Information Commissioner releases the 6th notifiable breaches report, revealing 245 notifications between April and June 2019. She also announces a move to reporting semi-annually rather than quarterly
August 29, 2019 |
The Information Commissioner has released the latest report on reported (rather than actual) data breaches for the last quarter, April – June 2019. The report highlights what has long been known: that human factors are a major cause of breaches.
The report reveals that:
- 34% of the breaches were caused by human error;
- 62% were motivated by malicious or criminal attacks
- the number of reported breaches, at 245, is statistically greater than the 215 breaches in the January – March period but in line with the 2 quarters before that, at 245 and 262;
- 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
- contact information was affected in 220 of the breaches, while financial details were affected in 102 and health information on 67 occasions;
- as is commonly the case, wrong email addresses were the cause of most of the human errors. Most of those errors were in the health sector;
- phishing is by far the most common cause of cyber incidents;
- the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.
It is curious that the Commissioner has opted to move to six-monthly reporting rather than quarterly reporting. Given that the Commissioner is weak on enforcement, it would have been preferable to keep up more regular reporting to keep the issue at least topical, to the extent that the Commissioner elicits media coverage, which is not often.
What is also somewhat surprising is the lack of enforcement arising from some of these breaches, particularly those affecting large numbers of people. There were 6 breaches involving upwards of 5,000 people, 4 of them involving more than 100,000 people. Yet no enforcement action was taken? In the hands of UK or US regulators there would be a comprehensive investigation with the possibility, if not likelihood, of a major fine.
The Commissioner’s media release provides:
National figures on data breaches show about one in three data breaches last quarter were caused by compromised credentials, with login and password information used to gain unauthorised access to personal information.
The human element continues to be a key factor in breaches, according to the latest Notifiable Data Breaches (NDB) scheme statistics report from the Office of the Australian Information Commissioner (OAIC), covering the period between 1 April and 30 June 2019.
This includes individuals clicking on a phishing email or reusing passwords across services, which allows for further data breaches.
“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
The NDB data shows that the threat of data breaches – whether by malicious or criminal attack or human error – remains real.
Malicious or criminal attacks were the largest source of data breaches in the quarter, accounting for 62 per cent of all data breaches. Of these 151 data breaches, nearly 70 per cent involved cyber incidents.
The vast majority of cyber incidents were linked to compromised credentials, either through phishing (46 notifications), by unknown methods (32 notifications) or by brute-force attack (5 notifications).
The private health and finance sectors continue to record the most data breaches out of the sectors surveyed.
The health sector was responsible for 19 per cent of data breaches and the finance sector for 17 per cent. They were followed by the legal, accounting and management services sector (10 per cent), the private education sector (9 per cent), and the retail sector (6 per cent). Overall, the total of 245 data breaches reported is consistent with previous quarters.
Ms Falk said that the NDB scheme had established itself as an effective mechanism for organisations to notify affected individuals and the Australian Information Commissioner about ‘eligible data breaches’.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combatting data breaches and improving response strategies,” she said.
“Effecting change in practices to prevent breaches is vital to the goal of protecting the community. Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”
The majority of data breaches in the period involved the personal information of 100 individuals or fewer (62 per cent of data breaches).
Ms Falk said the OAIC remained ready to exercise its enforcement powers to support the NDB scheme’s purpose of protecting consumers.
The OAIC’s statistical reporting on the NDB scheme will shift to six-monthly intervals following the latest report.