Cyber claims: malicious data breaches soar

Malicious data breaches have rocketed in Australia in the year since new breach notification legislation was introduced, says cyber specialist CFC Underwriting.

CFC statistics show malicious data breaches accounted for 37% of Australian cyber claims last year, compared with 14% the previous year.

“This was significantly higher than elsewhere in the world and the spike follows the introduction of the Notifiable Data Breaches scheme,” International Cyber Team Leader Lindsey Nelson told insuranceNEWS.com.au.

“We attribute this to businesses being overly cautious when it comes to notifying breaches.”

CFC, which is based in London but has 3000 policyholders in Australia, says it noted a similar trend in the UK following implementation of the EU General Data Protection Regulation.

“We expect Australian claims data to revert back to previous years once it settles down,” Ms Nelson said.

Ransomware and extortion (23%) was the second biggest source of claims last year and CFC expects further growth in this area.

“Ransomware is not only increasing in frequency but also severity,” Ms Nelson said.

“There is a shift to more targeted attacks and ransom demands are increasing as a result.”

Australian cyber specialist Emergence Insurance has warned about increasing numbers of “sextortion” attacks where webcam images of people viewing inappropriate websites are used to extort funds.

Social engineering scams – manipulating people’s vulnerabilities so they surrender confidential information – are active across Australia, Emergence Head of Sales Gerry Power said.

Australian Information Commissioner Angelene Falk says the first anniversary of the Notifiable Data Breaches scheme gives companies an opportunity to reflect on progress made.

“Most of the data breaches reported to us over the past year involved a human factor, like sending information to the wrong person or someone’s login credentials being compromised through phishing or other means and used in a cyber attack,” she said.

“We expect organisations and agencies to act on the risks highlighted by these reports ― whether or not they were directly affected ― and take steps to prevent a similar breach of Australians’ personal data.”

Under the scheme, government agencies and organisations must carry out an assessment whenever they suspect there has been loss of, or unauthorised access to, personal information that they hold.

If serious harm is likely to result, they must notify affected individuals and the Office of the Australian Information Commissioner.

From the scheme’s introduction on February 22 to the end of December last year, 812 data breaches were notified.

“The growing number of data breaches notified to my office is consistent with trends experienced by our counterparts overseas and indicates agencies and organisations are complying with their notification obligations,” Ms Falk said.

“Individuals are now receiving notices so they can take action to reduce their risk of harm, which also shows the scheme is working as intended.”