This included phishing incidents, which made up roughly 15% of the total. The OAIC defines phishing as "an attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords".
The OAIC said in a report issued on Friday that health service providers were again the leading industry sector reporting data breaches, accounting for 22% of the 537 reports. This does not include breaches reported under the My Health Records Act.
Given the prevalence of data breaches in this industry, the OAIC said it had drafted a plan for the sector to contain and manage breaches.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the report highlighted the danger of storing sensitive personal information in email accounts.
“The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches,” she said.
“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts.
“Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.
“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”
Other salient features of the report:
- Human error remained a key factor in data breaches, causing 32% of NDBs
- Finance is the second highest reporting sector, notifying 14% of all breaches
- Most data breaches affected fewer than 100 individuals, in line with previous reporting periods.
Commenting on the report, Gary Jackson, the APAC vice-president of security firm Tenable, said: "The OAIC’s latest bi-annual breach figures give us a glimpse into the scale of cyber threats across Australia.
"Since the Notifiable Data Breach Scheme was introduced two years ago, the number of breaches reported has steadily increased – and this report is no different. It’s clear that Australian businesses are still struggling to combat the cyber attacks.
"This report, from July to December 2019, shows 537 breaches have been reported, with the majority of these attributed to health service providers (117), followed by finance (77) and education (49).
"The healthcare sector naturally has a target on its back, particularly with the rollout of My Health Record, but in reality any industry that is using personal data to drive innovation and collaboration is likely to be targeted as criminals look for weaknesses across rapidly expanding attack surfaces."
Adam Biviano, director, Solution Architect, ForgeRock, said the report showed how important it was for Australian businesses to ensure their access and controls systems were secure and constantly assessed for potential faults.
"Private health was once again the country’s most affected sector. With human error causing 43% of data breaches in this sector, and access to connected care services becoming more commonplace, the report once again highlights why providers must reassess how they handle customer identity information and communicate patient data collection and use policies," he said.
"Malicious or criminal attacks also remain the leading cause of data breaches, but with human error the second leading cause, the report also highlights the need for Australian businesses to invest in a consolidated identity management strategy for both customers and employees to ensure they are secure on all levels of operation.
"Organisations that take the necessary steps to safeguard customers' identity information will build brand trust, ensure compliance and help achieve their objectives. With Consumer Data Right initiatives set to soon expand beyond sectors like finance, the mantra 'no data about me, without me' has never been more applicable."
Graphics: courtesy OAIC