New data from the Office of the Information Commissioner (OAIC) has revealed that a total of 242 data breaches were reported in the second quarter of 2018 (April to June 2018), under the Notifiable Data Breaches (NDB) scheme.
The NDB scheme commenced on 22 February 2018, and requires entities subject to obligations under the Privacy Act 1988 (Cth) to report eligible data breaches. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, as well as private sector health service providers and credit providers.
The number of reported data breaches increased every month in the period, suggesting that more data breaches are being reported as organisations become more familiar with the requirements of the NDB scheme.
Scale and types of reported data breaches
More than half of the reported data breaches (61%) involved the personal information of 100 individuals or fewer, while 38% of the reported data breaches impacted between 1 and 10 individuals.
The most common types of personal information involved in the reported data breaches were contact information such as individuals’ home address, phone number or email address (involved in 89% of data breaches), followed by financial details such as bank account and credit card information (involved in 42% of data breaches) and identity information such as driver’s licence numbers and other government identifiers (involved in 39% of data breaches).
Causes of reported data breaches
The OAIC has identified malicious or criminal attacks as the largest cause of data breaches this quarter, accounting for 59% of the reported data breaches. Such attacks included phishing, malware, ransomware, brute-force attacks and the use of stolen credentials. Theft of paperwork and storage devices (for example, USB drives) was a significant source of malicious or criminal attacks.
Human error was the second largest cause of data breaches (accounting for more than a third of the reported data breaches) with the OAIC noting that many of the cyber incidents this quarter appear to have exploited vulnerabilities involving a human factor (such as opening phishing emails). Other examples of human error included sending personal information to the wrong recipient and unintended release or publication of personal information. Interestingly, data breaches involving human error tended to impact a larger number of people – for example, human error incidents involving the loss of storage devices affected an average of 1199 individuals per data breach, while failing to use the ‘blind carbon copy’ (BCC) function when sending group emails impacted an average of 571 individuals per data breach.
System faults only accounted for 5% of reported data breaches.
These figures show the continued importance for organisations of maintaining strong information security and privacy protocols and training staff to practise them, in addition to maintaining technical cyber defence capabilities. This could include organisations ensuring that:
- they take a ‘privacy by design’ approach to new projects such that privacy issues are addressed at every stage
- they have a data breach response plan in place to contain and respond to data breaches quickly.