Cyberattacks take the number one spot in data breaches, and are increasing in sophistication and scope, according to the latest quarterly results (April-June) from the OAIC's Notifiable Data Breaches (NDB) scheme.
With International Right to Know Day the focus of September, it’s a good time to reflect on how organisations and government entities are protecting consumer and citizen data, with data breaches continuing to occur due to human error and cyberattacks.
While the day commemorates the rights that citizens have to know about any information that companies or governments hold about them, it coincides with the latest report from the Office of the Australian Information Commissioner (OAIC) on notifiable data breaches in the April to June quarter.
According to the report, malicious or criminal attacks comprised the majority of data breaches (62%) with human error dropping to 32%. Cyberattacks are deliberately crafted to exploit known vulnerabilities for financial or other gain.
The majority of these attacks comprised phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials (69.5%) as well as theft of paperwork or data storage devices (14.5%). The remainder involved rogue employees and insider threats (8%), as well as social engineering or impersonation (8%).
While the rise in cyberattacks is alarming, many incidents exploited vulnerabilities involving human error. This includes individuals sending personal information to the wrong recipient via email (35%), unauthorised disclosure through the unintended release or publication of personal information (18%), as well as the loss of paperwork or a data storage device (12%).
The good news is that despite the increase in sources of attacks on Australian companies, the average time for enterprises to detect they are being attacked continues to fall. The OAIC expects Australian companies to continue to educate themselves on improving their ability to detect and respond to data breaches as awareness increases under the mandatory notification scheme.
Healthcare sector is the most targeted
Following the annual report, healthcare was the leading sector reporting compromised data and personal information (19%). However, this was closely followed by the finance sector (17%) and legal, accounting and management services sector (10%). The remaining top 5 sectors were companies from the private education sector (9%), and retail sector (6%).
Top Key Takeaways
1. 245 eligible data breaches were notified during the period.
2. There has been a significant increase in notifications on the last quarter (215).
3. The majority of data breaches were due to malicious or criminal attacks (62%).
4. Phishing continues to be the most common infiltration technique (43.81%).
5. The majority of data breaches involved the personal information of <100 individuals (62%).
6. Human error resulted in more than one third (34%) of data breaches, with the health sector attributing more than half of its data breaches to this (53%).
8. Half of the finance sector's data breaches were due to cyber incidents (50%).
9. More than one third of information compromised overall was contact information (36%) with financial information the second largest (17%).
See the complete OAIC April - June 2019 Annual Report here.
Keep the basics covered. The risks of not attending to the basics within your organisation are highlighted in the OAIC report: human errors and cyber incidents remain prominent.
September is a key month to emphasise good governance around data security, with the report highlighting initiatives to protect the basics within a business, including contact information and financial data. All Australian organisations should regularly review policies and training for staff based on best practices in handling personal information.
It’s also important to remind staff to be alert to the ways they can unwittingly facilitate access to—and misuse of—personal and sensitive information.
How often do you remind your staff that everyone has a role to play in maintaining information security?
Australian Information Commissioner and Privacy Commissioner, Angelene Falk, says: “With the NDB reporting regime now well established, we expect organisations to be taking additional steps to prevent data breaches and improve their response strategies.”