FOI data shows Australian mining and manufacturing sectors take months to detect cyber breaches

Australia’s mining and manufacturing sectors are taking up to two years to notice and report cyber breaches to authorities, prompting concerns about the cybersecurity of industries critical to the nation’s economy.

New figures obtained under Freedom of Information (FOI) laws show 187 data breaches across the two sectors have exposed the personal information of up to 3.6 million people since 2018.

However, the data has been de-identified, making it impossible to know which companies have reported breaches.

The analysis, compiled by industrial cybersecurity firm Secolve, shows some companies took more than a year to detect a breach and almost two years to alert the Office of the Australian Information Commissioner (OAIC).

The OAIC’s notifiable data-breach scheme covers incidents involving personal information, but there is no fixed deadline for reporting.

Instead, there is only an obligation to do so “as soon as practicable”.

The FOI data shows one operator failed to detect an intrusion for 520 days, then waited another 84 days before notifying authorities.

Mining and manufacturing companies that detected breaches were also slow to come clean to the regulator, taking on average an extra 39 days to report incidents once detected.

Seven data breaches took more than a year to be identified and reported to the OAIC.

In other cases, businesses detected a breach on the same day it occurred but waited 30, 100 or even 300 days before informing the regulator.

Source: ABC News