From the OAIC Annual Report.
Andrew Lawrence, Superloop’s CSO looks at the OAIC annual report on the Notifiable Data Breaches (NDB) scheme and provides key takeaways.
It’s unsurprising that cyber attacks are increasing in sophistication and scope. Whilst the sources of attack are numerically broader, the average time between an attack and detection continues to fall.
Likewise, sensitive data is at greater risk as enterprises move to SaaS and cloud services, a trend underscored by the staggering figure of almost 1,000 data breaches reported under the notifiable data breaches (NDB) scheme.
Lessons Learned, Insights Gained
Digging deeper into the OAIC report, 60% of all data breaches were related to malicious or criminal attacks. The most common method among these was phishing, which attackers use to obtain consumer credentials such as usernames and passwords and then access sensitive information.
Quite often, consumers unwittingly assist criminals by using the same username and password across multiple accounts, a factor that also features in the next largest cause of data breaches: human error.
More than one third of all reported breaches were caused by human error, such as unintended disclosures (sending information to the wrong email address), lost devices, leaving devices unprotected, re-using passwords, and more. Viewed through an industry lens, the three sectors most affected by data breaches were healthcare, finance, and education.
Healthcare providers reported 200 eligible data breaches, with 55% of these due to human error. With the recent introduction of My Health Records adding to the volume of sensitive data held, failure to implement proper policies and procedures will only exacerbate the scale and impact of data breaches.
The Solution? Keep the Basics Covered
Regardless of whether your organisation is sizable enough to be regulated by the NDB scheme, OAIC’s Report is an important reminder of the risks in not attending to security basics. It also highlights some key steps required to protect sensitive data.
For example, the over-representation of malicious attacks and human error within these figures confirms the need for all Australian organisations to regularly review staff training and governance of security policy and practices.
Australian Information Commissioner and Privacy Commissioner, Angelene Falk herself said when the report was delivered:
“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity—transparency and accountability.”
“It’s also an opportunity for organisations to earn back trust by supporting consumers effectively to prevent or manage any potential harm that may result from a breach.”
The Key Takeaway
The inaugural review of the NDB scheme summarised the key outcome for organisations covered by Australia’s Privacy Act: put individuals first.
The complete annual report is downloadable here.
1. 964 eligible data breaches were notified under the NDB scheme between 1 April 2018 to 31 March 2019.
2. There has been an increase in notifications (up 712%) since the introduction of the NDB scheme, compared with the previous 12 months.
3. The majority of data breaches were due to malicious or criminal attacks (60%).
4. There were 153 breaches associated with phishing, which continues to be the most common and highly effective way that hackers are infiltrating organisations.
5. Of cyber incidents where credentials were accessed, 28% of the time the notifying organisation wasn’t aware how they were obtained.
6. More than three quarters (83%) of data breaches affected fewer than 1,000 people.
7. More than one third (35%) of data breach notifications were attributed to human error.
8. The health sector had more than half (55%) of its data breaches due to human error.
9. The finance sector had 41% of its data breaches due to human error.
10. The vast majority of data breaches (86%) involved contact information disclosure.
To learn more about Superloop's Security features, click here.