Authors: Katherine Hayes, Partner & Hayley Nankivell, Law Graduate
In December 2019, the Office of the Australian Information Commissioner (OAIC) released the latest of several reports tracking data breaches under the notifiable data breaches scheme, introduced in February 2018.
The reports indicate a significant increase in notifications of breaches within 18 months of the scheme’s inception, culminating in 245 notifications being made to the OAIC between 1 April 2019 and 30 June 2019. Trends have emerged within this data which assist in targeting education and security measures to combat increasing data breaches.
Health service providers and financial institutions have reported the greatest number of breaches (47 and 42 respectively in the quarter ending 30 June 2019). The legal, accounting and management services (24), education (23) and retail (15) sectors round out the top five sectors by notification rates. In each of these sectors, malicious attacks accounted for the most notifications, followed by human error.
This trend was echoed across all sectors. Overall, 62% of breaches resulted from malicious or criminal attacks, while human error accounted for 34%, and system faults for 4%.
The personal information at risk across all sectors was predominantly contact information (220 notifications), followed by financial details (102 notifications), identity information (76 notifications), health information (67 notifications), and Tax File Numbers (38 notifications). Miscellaneous sensitive information accounted for the outstanding 22 notifications.
A majority of malicious attacks (69.5%) involved cyber incidents which were overwhelmingly linked to compromised credentials (79), followed by phishing (46 notifications), brute force (5 notifications), and various unknown methods (32 notifications).
As the second largest source of data breaches, human error primarily entailed emailing the wrong recipient with personal information (35%), followed by unintended release or publication of information (18%) and loss of paperwork or a data storage device (12%).
Only 4% of breaches across all sectors were caused by a system fault, which can be caused by a bug in a web code or a machine fault. These breaches generally resulted in unintended release or publication of personal information.
Of the 15 notifications caused by unintended publication, the average number of individuals affected was 9,479. Of the five notifications caused by a failure to use blind carbon copy when sending an email, on average 601 individuals were affected. Despite other causes of human error being higher in number, these two categories affected a significantly larger number of individuals. The remaining causes of human error breaches only affected an average of 123 individuals.
While most breaches continue to affect under 100 people, one breach affected over one million individuals and 21 breaches affected between 1,001 and 5,000 individuals.
The latest report highlights the need to remain proactive in protecting systems containing personal information from attacks, and the importance of remaining vigilant to combat complacency. Each breach has significant implications on a business, incurring notification costs and the costs of investigating and remedying the breach. This is in addition to any resulting reputational harm and emotional distress caused to the individuals affected by the breach. With each report, we have seen a slight rise in data breach incidents which we will continue to observe with a keen interest.