Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks, resulting in 60,865,828 records being breached.  Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual Threat Report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. The ACSC acknowledges that the figure could be, and probably is, higher.  Probably much higher.

The statement by the Assistant Defence minister provides:

It is a useful document in that it identifies particular trends in cyber attacks.

In terms of attacks, Victoria and Queensland together account for 59% of the reported incidents.  The top three forms of cyber crime are fraud (at 23%), shopping (at 17%) and online banking (at 12%).  Medium businesses are the biggest category of victims, losing on average $33,442.

Ransomware featured significantly, with a 15% increase in the number of incidents over last year.  The top targets are:

  1. Professional, Scientific and Technical Services
  2. Health Care and Social Assistance
  3. Manufacturing
  4. Education and Training
  5. State, Territory and Local Government

Business Email Compromise (BEC) is featuring as a significant category of cybercrime.  It comes to the attention of legal practitioners as clients attempt to recoup funds lost this way.  It is particularly profitable, with the average reported loss per successful attack being $50,673.

COVID has given cybercriminals new opportunities to attack the health sector, as new points of entry have been created and there have been stresses on the industry.

Security vulnerabilities continue to be the gift that keeps on giving for state sponsored actors and fast-acting criminals, who take advantage of organisations' slow patching and weak cyber security practices.  Software supply chain compromises constitute a very significant threat and are difficult to detect and defend against.

The constant prescription for each problem is for organisations to maintain minimum standards of privacy and cyber security, standards which are fairly dismal at the moment.

Given the numbers produced, it is interesting to see the Office of the Australian Information Commissioner’s recent Notifiable Data Breaches Report for the period January to June 2021, where there were 446 notifications in the first half of 2021, down 16% on the previous 6 months.  How does that tally with the 67,500 reports received by the ACSC?  One possibility is that the Privacy Act only covers organisations with a turnover of over $3 million, so a lot of small traders might be affected but not covered by the obligations of the Act.  As for those covered by the Act, it could show that the bar set by the mandatory data breach notification legislation is too high, or that the weighing exercise the affected organisation has to go through often permits a decision not to notify.

What is clear is that the Report on data breach notifications bears little resemblance to reality.

As flawed as this document is, it does make some interesting findings:

  • 65% of data breaches affect 100 people or fewer.
  • while most data breaches (289 incidents) were caused by malicious attack, 30%, or 134, were due to human error.
  • ransomware made up 24% of the incidents and phishing 30%.  Brute force attacks only accounted for 5% of incidents and hacking only 9%.
  • contact information remains the most common type of personal information involved in data breaches.
  • the main industry affected, by a significant margin, is the health sector, followed by finance, then legal, accounting and management services, and then, in equal fifth position, the Australian Government and insurance.
  • for human error, sending personal information to the wrong address was the most common means of breaching; however unauthorised disclosure, while less prevalent, affected by far the most individuals, some 523,998.

The Commissioner’s reports have evolved into a very detailed analysis which offers useful insight.  The flaw is that it is not even close to a reflection of what is happening in the community.
