Information Commissioner releases report of data breaches for July to December 2023. A 19% increase in notifications, to 483, over the previous six-month period. The report highlights the problems of data breaches by third parties

February 27, 2024

The Information Commissioner has released its semi-annual data breach report, this time for the period July to December 2023. There was a steady increase in the reported breaches: 57 in July, 68 in August, 79 in September, 86 in October, 96 in November and 97 in December.

Interesting issues arising from the report:

  • the health sector still remains the most affected by data breaches;
  • 65% of data breaches affect organisations of 100 people or fewer;
  • 67% of the data breaches were caused by malicious or criminal attacks. There were 322 such incidents, up 12%;
  • while human error was responsible for 30% of data breaches, that was an increase of 36% over the previous period;
  • 423 incidents involved contact information;
  • 306 incidents involved identity information;
  • 197 incidents involved health information;
  • 193 involved financial details;
  • 64% of the data breaches were identified in 10 or fewer days;
  • 23% of data breaches were identified in 30 days or more;
  • 56 of the 211 notifications involved ransomware while 59 involved phishing.

Relevant extracts are:

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Entities need to continually review whether appropriate controls and processes are in place to defend against and mitigate data breaches caused by cyber incidents. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed prioritised mitigation strategies – the Strategies to Mitigate Cyber Security Incidents – to help entities protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.

Topically the Commissioner raised concerns about data retention:

Recent data breaches have highlighted the risks of retaining personal information for longer than needed. The more personal information an entity holds, the greater the possible scale and complexity of a data breach.

Entities should be mindful of their obligations under Australian Privacy Principle (APP) 11.2 to take reasonable steps to destroy or de-identify personal information unless:

    • the entity needs the information for any purpose for which it may be used or disclosed by the entity under the APPs
    • the information is contained in a Commonwealth record
    • the entity is required by or under an Australian law, or a court/tribunal order, to retain the information.

Entities may have similar obligations to destroy or de-identify credit reporting information, credit eligibility information, tax file number information or Consumer Data Right data.

APP 1.2 also requires an entity to take reasonable steps to implement practices, procedures and systems relating to its functions or activities that will ensure it complies with the APPs, including APP 11.2. Entities should ensure they have systems and processes in place to regularly review whether it is still necessary to retain personal information.

For example, entities may find it useful to establish and implement a data retention policy. A data retention policy can assist an entity in identifying the different kinds of personal information it holds and determining appropriate retention periods that comply with APP 11.2. This helps to ensure that any information that is no longer required is promptly and securely destroyed. Entities should ensure data retention policies are adhered to, regularly audited and updated as required.
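The retention review the extract describes can be mechanised. The following is an added example written for this post, not code from the OAIC or the report: it applies a constructed retention table per kind of personal information, honours the three APP 11.2 exceptions quoted above (still needed for a permitted purpose, Commonwealth record, retention required by law or court order), and refuses to decide for any kind of information the policy does not cover, since an undefined retention period is a policy gap rather than a reason to keep or destroy data. Record kinds, retention periods, dates and the `Record` fields are all assumptions made for illustration.

```python
"""Retention review sweep (added example; not from the OAIC report or this post).

Assumptions (constructed for illustration):
- RETENTION_DAYS: hypothetical policy, days to keep each kind of personal
  information after it was last needed for a permitted purpose
- Record: a minimal inventory entry with flags modelling the APP 11.2 exceptions
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention policy: kind of personal information -> days retained.
RETENTION_DAYS = {
    "contact": 365,
    "identity": 730,
    "health": 2555,
    "financial": 2555,
}


@dataclass
class Record:
    record_id: str
    kind: str                          # kind of personal information held
    last_needed: date                  # last date it was needed for a permitted purpose
    still_needed: bool = False         # APP 11.2 exception: still needed for a permitted purpose
    commonwealth_record: bool = False  # APP 11.2 exception: contained in a Commonwealth record
    legal_hold: bool = False           # APP 11.2 exception: retention required by law / court order


def retention_exception(rec: Record):
    """Return the APP 11.2 exception that applies, or None if none does."""
    if rec.still_needed:
        return "needed for a permitted purpose"
    if rec.commonwealth_record:
        return "Commonwealth record"
    if rec.legal_hold:
        return "required by law or court order"
    return None


def review(records, today: date):
    """Classify every record for the retention audit.

    Returns {record_id: (decision, reason)} where decision is one of
    'retain', 'exempt', 'destroy' or 'review' (no policy defined for that kind).
    """
    decisions = {}
    for rec in records:
        if rec.kind not in RETENTION_DAYS:
            # Policy gap: never guess a retention period, escalate instead.
            decisions[rec.record_id] = ("review", f"no retention period defined for kind '{rec.kind}'")
            continue
        expiry = rec.last_needed + timedelta(days=RETENTION_DAYS[rec.kind])
        if today < expiry:
            decisions[rec.record_id] = ("retain", f"within retention period until {expiry.isoformat()}")
            continue
        exception = retention_exception(rec)
        if exception:
            decisions[rec.record_id] = ("exempt", exception)
        else:
            decisions[rec.record_id] = ("destroy", f"retention period expired on {expiry.isoformat()}")
    return decisions


def destruction_queue(decisions):
    """IDs that should be passed to the secure destruction / de-identification step."""
    return sorted(rid for rid, (decision, _) in decisions.items() if decision == "destroy")


# Constructed sample inventory; the review date is also a constructed value.
SAMPLE_RECORDS = [
    Record("r1", "contact", date(2022, 1, 1)),                          # expired, no exception
    Record("r2", "identity", date(2023, 6, 1)),                         # still within period
    Record("r3", "health", date(2015, 1, 1), legal_hold=True),          # expired but on legal hold
    Record("r4", "financial", date(2016, 3, 1), commonwealth_record=True),
    Record("r5", "biometric", date(2020, 1, 1)),                        # kind not covered by policy
]


def sample_review():
    return review(SAMPLE_RECORDS, date(2024, 2, 27))


if __name__ == "__main__":
    result = sample_review()
    for rid, (decision, reason) in result.items():
        print(f"{rid}: {decision} ({reason})")
    print("to destroy:", destruction_queue(result))
```

The audit trail is the point: every record gets a decision and a stated reason, so the regular review the extract calls for leaves evidence that retention periods were applied and that exceptions were deliberate rather than the result of data simply being forgotten.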

Regarding compromised or stolen credentials the Commissioner stated:

Compromised or stolen account credentials caused a quarter (25%) of all data breaches in the reporting period.

Entities must remain vigilant as the increased occurrence of large-scale data breaches in recent years has heightened the risks of cyber incidents that involve the use of compromised credentials, such as credential stuffing attacks.

The OAIC strongly encourages entities to uplift their access security and ICT security measures, including identity management and authentication.

The ASD’s ACSC recommends entities implement the Essential Eight cyber security strategies as a baseline defence against cyber threats. One of these mitigation strategies is multi-factor authentication.

Multi-factor authentication is one of the most effective ways entities can protect against unauthorised access. However, multi-factor authentication that is not implemented or configured properly can create security vulnerabilities that could be leveraged by malicious actors.

Entities should also encourage employees and customers to use strong passphrases to protect their accounts. Each account should have a unique passphrase, as reusing a passphrase makes each account that uses it more vulnerable.

Regarding risks associated with outsourcing personal information the Commissioner stated:

Where a single data breach affects multiple entities, the OAIC may receive multiple notifications relating to the same incident, although only one entity is required to notify a data breach affecting multiple entities.

Notifications relating to the same incident are counted as a single notification in this report to avoid information being duplicated. However, the volume of secondary notifications may be indicative of the level of multi-party breach reporting.

There was a significant increase in the number of secondary notifications (121 notifications) from the previous reporting period (29 notifications).

Most of these multi-party breaches involved a data breach of a cloud or software provider, which then impacted the clients who had outsourced their personal information handling to those providers. This highlights the significant data breach risks that can arise from outsourcing personal information handling.

In this reporting period, multi-party breaches involving contracted service providers highlighted 2 issues:

    • the lack of data retention or destruction clauses in contractual agreements following the cessation of services
    • the lack of clearly defined responsibilities should a data breach occur, including who should assess and/or notify the breach.

In our increasingly interconnected economy, where services are commonly contracted out and involve the handling of personal information, it is imperative that entities proactively mitigate privacy risks in contractual agreements with third-party service providers. This is an important step in demonstrating an entity’s compliance with APP 11 (securing personal information) and the NDB scheme.

Prior to using the services of third-party providers:

    • Entities should ensure the third-party provider has baseline security and operational controls to prevent the compromise of systems that hold personal information, such as monitoring and logging capabilities for their customer infrastructure.
    • Entities should ensure service agreements or contractual arrangements address:
      • the handling of personal information, including defined data retention periods and processes for destroying or de-identifying data
      • data breach response requirements, including assigning roles and responsibilities for managing a data breach and meeting regulatory reporting obligations. This should specifically address which entity is to assess a data breach should one occur and which entity is responsible for notifying affected individuals. Depending on the contractual arrangement, both responsibilities could lie with one entity or be separated between them.
    • Entities should set out expectations for communication when suspicious activity is detected on systems that hold personal information.

The Commissioner noted that data breaches in the public sector were a significant factor in this period:

Before this report, the Australian Government had not been in the top 5 sectors by notifications since the January to June 2021 reporting period.

Australian Government agencies reported 38 data breaches, 8% of all notifications during the period.

In contrast with the other sectors in the top 5, Australian Government agencies notified more data breaches caused by human error (68%) than those caused by malicious or criminal attacks (32%).

Of the 26 human error breaches experienced by Australian Government agencies: 13 involved personal information being sent to a wrong person; 11 were a result of unauthorised disclosure of personal information; and 2 involved the loss of paperwork or a data storage device.

Human error breaches generally result from a failure of process or procedure. Entities should assume human error will occur and design systems and processes to minimise the risk. The risk of human error can also be reduced by educating staff about secure information handling practices (such as sending documents containing personal information via mechanisms that provide additional security controls) and putting controls in place (such as email filtering).

Of the top 5 sectors, the Australian Government had the largest proportion (50%) of notifications where the agency identified the incident over 30 days after it occurred. The Australian Government also had the largest proportion (55%) of notifications made to the OAIC more than 30 days after the agency became aware of the incident.

These statistics suggest Australian Government agencies should check they have effective systems for detecting, assessing, responding to and notifying data breaches. Such systems are fundamental to an agency’s ability to meet the NDB scheme’s requirements.
