The Office of the Victorian Information Commissioner ('OVIC') published, on 28 March 2022, its incident insights report for the period of July to December 2021. In particular, the OVIC highlighted that the report provides a summary and analysis of the information security incident notifications received by OVIC between 1 July 2021 to 31 December 2021. Further to this, the OVIC noted that its observations and take-outs in this report are based on comparing the statistics published in previous reports with the notifications received by the OVIC under the scheme. Moreover, the OVIC stated that it received 343 notifications between 1 July 2021 to 31 December 2021 (inclusive), which is a 57% increase in the number of notifications compared to the last (January 2021 to June 2021) reporting period (218 notifications).

Furthermore, the report highlights that the OVIC received the highest number of notifications in October 2021 (80) and November 2021 (101). In this regard, the report states that notifications continue to steadily increase as awareness of the scheme increases across the Victorian public sector. Further to this, the report notes that the increase in notifications in October 2021 and November 2021 may reflect organisations undertaking increasing administration activities before the end of year and does not necessarily reflect more incidents occurring. In light of this observation, the report adds that caution should therefore be observed when drawing conclusions from month-to-month comparisons.

Notably, the report observes that, of the 343 notifications received by OVIC, the majority come from the justice sector, specifically from the Department of Justice and Community Safety, and the transport sector, specifically from the Transport Accident Commission ('TAC'). Furthermore, the report clarifies that the increase of notifications from the transport sector from eight in the last reporting period to 81 this period is a result of the TAC notifying OVIC, rather than more incidents occurring.

In addition, the report confirms that incidents involving phishing and ransomware are published daily in the news and are some of the top sources in the current threat environment. Further to this, the report states that approximately 55% of incidents affected electronic information related to emails, and that these incidents predominantly involved sending emails to the incorrect recipient. In this regard, the report adds that the Office of the Australian Information Commissioner's Notifiable Data Breaches Report noted 54% of cyber incidents were from phishing and ransomware.

You can read the report here.