Federal government departments and agencies recorded 14 encounters with ransomware last year and a further three in 2022, according to a spreadsheet [pdf released under freedom of information.
The spreadsheet highlights a total of 257 breaches that were reported by federal government to the Office of the Australian Information Commissioner (OAIC) between February 2020 until February 2024.
These are figures that until now had remained outside of public view, as government drifted outside the top five sectors for data breaches under the OAIC’s notifiable data breaches (NDB) scheme.
The FOI redacts the names of the impacted departments and agencies but shows the majority of breaches impacting federal government between 2020 and 2024 - 160 in total - occurred due to human error.
A further 70 were attributed to malicious or criminal attacks; 38 of these escalated to level three cyber incidents, and 17 blamed ransomware as the threat vector responsible.
The largest ransomware attack, reported in November 2023, caused a potential data breach that affected between 1000 and 5000 people.
No ransomware attacks that turned into data breaches were reported between 2020 and 2021.
States under attack
The spreadsheet also contains some limited data on breaches from state and territory governments, as well as at a local government level.
This data is likely to be a snapshot of breaches, as state and local governments are under no obligation to report data breaches to the federal NDB scheme unless a Commonwealth credential such as tax file number is impacted.
According to the FOI document, all state governments, bar Western Australia, made several reports between 2020 and 2024.
Five unnamed local governments reported ransomware attacks, all of which affected between 100 and 1000 people. Two were hit by phishing breaches and one experienced a hacking.
Across all states and local governments collectively, 11 incidents were attributed to human error and two to system failure, the latter of which NSW recorded in February 2024.