The OAIC said in its regular release of statistics that its Notifiable Data Breaches Report for January to June 2020 showed a small fall in the number of breaches reported (518) against the previous six-month period (532), but an increase of 16% compared to the corresponding period last year.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement that malicious or criminal attacks, including cyber incidents, remained the leading cause of data breaches involving personal information in Australia.
“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” she said. “This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.”
“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.
“This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks.
“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”
Across the reporting period approximately 77% of notifying entities were able to identify a breach within 30 days. However, in 47 instances the entity took between 61 and 365 days to become aware and assess that a data breach had occurred, while 14 entities took more than a year.
“Organisations must be able to detect and respond rapidly to data breaches to contain, assess and notify about the potential for serious harm,” Falk said. “A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.
“In these cases, we required the organisation to re-issue the notification. We will continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”
Some notable statistics:
- The insurance industry entered the top five sectors for the first time since the report began, notifying 35 breaches;
- Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors;
- The number of notifications resulting from social engineering or impersonation has increased by 47% during the reporting period to 50 data breaches; and
- Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.
Notifications per month varied widely across the reporting period, ranging from 63 in January to 124 in May — the highest number of data breaches reported in a month since the NDB scheme began in February 2018.
While the increase coincided with widespread changes in working arrangements due to the COVID-19 outbreak, Falk said the OAIC had not found evidence to suggest the increase in May was the result of changed business practices.
“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” she said.
“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.
“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.”
Commenting on the report, Lindsay Brown, vice-president of Asia Pacific and Japan at identity provider LogMeIn, said: "Australians have had a difficult first half to 2020 and the latest OAIC Notifiable Data Breaches Report tells a similar story, having recorded an astounding 518 notifications.
"Phishing and compromised credentials remain the primary offender for cyber incidents (36%) across the top five industries, which isn't all that surprising, considering many organisations were forced to address authentication and access challenges for the first time during lockdowns.
"The remote work movement has indicated the importance of practising a culture that prioritises security to keep employees productive and collaborative no matter where they are. Human error made up 34 per cent of data breaches, suggesting a focus for organisations should be equipping employees with appropriate training and tools.
"For example, the risks of credential theft, abuse and phishing can be minimised by organisations adopting password managers with single-sign-on and passwordless multi-factor authentication to thwart password-related risks.
"However, there also needs to be a larger focus on educating employees on cyber security and privacy best practices, as simple things like failure to use BCC when sending an email also contribute to employees being many organisations' weakest link. Organisations must build a resilient future to keep employees protected and productive, and it starts with ensuring the right people are accessing the right information by addressing the known risks of credentials."
John Donovan, ANZ managing director of global security outfit Sophos, said: "In the latest NDB report, the OAIC recorded an alarming 518 notifications. Of this, 34% were attributed to human error, 61% to malicious or criminal attacks and 5% to system faults. This suggests that the frequency, sophistication and scale of cyber attacks is increasing and organisations are not adequately equipped to combat threats.
"First and foremost, Australian businesses need to start with the assumption that they will be hit by a cyber attack. Subsequently, industry leaders should invest in the right technology as their cyber security foundation. Additionally, considering 34% of the breaches were due to human error, organisations should prioritise the cyber security education of employees to create a cyber-aware culture to combat this alarming statistic."
Terry Burgess, vice-president, Asia Pacific and Japan at identity and access management software vendor SailPoint, commented: "The business challenges created by COVID-19 are extreme. Organisations have had to rapidly shift to remote working models, placing huge strain on existing systems and infrastructure. These demands have created a thriving environment for cyber crime.
"Proactivity is key here. Organisations must adopt necessary defences and foster a cyber-aware culture. We also advocate that Australian organisations adopt a 'zero trust' philosophy. This framework is defined by having zero trust in anything – or anyone – related to your organisation.
"When applied to a cyber-security strategy, it means habitually questioning who someone is and what they want to do; we can no longer blindly trust users, especially in the remote working era. This methodology facilitates a top-down approach to organisational security and provides clear visibility over risks."