No estimate of the number of people affected in Australia by this breach was ever provided by Marriott.
The OAIC publishes only aggregate statistics of the breaches each quarter, and said in the latest report that from 1 July onwards such reports would be issued every six months. The report was released as the OAIC marked Australian Privacy Awareness Week, which runs from 12 to 18 May.
For the March quarter, malicious or criminal attacks were the largest source of data breaches, accounting for 61% of all breaches.
Of the 215 breaches, 35% were put down to human error and 4% to system faults. There were 62 breaches reported in January, 67 in February and 86 in March.
Along with the quarterly report, the OAIC issued a report providing insights into the breaches reported since the Notifiable Data Breaches Act took effect on 22 February last year.
The insights report showed that:
- 964 eligible data breaches were notified to affected individuals and the OAIC from 1 April 2018 to 31 March 2019;
- 60% of breaches were traced back to malicious or criminal attacks;
- The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords) causing 153 breaches;
- More than a third of all notifiable data breaches were directly due to human error;
- That includes personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten;
- The remaining 5% of all notifiable data breaches involved system faults;
- 168 voluntary notifications were also received by the OAIC, where the reporting threshold or "serious harm" test was not met, or the entity was not regulated under the Privacy Act.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said: “Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”
Commenting on the OAIC report, Phil Kernick, co-founder and chief technology officer of cyber security specialist CQR Consulting, said: "Once again, this latest quarterly report suggests that for many organisations security can be a 'tick in the box' for compliance reasons rather than keeping data safe. A lack of rigour and respect for cyber security can undermine an organisation’s entire risk and compliance strategy, yet we still see gaping holes in their protection.
"For any organisation, everyone needs to pull in the same direction when considering cyber security. It takes just one under-educated or negligent employee to bring down even the best security. As cyber attacks become more complex, better funded and more frequent, we should be reminded that it only takes one phishing email to be sent by an attacker using a stolen identity to effectively target a high-ranking insider and gain a foothold in a corporate network, with potentially devastating consequences."
Mark Perry, the chief technology officer of cloud security firm Ping Identity, said: "This latest report would suggest that the challenge of securing data continues to present challenges to both businesses and consumers. There is simply no reduction in the number of breaches and the resulting inherent costs to business.
"Enhanced security measures can counter the risk of a breach occurring but have historically been met with employee and management pushback, courtesy of the fact they were perceived as onerous. The positive news is that we should see the tide turning with the increasing adoption of multi-factor authentication and the introduction of adaptive authentication, self-service capabilities and phone-as-a-token authentication.
"Out-of-the-box APIs, SDKs and integration kits continue to reduce the expense and complexity associated with implementation, and cloud-delivered solutions, which require minor oversight to run effectively, have seen infrastructure and administration costs plummet. Indeed, modern MFA solutions are a means whereby organisations can reduce the risk posed by these common forms of cyber-attack without impeding employees, partners and customers in their dealings with the enterprise. They also can support what we may eventually see is an overconfidence or perhaps, complacency, in adequately protecting valuable assets from cyber attacks."
Michael Warnock, Australia country manager of security solutions firm Aura Information Security, said: "Once again, we are seeing the frequency of data breaches continuing to remain on par though slightly decreasing from what we witnessed during 2018. Hacking activity continues to flourish and those responsible continue to find new ways to infiltrate corporate networks and steal sensitive company and personal data.
"While cyber-protection software has a role to play in preventing attacks and providing a sense of comfort to a chief information security officer, human error, carelessness and gullibility allow many a hacker to slip through the cordon. This should raise alarm bells for anyone responsible for company compliance and risk management. 2019 should be a year in which information security is finally viewed as not just the remit of the IT department but an integral component of every employee’s role."
Mark Sinclair, ANZ country manager of global network security vendor WatchGuard Technologies, said: "This latest report suggests that organisations are still grappling with the problem of human error and they need to continue to invest in people, process and technology. With hacking and phishing a continuing issue, it appears that businesses need to take a rigorous approach to threats, be vigilant against attacks and privacy breaches and use tools and technologies strategically, to safeguard their IT assets and data.
"Ongoing education of staff is a vital component of any cyber-security strategy and that means mentoring staff to be more aware of the risks they face online and the things they can do to manage them."
Albert Kuo, vice-president Asia Pacific for enterprise technology company ExtraHop, said: "Once again, the quarterly OAIC Notifiable Data Breaches statistics demonstrate that cyber crime still pays. For these criminals, achieving their goals is just a numbers game – it won’t be long before they find a victim and human error within businesses only amplifies the threat of a cyber security data breach.
"Companies should assume that it is a matter of ‘when’ not ‘if’ an attacker will infiltrate their network, and take appropriate measures. Having the right mentality and tools in place can stop an attacker in their tracks before any data is extracted. If hackers are to be thwarted, it is increasingly crystal clear that those responsible for security, risk and compliance in a business must not retreat into their shells, but be willing to change their defensive mindset and capabilities."