The Office of Information Commissioner releases the Notifiable Data Breaches Quarterly Report for 1 April – 30 June 2018
July 31, 2018
The Australian Information Commissioner has released another quarterly report of notified data breaches. It has grown into a 33-page document from its humbler beginnings of a single page. At the outset, it is relevant to note that these figures are not the last word on actual data breaches. Organisations go through a balancing act before deciding to notify. That is a weakness in the legislation. There is also likely to be some non-compliance with the legislation. Finally, many organisations are not subject to the operation of the Privacy Act and therefore will not notify because they do not have to. That said, it is a valuable report.
Putting the issue of data breaches in its broader context, itgovernance has calculated that data breaches and cyber attacks in July 2018 resulted in unauthorised access to 139,731,894 records. Health records were a significant percentage of the records affected.
In the quarter there were 242 notifications, compared to 63 in the previous quarter, which were attributable to:
- 36% human error
- 59% malicious or criminal attacks
- 5% system faults
The number of breaches is increasing each month. That has more to do with organisations and agencies understanding their obligations than with a systemic rise in data breaches.
In terms of the impact of data breaches, the majority involved between 2 and 1,000 people per breach, with 55 involving 11 to 100 people and 52 involving 101 to 1,000. There was one breach which affected more than a million individuals and 2 which involved between 50,000 and 100,000. The majority of the data involved was contact details, followed by financial details. Health information was involved in 61 breaches.
Among the malicious or criminal attacks, the majority of the events were cyber incidents, though the theft of paperwork or data storage devices was a significant cause.
Health topped the list of industry sectors by notification. For privacy practitioners that is not surprising. The health sector has a poor reputation in maintaining data security and a culture that is resistant to change. Fifty-nine per cent of the breaches were caused by human error. Breaches due to cyber incidents were caused, in equal part, by hacking, phishing and stolen credentials. Ransomware and brute force attacks were lesser causes.
In that respect the Report stated:
For breaches in the Finance Sector (36 notifications), 50% were due to human error, with almost half being malicious or criminal attacks.
The trick now is for the Commissioner to do something with these breaches to improve compliance with the Privacy Act. That would be nice.
The Australian has covered the story.