Information Commissioner releases report of 537 notifiable data breaches for the last half of 2019, while worldwide the estimate of data records accessed unlawfully in 2019 reached 12.3 billion!

March 15, 2020

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period. There were 537 notifications, up from 460 in the previous 6 months, making 997 for the 2019 calendar year.

As usual, health service providers top the list, with 117 notifications, followed by finance with 77 notifications. Interestingly, although they account for less than 10% of notifications, there were 40 notifications from legal, accountancy and management services. In terms of the number of individuals affected, 132 notifications, about 20%, affected only one person's personal information, but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals, while 13 notifications covered between 25,000 and 10,000,000.

Contact information was contained in 411 of the notifications, while financial details were contained in 198. Identity information was contained in 162 of the notifications. Consistent with previous reports, malicious or criminal attacks made up the significant majority of breaches, 64%, but human error was a big factor as well, at 32%.

The Executive Summary provides:

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. It applies to agencies and organisations who are covered by the Privacy Act 1988 and are required to take reasonable steps to secure personal information.

This is the first statistical report on the NDB scheme to cover a six-month period. It shows a 19 per cent increase in the number of data breaches reported to the Office of the Australian Information Commissioner (OAIC) between July and December 2019, compared to the first half of the year.

Initially, the OAIC published statistical reports every quarter to help identify any trends and improve awareness and understanding of data breach risks and prevention. The OAIC also published a Notifiable Data Breaches Scheme 12-month Insights Report in May 2019 which examined these trends and highlighted best practice approaches to preventing and responding to data breaches.

Now that the scheme is well established as an effective reporting mechanism, this six-monthly report will continue to track the leading causes and sources of data breaches. It will also highlight emerging issues and areas for ongoing attention by entities entrusted with protecting personal information.

Comparisons are to January to July 2019

Key findings for the July to December 2019 reporting period:

    • 537 breaches were notified under the scheme, up from 460 in the previous six months
    • Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 64 per cent of all notifications
    • Data breaches resulting from human error account for 32 per cent of all breaches, down from 34 per cent in the last reporting period
    • The health sector is again the highest reporting sector, notifying 22 per cent of all breaches
    • Human error caused 43 per cent of data breaches in the health sector, compared to an average of 32 per cent across all notifications
    • Finance is the second highest reporting sector, notifying 14 per cent of all breaches
    • Most data breaches affected less than 100 individuals, in line with previous reporting periods
    • Contact information remains the most common type of personal information involved in a data breach.

These notifications must be regarded as the most conservative estimate of actual breaches. Part IIIC of the Privacy Act sets out the process by which an APP entity can determine whether to make a notification. The entity can undertake a balancing act based on factors in the legislation and decide not to notify persons whose personal information was accessed or disclosed without authorisation. Reaching the point where a decision is made to notify or not can require a quite complicated factual exercise and legal analysis.

It is also always relevant to realise that entities not covered by the Privacy Act do not have to notify the Commissioner or their customers in the event of a data breach.

The number of data breaches and the damage they inflict on organisations and individuals is growing exponentially. According to IT Governance, in 2019 12.3 billion data records were lost or stolen. Of that number, 1.3 billion were caused by cyber attack, 772 million were caused by password breach, 534 million were accessed by unauthorised access, and 8.5 billion were caused by internal error.

IT Governance reports that February was the second worst month ever for records breached, at 623,000,000.
