Information Commissioner Urges Organizations to Accelerate Breach Notifications
Australia’s information commissioner urged organizations to quicken the process of notifying those affected by data breaches instead of spending months analyzing each incident. It can take anywhere from 20 days to five months to notify breach victims, putting them at risk, said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
Falk said Australian organizations suffered fewer data breach incidents in the first half of 2023 than they did from July to December 2022 and did a better job of reporting them to authorities.
Falk said Australian organizations reported 409 breach incidents between January and June 2023, and malicious or criminal attacks accounted for 70% of data breaches. Australian organizations suffered 23 major breaches that affected over 5,000 Australians, and one of them affected more than 10 million Australians – an improvement over the second half of 2022.
In the first half of 2023, the Office of the Australian Information Commissioner (OAIC) received reports of breaches within 30 days after they occurred from 74% of organizations, and just 5% of organizations took longer than four months to report breaches. Though these figures indicate the vast majority of organizations are detecting and reporting breaches quickly, Falk said they can still do better.
“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” she said. “The longer organizations delay notification, the more the chance of harm increases.”
According to the OAIC, one organization compromised by a ransomware attack took more than five months to notify affected customers about the breach because it chose to perform forensic investigation and assessments sequentially rather than in parallel. In contrast, another organization was able to notify affected customers within 20 days of becoming aware of the breach because it conducted an investigation of the data breach and its assessment in parallel.
Falk said organizations should prioritize their duty to inform all affected individuals as soon as possible about the breach of their personal information. She said organizations must perform assessment and investigation simultaneously and should not spend too much time assessing each incident to confirm an eligible breach has occurred.
“Conclusive or positive evidence of unauthorized access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred. An eligible data breach can occur based on unauthorized access alone and individuals’ data can be stolen by less traceable means, such as screenshots,” the OAIC said.
Time to detect a breach varies widely. The commissioner said 78% of organizations could identify breaches within 30 days, while others took up to 12 months. On average, organizations identified breaches caused by malicious attacks or human error much faster than those caused by system faults.
Falk said malicious actors target victims’ contact, identity and financial information and they slowly aggregate stolen information from various sources to fuel phishing scams or create false identities.
“This ‘mosaic effect’ gives threat actors the ability to more easily impersonate an individual or access systems or accounts using compromised credentials. Organizations need to be alert to this growing attack surface and have robust controls in place to minimize the risk of a data breach,” she said.