high-profile data breaches in 2022 has led to calls for better privacy data management.
Bruce Baer Arnold from the University of Canberra law school said the current data breach reporting scheme is disappointing when it came to deterring data breaches.
"We do not have much action. We have a watchdog that is reluctant to get out of its kennel. It does not bark, and it does not bite.
"According to the OAIC report, some businesses dragged their heels on reporting at all: 71 per cent notified the agency within 30 days of becoming aware of a breach, but four per cent took more than 12 months.
Organisations are meant to report and notify affected individuals "as soon as practicable".
The consequences for a company that is not doing enough to protect customer data also remain trivial, according to Dr Baer Arnold.
The government is proposing to raise the potential penalty for a serious privacy breach to $50 million. Dr Arnold would like to see Australia mirror the US regime, where the Federal Trade Commission is now assigning personal responsibility to executives.
"This is the sort of thing that is likely to have some consequences, and we should be bringing it to Australia," he said.
Commissioner Falk welcomed measures in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. The Bill gives the Commissioner stronger information-gathering powers to ensure entities are reporting breaches and notifying individuals when they need to, and increased penalties for serious or repeated privacy breaches.
For further reading: OAIC and ABC
