On 30 October 2018, the Office of the Australian Information Commissioner (OAIC) published the third Notifiable Data Breaches Quarterly Statistics Report, which reported 245 breach notifications, up from 242 for the June quarter.

It is interesting that the breakdown of causes of breaches is consistent with the last Report. The causes were:

  • human error – 37 per cent (last quarter 36 per cent)
  • malicious or criminal attack – 57 per cent (last quarter 59 per cent)
  • system faults – six per cent (last quarter five per cent).

The Report noted that “Many cyber incidents this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords).”

The Report provided a breakdown across key industry sectors, being:

  • health service providers – 45 breaches
  • finance – 35 breaches
  • legal, accounting and management services – 34 breaches
  • education – 16 breaches
  • personal services (including employment, training and recruitment) – 13 breaches.

This ranking is consistent with the ranking in the last quarter.

In terms of the number of individuals affected by breaches, the majority of reported breaches (63 per cent) involved fewer than 100 individuals, with 41 per cent affecting between one and 10 individuals and only two breaches affecting more than 100,000 individuals.

In a report to the Senate Estimates Committee last week, the OAIC reported that this increasing number of breaches was stretching the workload of the OAIC, with no additional resources provided for the function. In addition, the Commissioner noted that more complex data breaches are being reported to the OAIC, resulting in longer waits to resolve enquiries.

Further, it was noted that the OAIC had received a number of notifications that involved organisations that provided services to other businesses where the notifications to affected individuals involved multiple businesses.

This increasing interconnectedness of relationships and service providers is a key issue that we are seeing when businesses are faced with a data breach in their supply chain and seeking to determine who has the obligation to notify and who is best placed to notify.

We expect that this complexity will continue until businesses have fully resolved their supply chain management in relation to personal information and data breach management.