Industry's 'treasure trove' of data targeted by criminal, malicious hackers

The insurance industry remains among the top-five list of sectors with the most data breaches, according to the Office of the Australian Information Commissioner (OAIC).

OAIC says the industry reported 32 breaches for the half-year to December, sharing fifth spot with education. The insurance industry emerged for the first time in the top-five list in 2020.

Health service providers topped the list (83), followed by finance (56), legal, accounting & management services (51) and personal services (36), the OAIC’s Notifiable Data Breaches (NDB) Report said.

About 53% of the data breaches reported by the industry were blamed on malicious or criminal attacks; the remainder were caused by human error.

The OAIC numbers did not surprise industry experts, who say insurers are targeted because of the valuable data in their possession.

Mark Doepel, Partner, Commercial Insurance at Sparke Helmore Lawyers, says the key issue to note is that the majority of breaches sustained by insurers come about through malicious and criminal attacks.

“These attacks are focused attacks, with a specific and deliberate target,” Mr Doepel told insuranceNEWS.com.au. “In this regard, insurance companies are a veritable treasure trove of the types of data that malicious hackers are after.”

He says the industry presents a “potential Aladdin’s cave of highly desirable information” if one takes into account all aspects of the operations of an insurance company and the information which will be collected, from underwriting and policy distribution, through investment and claims issues.

The data they hold such as identity information and financial details “are all very highly prized on the dark web”, Mr Doepel said.

OAIC does not provide case studies, even on an anonymous basis, but the half-year update gave a breakdown of the 17 malicious or criminal attack cases reported by insurance providers.

It says 13 of the malicious or criminal attacks were social engineering/impersonation, three were cyber incidents and one related to rogue employee/insider threat.

A brute-force attack, one phishing case and another involving compromised or stolen credentials make up the three cyber incidents.

The NDB scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.

It provides three options for companies to notify individuals. They may notify each individual whose personal information has been involved in the eligible data breach; notify only individuals who are at risk of serious harm; or, if neither of those two options is practicable, publish a statement on the eligible data breach on their website and publicise the statement.