There were 409 notifications of data breaches lodged in Australia in the six months to June, the Office of the Australian Information Commissioner (OAIC) says, down 16% from 486 in the corresponding period a year earlier.
Malicious or criminal attacks were behind 70% of data breaches – the leading cause.
The insurance sector reported 25 data breaches in the six months to June, placing it among the top five sectors to notify, but behind healthcare organisations, finance, recruitment agencies, and legal, accounting and management services.
Malicious or criminal attacks made up 52% of insurance sector notifications, while two breaches were reported as due to system fault and two due to unintended release or publication.
The top three cyber attack methods were ransomware, compromised or stolen credentials for which the method was unknown, and phishing.
OAIC says ongoing vigilance is essential and organisations are expected to have “robust and proactive” procedures to protect the personal information they hold.
“Organisations must be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected,” OAIC Commissioner Angelene Falk said.
Contact, identity and financial information remained the most common kinds of personal information involved in breaches, with 64% involving loss of identity information such as passport and driver licence details and dates of birth.
Financial information such as bank account details and credit card numbers was lost in 40% of breaches.
Australian entities must report data breaches to the OAIC when a breach involves unauthorised people accessing personal information, or the loss of personal information, and where the breach is likely to cause harm.