Notifiable data breaches – the human element

The Office of the Australian Information Commissioner published their Notifiable Data Breaches Quarterly Statistics Report on Tuesday the 31st of July 2018. This report covers data breaches reported from the 1st of April through to the 30th of June. It’s a very topical read – as there’s some interesting statistics about trends and types of breaches reported.

The OAIC now publishes a quarterly statistical information about notifications received under the NDB scheme, which commenced on 22 February 2018, to assist entities and the public to understand the operation of the scheme.

A summary of the report is provided below:

  • The OAIC had a total of 242 notifications this quarter.
  • The largest source of attacks was cyber incidents (97 notifications) such as phishing, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking by other means. The majority of cyber incidents were linked to the compromise of credentials through phishing (29%), brute-force attacks (14%) or by unknown methods (34%).
  • Theft of paperwork or storage devices was also a significant source of malicious or criminal attacks (31 notifications).
  • Other sources included social engineering or impersonation (7 notifications) and actions taken by a rogue employee or insider threat (7 notifications).

 

Finance Sector:

They have also provided additional details for different sectors, including finance:

  • Most notifications in the period from the finance sector involved the personal information of 100 individuals or fewer (67% of breaches).
  • Breaches impacting between 1 and 10 individuals comprised 44% of the notifications. 33% of notifications included affected more than 100 individuals.
  • The largest source of data breaches from the finance sector was human error (50%), with examples including sending personal information to the wrong recipient by email (6 notifications) or mail (3 notifications), and unintended release or publication of personal information (3 notifications).
  • Malicious and criminal attacks were the second largest source of data breaches notified by the finance sector (47%). Of these, cyber incidents were the most common type of attack (14 notifications).

 

Highlighting The “Human Factor”

Considering the human error numbers detailed in the report, it highlights that all organisations need to focus on raising awareness & culture for protecting and handling data. This needs to be done to ensure corporate and customer data is kept secure and confidential.

 

Types of data exposed:

The majority of data breaches involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as passport number, driver’s licence number or other government identifiers.

Entities also notified data breaches that involved individuals’ tax file numbers (TFNs), financial details, such as bank account or credit card numbers, as well as health information.

 

Read the full report here:

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018

 

Value your opinion:

Have a view of opinion of the report findings so far? Feel free to share your views, comments etc below.

 

Latest articles

Related articles