The Office of the Australian Information Commissioner (OAIC) has released its fourth quarterly report of notifiable data breaches, covering October to December 2018, and the trend is not looking good.
The report revealed that the OAIC received 262 notifications of data breaches, up from the 245 notifications reported the previous quarter. Below are the key findings from the report:
Summary of report:
* Private health service providers reported 54 breaches, the finance sector reported 40 breaches, professional services reported 23 breaches, private education providers reported 21 breaches, and the mining and manufacturing industry made its first appearance with 12 reported breaches.
* 85% of data breaches involved individuals' contact details, 47% involved financial details, 36% involved identity details, 27% involved health details, 18% involved tax file numbers, and 9% involved other types of personal information.
* The sources of breaches varied, with 64% of data breaches due to malicious or criminal attack, 33% due to human error, and 3% due to system faults.
* The majority of cyber incidents were linked to the compromise of credentials, whether through phishing (49 notifications), by unknown methods (28 notifications), or by brute-force attack (9 notifications).
Kinds of information breached (share of notifications; a single breach can involve more than one kind):

| Kind of information | Share of breaches |
| --- | --- |
| Contact information | 85% |
| Financial details | 47% |
| Identity information | 36% |
| Health information | 27% |
| Tax File Number | 18% |
| Other sensitive information | 9% |
Even though 60% of the total breaches involved the personal information of 100 individuals or fewer, a few notifications affected a significantly higher number of individuals (including one that affected more than 1 million individuals). Human error breaches resulting in the unauthorised disclosure of personal information (via unintended release or publication) affected an average of more than 17,000 individuals per breach (though this average is likely to have been skewed by a few particularly large breaches), and the failure to securely dispose of personal information affected an average of 300 individuals per breach.
The highest reporting sector this quarter was the health sector (54 notifications). Of those notifications, 54 per cent resulted from human error. In contrast, notifications from the second highest reporting sector, finance, indicated that 70 per cent of its data breaches resulted from malicious or criminal attacks. The legal, accounting and management services sector and the mining and manufacturing sector also reported that the majority of their breaches resulted from malicious or criminal attacks. Of the top five sectors, only the finance and education sectors notified a data breach resulting from a system fault.
Malicious or criminal attacks were the largest source of data breaches this quarter, accounting for 64 per cent of all data breaches. Of these 168 data breaches, 68 per cent involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, compromised or stolen credentials, and social engineering or impersonation.
Many cyber incidents in this quarter appear to have exploited a human factor, such as a user clicking on an attachment to a phishing email, rather than a purely technical weakness.
Theft of paperwork or data storage devices was also a significant source of malicious or criminal attacks (15 per cent). Other sources included actions taken by a rogue employee or insider (12 per cent), as well as social engineering or impersonation (5 per cent).
To read the full report, go here: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-october-31-december-2018