Published on the 04/02/2021 | Written by Jonathan Cotton
OAIC’s report shows human-factor accounts for 38 percent of all breaches…
The latest report from the Office of the Australian Information Commissioner (OAIC) finds data breaches in Australia on the rise and human error to blame.
According to the report – which captures the notifications made under the Notifiable Data Breaches (NDB) scheme between July and December last year – 539 breach notices were received, an increase of five percent.
Most data breach notifications involved ‘contact information’, such as an individual’s home address, phone number or email address.
“This is distinct from ‘identity information’ which refers to information that is used to confirm an individual’s identity, such as a passport number or driver’s licence number,” says the report.
“Identity information was exposed in 45 percent of data breaches notified during the period.”
Data breach notifications in the period also involved financial details, such as bank account or credit card numbers (40 percent), health information (26 percent) and tax file numbers (18 percent).
Overall, data breaches attributed to ‘malicious or criminal’ attacks have decreased, albeit only slightly. Nevertheless, they remain the leading source of data breaches, accounting for 58 percent of notifications, says the report. Defined as attacks ‘deliberately crafted to exploit known vulnerabilities for financial or other gain’, they accounted for 310 breaches.
Reported attacks included ‘cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat’.
Data breaches resulting from social engineering or impersonation accounted for more than a third of notifications, says the report. Actions taken by ‘a rogue employee or insider threat’ accounted for 35 notifications, up from 23. Theft of paperwork or storage devices resulted in 29 reports.
“The most common method used by malicious actors to obtain compromised credentials was email-based phishing,” says the report.
“This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations. The human factor is an important element in an organisation’s overall information and cyber security posture, given these attacks rely on a person clicking on a phishing link.”
Those numbers do add up, with data breaches resulting from human error ultimately accounting for 38 percent of notifications, up 18 percent from previous numbers.
Those human errors include unauthorised disclosures (i.e. unintended release or publication of information) affecting large numbers of individuals, with an average of 20,117 individuals affected per breach. Simple failure to use the BCC function when sending group emails affected an average of 19,163 individuals per breach.
System faults accounted for just five percent of data breaches.
“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices,” says Australian information commissioner and privacy commissioner Angelene Falk.
“Being prepared for a data breach is important for all entities that handle personal information… Entities must have effective systems for detecting, containing, assessing, notifying and reviewing data breaches,” said Commissioner Falk.
“Critically, they need to provide individuals with clear and timely information about data breaches, including recommendations on steps they can take to protect themselves from harm.”
The health sector is by far the highest reporting industry sector, accounting for 23 percent of all breaches, followed by finance (15 percent), education (seven percent), then legal, accounting and management services (seven percent).
For the first time, the Australian Government entered the top five industry sectors to notify data breaches, now accounting for six percent of all breach notifications.
The NDB scheme was established in February 2018 to drive better security standards for protecting personal information in Australia. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.